stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 14 Releases Wiki Activity

up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Reachability Corpus Validation / validate-corpus (push) Has been cancelled
Details
Reachability Corpus Validation / validate-ground-truths (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Reachability Corpus Validation / determinism-check (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Details
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Details
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-14 15:50:38 +02:00
parent f1a39c4ce3
commit 233873f620
249 changed files with 29746 additions and 154 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
.gitea/workflows/aoc-guard.yml
View File

@@ -56,10 +56,41 @@ jobs:
dotnet build src/Authority/StellaOps.Authority.Ingestion/StellaOps.Authority.Ingestion.csproj -c Release /p:RunAnalyzers=true /p:TreatWarningsAsErrors=true
dotnet build src/Excititor/StellaOps.Excititor.Ingestion/StellaOps.Excititor.Ingestion.csproj -c Release /p:RunAnalyzers=true /p:TreatWarningsAsErrors=true
- name: Run analyzer tests
- name: Run analyzer tests with coverage
run: |
mkdir -p $ARTIFACT_DIR
dotnet test src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj -c Release --logger "trx;LogFileName=aoc-tests.trx" --results-directory $ARTIFACT_DIR
dotnet test src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj -c Release \
--settings src/Aoc/aoc.runsettings \
--collect:"XPlat Code Coverage" \
--logger "trx;LogFileName=aoc-analyzers-tests.trx" \
--results-directory $ARTIFACT_DIR
- name: Run AOC library tests with coverage
run: |
dotnet test src/Aoc/__Tests/StellaOps.Aoc.Tests/StellaOps.Aoc.Tests.csproj -c Release \
--settings src/Aoc/aoc.runsettings \
--collect:"XPlat Code Coverage" \
--logger "trx;LogFileName=aoc-lib-tests.trx" \
--results-directory $ARTIFACT_DIR
- name: Run AOC CLI tests with coverage
run: |
dotnet test src/Aoc/__Tests/StellaOps.Aoc.Cli.Tests/StellaOps.Aoc.Cli.Tests.csproj -c Release \
--settings src/Aoc/aoc.runsettings \
--collect:"XPlat Code Coverage" \
--logger "trx;LogFileName=aoc-cli-tests.trx" \
--results-directory $ARTIFACT_DIR
- name: Generate coverage report
run: |
dotnet tool install --global dotnet-reportgenerator-globaltool || true
reportgenerator \
-reports:"$ARTIFACT_DIR/**/coverage.cobertura.xml" \
-targetdir:"$ARTIFACT_DIR/coverage-report" \
-reporttypes:"Html;Cobertura;TextSummary" || true
if [ -f "$ARTIFACT_DIR/coverage-report/Summary.txt" ]; then
cat "$ARTIFACT_DIR/coverage-report/Summary.txt"
fi
- name: Upload artifacts
uses: actions/upload-artifact@v4
@@ -96,13 +127,37 @@ jobs:
- name: Run AOC verify
env:
STAGING_MONGO_URI: ${{ secrets.STAGING_MONGO_URI || vars.STAGING_MONGO_URI }}
STAGING_POSTGRES_URI: ${{ secrets.STAGING_POSTGRES_URI || vars.STAGING_POSTGRES_URI }}
run: |
if [ -z "${STAGING_MONGO_URI:-}" ]; then
echo "::warning::STAGING_MONGO_URI not set; skipping aoc verify"
mkdir -p $ARTIFACT_DIR
# Prefer PostgreSQL, fall back to MongoDB (legacy)
if [ -n "${STAGING_POSTGRES_URI:-}" ]; then
echo "Using PostgreSQL for AOC verification"
dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify \
--since "$AOC_VERIFY_SINCE" \
--postgres "$STAGING_POSTGRES_URI" \
--output "$ARTIFACT_DIR/aoc-verify.json" \
--ndjson "$ARTIFACT_DIR/aoc-verify.ndjson" \
--verbose || VERIFY_EXIT=$?
elif [ -n "${STAGING_MONGO_URI:-}" ]; then
echo "Using MongoDB for AOC verification (deprecated)"
dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify \
--since "$AOC_VERIFY_SINCE" \
--mongo "$STAGING_MONGO_URI" \
--output "$ARTIFACT_DIR/aoc-verify.json" \
--ndjson "$ARTIFACT_DIR/aoc-verify.ndjson" \
--verbose || VERIFY_EXIT=$?
else
echo "::warning::Neither STAGING_POSTGRES_URI nor STAGING_MONGO_URI set; running dry-run verification"
dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify \
--since "$AOC_VERIFY_SINCE" \
--postgres "placeholder" \
--dry-run \
--verbose
exit 0
fi
mkdir -p $ARTIFACT_DIR
dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify --since "$AOC_VERIFY_SINCE" --mongo "$STAGING_MONGO_URI" --output "$ARTIFACT_DIR/aoc-verify.json" --ndjson "$ARTIFACT_DIR/aoc-verify.ndjson" || VERIFY_EXIT=$?
if [ -n "${VERIFY_EXIT:-}" ] && [ "${VERIFY_EXIT}" -ne 0 ]; then
echo "::error::AOC verify reported violations"; exit ${VERIFY_EXIT}
fi

267
.gitea/workflows/reachability-corpus-ci.yml Normal file
View File

@@ -0,0 +1,267 @@
name: Reachability Corpus Validation
on:
workflow_dispatch:
push:
branches: [ main ]
paths:
- 'tests/reachability/corpus/**'
- 'tests/reachability/fixtures/**'
- 'tests/reachability/StellaOps.Reachability.FixtureTests/**'
- 'scripts/reachability/**'
- '.gitea/workflows/reachability-corpus-ci.yml'
pull_request:
paths:
- 'tests/reachability/corpus/**'
- 'tests/reachability/fixtures/**'
- 'tests/reachability/StellaOps.Reachability.FixtureTests/**'
- 'scripts/reachability/**'
- '.gitea/workflows/reachability-corpus-ci.yml'
jobs:
validate-corpus:
runs-on: ubuntu-22.04
env:
DOTNET_NOLOGO: 1
DOTNET_CLI_TELEMETRY_OPTOUT: 1
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
TZ: UTC
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup .NET 10 RC
uses: actions/setup-dotnet@v4
with:
dotnet-version: 10.0.100
include-prerelease: true
- name: Verify corpus manifest integrity
run: |
echo "Verifying corpus manifest..."
cd tests/reachability/corpus
if [ ! -f manifest.json ]; then
echo "::error::Corpus manifest.json not found"
exit 1
fi
echo "Manifest exists, checking JSON validity..."
python3 -c "import json; json.load(open('manifest.json'))"
echo "Manifest is valid JSON"
- name: Verify reachbench index integrity
run: |
echo "Verifying reachbench fixtures..."
cd tests/reachability/fixtures/reachbench-2025-expanded
if [ ! -f INDEX.json ]; then
echo "::error::Reachbench INDEX.json not found"
exit 1
fi
echo "INDEX exists, checking JSON validity..."
python3 -c "import json; json.load(open('INDEX.json'))"
echo "INDEX is valid JSON"
- name: Restore test project
run: dotnet restore tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj --configfile nuget.config
- name: Build test project
run: dotnet build tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj -c Release --no-restore
- name: Run corpus fixture tests
run: |
dotnet test tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj \
-c Release \
--no-build \
--logger "trx;LogFileName=corpus-results.trx" \
--results-directory ./TestResults \
--filter "FullyQualifiedName~CorpusFixtureTests"
- name: Run reachbench fixture tests
run: |
dotnet test tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj \
-c Release \
--no-build \
--logger "trx;LogFileName=reachbench-results.trx" \
--results-directory ./TestResults \
--filter "FullyQualifiedName~ReachbenchFixtureTests"
- name: Verify deterministic hashes
run: |
echo "Verifying SHA-256 hashes in corpus manifest..."
chmod +x scripts/reachability/verify_corpus_hashes.sh || true
if [ -f scripts/reachability/verify_corpus_hashes.sh ]; then
scripts/reachability/verify_corpus_hashes.sh
else
echo "Hash verification script not found, using inline verification..."
cd tests/reachability/corpus
python3 << 'EOF'
import json
import hashlib
import sys
import os
with open('manifest.json') as f:
manifest = json.load(f)
errors = []
for entry in manifest:
case_id = entry['id']
lang = entry['language']
case_dir = os.path.join(lang, case_id)
for filename, expected_hash in entry['files'].items():
filepath = os.path.join(case_dir, filename)
if not os.path.exists(filepath):
errors.append(f"{case_id}: missing {filename}")
continue
with open(filepath, 'rb') as f:
actual_hash = hashlib.sha256(f.read()).hexdigest()
if actual_hash != expected_hash:
errors.append(f"{case_id}: {filename} hash mismatch (expected {expected_hash}, got {actual_hash})")
if errors:
for err in errors:
print(f"::error::{err}")
sys.exit(1)
print(f"All {len(manifest)} corpus entries verified")
EOF
fi
- name: Upload test results
uses: actions/upload-artifact@v4
if: always()
with:
name: corpus-test-results-${{ github.run_number }}
path: ./TestResults/*.trx
retention-days: 14
validate-ground-truths:
runs-on: ubuntu-22.04
env:
TZ: UTC
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Validate ground-truth schema version
run: |
echo "Validating ground-truth files..."
cd tests/reachability
python3 << 'EOF'
import json
import os
import sys
EXPECTED_SCHEMA = "reachbench.reachgraph.truth/v1"
ALLOWED_VARIANTS = {"reachable", "unreachable"}
errors = []
# Validate corpus ground-truths
corpus_manifest = 'corpus/manifest.json'
if os.path.exists(corpus_manifest):
with open(corpus_manifest) as f:
manifest = json.load(f)
for entry in manifest:
case_id = entry['id']
lang = entry['language']
truth_path = os.path.join('corpus', lang, case_id, 'ground-truth.json')
if not os.path.exists(truth_path):
errors.append(f"corpus/{case_id}: missing ground-truth.json")
continue
with open(truth_path) as f:
truth = json.load(f)
if truth.get('schema_version') != EXPECTED_SCHEMA:
errors.append(f"corpus/{case_id}: wrong schema_version")
if truth.get('variant') not in ALLOWED_VARIANTS:
errors.append(f"corpus/{case_id}: invalid variant '{truth.get('variant')}'")
if not isinstance(truth.get('paths'), list):
errors.append(f"corpus/{case_id}: paths must be an array")
# Validate reachbench ground-truths
reachbench_index = 'fixtures/reachbench-2025-expanded/INDEX.json'
if os.path.exists(reachbench_index):
with open(reachbench_index) as f:
index = json.load(f)
for case in index.get('cases', []):
case_id = case['id']
case_path = case.get('path', os.path.join('cases', case_id))
for variant in ['reachable', 'unreachable']:
truth_path = os.path.join('fixtures/reachbench-2025-expanded', case_path, 'images', variant, 'reachgraph.truth.json')
if not os.path.exists(truth_path):
errors.append(f"reachbench/{case_id}/{variant}: missing reachgraph.truth.json")
continue
with open(truth_path) as f:
truth = json.load(f)
if not truth.get('schema_version'):
errors.append(f"reachbench/{case_id}/{variant}: missing schema_version")
if not isinstance(truth.get('paths'), list):
errors.append(f"reachbench/{case_id}/{variant}: paths must be an array")
if errors:
for err in errors:
print(f"::error::{err}")
sys.exit(1)
print("All ground-truth files validated successfully")
EOF
determinism-check:
runs-on: ubuntu-22.04
env:
TZ: UTC
needs: validate-corpus
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Verify JSON determinism (sorted keys, no trailing whitespace)
run: |
echo "Checking JSON determinism..."
cd tests/reachability
python3 << 'EOF'
import json
import os
import sys
def check_json_sorted(filepath):
"""Check if JSON has sorted keys (deterministic)."""
with open(filepath) as f:
content = f.read()
parsed = json.loads(content)
reserialized = json.dumps(parsed, sort_keys=True, indent=2)
# Normalize line endings
content_normalized = content.replace('\r\n', '\n').strip()
reserialized_normalized = reserialized.strip()
return content_normalized == reserialized_normalized
errors = []
json_files = []
# Collect JSON files from corpus
for root, dirs, files in os.walk('corpus'):
for f in files:
if f.endswith('.json'):
json_files.append(os.path.join(root, f))
# Check determinism
non_deterministic = []
for filepath in json_files:
try:
if not check_json_sorted(filepath):
non_deterministic.append(filepath)
except json.JSONDecodeError as e:
errors.append(f"{filepath}: invalid JSON - {e}")
if non_deterministic:
print(f"::warning::Found {len(non_deterministic)} non-deterministic JSON files (keys not sorted or whitespace differs)")
for f in non_deterministic[:10]:
print(f" - {f}")
if len(non_deterministic) > 10:
print(f" ... and {len(non_deterministic) - 10} more")
if errors:
for err in errors:
print(f"::error::{err}")
sys.exit(1)
print(f"Checked {len(json_files)} JSON files")
EOF

2
AGENTS.md
View File

@@ -126,7 +126,7 @@ It ships as containerised building blocks; each module owns a clear boundary and
| Scanner | `src/Scanner/StellaOps.Scanner.WebService`<br>`src/Scanner/StellaOps.Scanner.Worker`<br>`src/Scanner/__Libraries/StellaOps.Scanner.*` | `docs/modules/scanner/architecture.md` |
| Scheduler | `src/Scheduler/StellaOps.Scheduler.WebService`<br>`src/Scheduler/StellaOps.Scheduler.Worker` | `docs/modules/scheduler/architecture.md` |
| CLI | `src/Cli/StellaOps.Cli`<br>`src/Cli/StellaOps.Cli.Core`<br>`src/Cli/StellaOps.Cli.Plugins.*` | `docs/modules/cli/architecture.md` |
| UI / Console | `src/UI/StellaOps.UI` | `docs/modules/ui/architecture.md` |
| UI / Console | `src/Web/StellaOps.Web` | `docs/modules/ui/architecture.md` |
| Notify | `src/Notify/StellaOps.Notify.WebService`<br>`src/Notify/StellaOps.Notify.Worker` | `docs/modules/notify/architecture.md` |
| Export Center | `src/ExportCenter/StellaOps.ExportCenter.WebService`<br>`src/ExportCenter/StellaOps.ExportCenter.Worker` | `docs/modules/export-center/architecture.md` |
| Registry Token Service | `src/Registry/StellaOps.Registry.TokenService`<br>`src/Registry/__Tests/StellaOps.Registry.TokenService.Tests` | `docs/modules/registry/architecture.md` |

2
CLAUDE.md
View File

@@ -60,7 +60,7 @@ helm lint deploy/helm/stellaops
### Technology Stack
- **Runtime:** .NET 10 (`net10.0`) with latest C# preview features
- **Frontend:** Angular v17 (in `src/UI/StellaOps.UI`)
- **Frontend:** Angular v17 (in `src/Web/StellaOps.Web`)
- **Database:** PostgreSQL (≥16) with per-module schema isolation; see `docs/db/` for specification
- **Testing:** xUnit with Testcontainers (PostgreSQL), Moq, Microsoft.AspNetCore.Mvc.Testing
- **Observability:** Structured logging, OpenTelemetry traces

10
bench/findings/CVE-2015-7547-reachable/decision.dsse.json Normal file
View File

@@ -0,0 +1,10 @@
{
"payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpiZTMwNDMzZTE4OGEyNTg4NTY0NDYzMzZkYmIxMDk1OWJmYjRhYjM5NzQzODBhOGVhMTI2NDZiZjI2ODdiZjlhIiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL2dsaWJjLUNWRS0yMDIzLTQ5MTEtbG9vbmV5LXR1bmFibGVzQDEuMC4wIn1dLCJzdGF0dXMiOiJhZmZlY3RlZCIsInZ1bG5lcmFiaWxpdHkiOnsiQGlkIjoiaHR0cHM6Ly9udmQubmlzdC5nb3YvdnVsbi9kZXRhaWwvQ1ZFLTIwMTUtNzU0NyIsIm5hbWUiOiJDVkUtMjAxNS03NTQ3In19XSwidGltZXN0YW1wIjoiMjAyNS0xMi0xNFQwMjoxMzozOFoiLCJ0b29saW5nIjoiU3RlbGxhT3BzL2JlbmNoLWF1dG9AMS4wLjAiLCJ2ZXJzaW9uIjoxfQ==",
"payloadType": "application/vnd.openvex+json",
"signatures": [
{
"keyid": "stella.ops/bench-automation@v1",
"sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
}
]
}

25
bench/findings/CVE-2015-7547-reachable/decision.openvex.json Normal file
View File

@@ -0,0 +1,25 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@type": "VEX",
"author": "StellaOps Bench Automation",
"role": "security_team",
"statements": [
{
"action_statement": "Upgrade to patched version or apply mitigation.",
"impact_statement": "Evidence hash: sha256:be30433e188a258856446336dbb10959bfb4ab3974380a8ea12646bf2687bf9a",
"products": [
{
"@id": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0"
}
],
"status": "affected",
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-2015-7547",
"name": "CVE-2015-7547"
}
}
],
"timestamp": "2025-12-14T02:13:38Z",
"tooling": "StellaOps/bench-auto@1.0.0",
"version": 1
}

25
bench/findings/CVE-2015-7547-reachable/evidence/reachability.json Normal file
View File

@@ -0,0 +1,25 @@
{
"case_id": "glibc-CVE-2023-4911-looney-tunables",
"generated_at": "2025-12-14T02:13:38Z",
"ground_truth": {
"case_id": "glibc-CVE-2023-4911-looney-tunables",
"paths": [
[
"sym://net:handler#read",
"sym://glibc:glibc.c#entry",
"sym://glibc:glibc.c#sink"
]
],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
},
"paths": [
[
"sym://net:handler#read",
"sym://glibc:glibc.c#entry",
"sym://glibc:glibc.c#sink"
]
],
"schema_version": "richgraph-excerpt/v1",
"variant": "reachable"
}

23
bench/findings/CVE-2015-7547-reachable/evidence/sbom.cdx.json Normal file
View File

@@ -0,0 +1,23 @@
{
"bomFormat": "CycloneDX",
"components": [
{
"name": "glibc-CVE-2023-4911-looney-tunables",
"purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
"type": "library",
"version": "1.0.0"
}
],
"metadata": {
"timestamp": "2025-12-14T02:13:38Z",
"tools": [
{
"name": "bench-auto",
"vendor": "StellaOps",
"version": "1.0.0"
}
]
},
"specVersion": "1.6",
"version": 1
}

11
bench/findings/CVE-2015-7547-reachable/metadata.json Normal file
View File

@@ -0,0 +1,11 @@
{
"case_id": "glibc-CVE-2023-4911-looney-tunables",
"cve_id": "CVE-2015-7547",
"generated_at": "2025-12-14T02:13:38Z",
"generator": "scripts/bench/populate-findings.py",
"generator_version": "1.0.0",
"ground_truth_schema": "reachbench.reachgraph.truth/v1",
"purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
"reachability_status": "reachable",
"variant": "reachable"
}

5
bench/findings/CVE-2015-7547-reachable/rekor.txt Normal file
View File

@@ -0,0 +1,5 @@
# Rekor log entry placeholder
# Submit DSSE envelope to Rekor to populate this file
log_index: PENDING
uuid: PENDING
timestamp: 2025-12-14T02:13:38Z

10
bench/findings/CVE-2015-7547-unreachable/decision.dsse.json Normal file
View File

@@ -0,0 +1,10 @@
{
"payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpjNDJlYzAxNGE0MmQwZTNmYjQzZWQ0ZGRhZDg5NTM4MjFlNDQ0NTcxMTlkYTY2ZGRiNDFhMzVhODAxYTNiNzI3IiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9nbGliYy1DVkUtMjAyMy00OTExLWxvb25leS10dW5hYmxlc0AxLjAuMCJ9XSwic3RhdHVzIjoibm90X2FmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAxNS03NTQ3IiwibmFtZSI6IkNWRS0yMDE1LTc1NDcifX1dLCJ0aW1lc3RhbXAiOiIyMDI1LTEyLTE0VDAyOjEzOjM4WiIsInRvb2xpbmciOiJTdGVsbGFPcHMvYmVuY2gtYXV0b0AxLjAuMCIsInZlcnNpb24iOjF9",
"payloadType": "application/vnd.openvex+json",
"signatures": [
{
"keyid": "stella.ops/bench-automation@v1",
"sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
}
]
}

25
bench/findings/CVE-2015-7547-unreachable/decision.openvex.json Normal file
View File

@@ -0,0 +1,25 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@type": "VEX",
"author": "StellaOps Bench Automation",
"role": "security_team",
"statements": [
{
"impact_statement": "Evidence hash: sha256:c42ec014a42d0e3fb43ed4ddad8953821e44457119da66ddb41a35a801a3b727",
"justification": "vulnerable_code_not_present",
"products": [
{
"@id": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0"
}
],
"status": "not_affected",
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-2015-7547",
"name": "CVE-2015-7547"
}
}
],
"timestamp": "2025-12-14T02:13:38Z",
"tooling": "StellaOps/bench-auto@1.0.0",
"version": 1
}

13
bench/findings/CVE-2015-7547-unreachable/evidence/reachability.json Normal file
View File

@@ -0,0 +1,13 @@
{
"case_id": "glibc-CVE-2023-4911-looney-tunables",
"generated_at": "2025-12-14T02:13:38Z",
"ground_truth": {
"case_id": "glibc-CVE-2023-4911-looney-tunables",
"paths": [],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "unreachable"
},
"paths": [],
"schema_version": "richgraph-excerpt/v1",
"variant": "unreachable"
}

23
bench/findings/CVE-2015-7547-unreachable/evidence/sbom.cdx.json Normal file
View File

@@ -0,0 +1,23 @@
{
"bomFormat": "CycloneDX",
"components": [
{
"name": "glibc-CVE-2023-4911-looney-tunables",
"purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
"type": "library",
"version": "1.0.0"
}
],
"metadata": {
"timestamp": "2025-12-14T02:13:38Z",
"tools": [
{
"name": "bench-auto",
"vendor": "StellaOps",
"version": "1.0.0"
}
]
},
"specVersion": "1.6",
"version": 1
}

11
bench/findings/CVE-2015-7547-unreachable/metadata.json Normal file
View File

@@ -0,0 +1,11 @@
{
"case_id": "glibc-CVE-2023-4911-looney-tunables",
"cve_id": "CVE-2015-7547",
"generated_at": "2025-12-14T02:13:38Z",
"generator": "scripts/bench/populate-findings.py",
"generator_version": "1.0.0",
"ground_truth_schema": "reachbench.reachgraph.truth/v1",
"purl": "pkg:generic/glibc-CVE-2023-4911-looney-tunables@1.0.0",
"reachability_status": "unreachable",
"variant": "unreachable"
}

5
bench/findings/CVE-2015-7547-unreachable/rekor.txt Normal file
View File

@@ -0,0 +1,5 @@
# Rekor log entry placeholder
# Submit DSSE envelope to Rekor to populate this file
log_index: PENDING
uuid: PENDING
timestamp: 2025-12-14T02:13:38Z

10
bench/findings/CVE-2022-3602-reachable/decision.dsse.json Normal file
View File

@@ -0,0 +1,10 @@
{
"payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjowMTQzMWZmMWVlZTc5OWM2ZmFkZDU5M2E3ZWMxOGVlMDk0Zjk4MzE0MDk2M2RhNmNiZmQ0YjdmMDZiYTBmOTcwIiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL29wZW5zc2wtQ1ZFLTIwMjItMzYwMi14NTA5LW5hbWUtY29uc3RyYWludHNAMS4wLjAifV0sInN0YXR1cyI6ImFmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAyMi0zNjAyIiwibmFtZSI6IkNWRS0yMDIyLTM2MDIifX1dLCJ0aW1lc3RhbXAiOiIyMDI1LTEyLTE0VDAyOjEzOjM4WiIsInRvb2xpbmciOiJTdGVsbGFPcHMvYmVuY2gtYXV0b0AxLjAuMCIsInZlcnNpb24iOjF9",
"payloadType": "application/vnd.openvex+json",
"signatures": [
{
"keyid": "stella.ops/bench-automation@v1",
"sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
}
]
}

25
bench/findings/CVE-2022-3602-reachable/decision.openvex.json Normal file
View File

@@ -0,0 +1,25 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@type": "VEX",
"author": "StellaOps Bench Automation",
"role": "security_team",
"statements": [
{
"action_statement": "Upgrade to patched version or apply mitigation.",
"impact_statement": "Evidence hash: sha256:01431ff1eee799c6fadd593a7ec18ee094f983140963da6cbfd4b7f06ba0f970",
"products": [
{
"@id": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0"
}
],
"status": "affected",
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-2022-3602",
"name": "CVE-2022-3602"
}
}
],
"timestamp": "2025-12-14T02:13:38Z",
"tooling": "StellaOps/bench-auto@1.0.0",
"version": 1
}

25
bench/findings/CVE-2022-3602-reachable/evidence/reachability.json Normal file
View File

@@ -0,0 +1,25 @@
{
"case_id": "openssl-CVE-2022-3602-x509-name-constraints",
"generated_at": "2025-12-14T02:13:38Z",
"ground_truth": {
"case_id": "openssl-CVE-2022-3602-x509-name-constraints",
"paths": [
[
"sym://net:handler#read",
"sym://openssl:openssl.c#entry",
"sym://openssl:openssl.c#sink"
]
],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
},
"paths": [
[
"sym://net:handler#read",
"sym://openssl:openssl.c#entry",
"sym://openssl:openssl.c#sink"
]
],
"schema_version": "richgraph-excerpt/v1",
"variant": "reachable"
}

23
bench/findings/CVE-2022-3602-reachable/evidence/sbom.cdx.json Normal file
View File

@@ -0,0 +1,23 @@
{
"bomFormat": "CycloneDX",
"components": [
{
"name": "openssl-CVE-2022-3602-x509-name-constraints",
"purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
"type": "library",
"version": "1.0.0"
}
],
"metadata": {
"timestamp": "2025-12-14T02:13:38Z",
"tools": [
{
"name": "bench-auto",
"vendor": "StellaOps",
"version": "1.0.0"
}
]
},
"specVersion": "1.6",
"version": 1
}

11
bench/findings/CVE-2022-3602-reachable/metadata.json Normal file
View File

@@ -0,0 +1,11 @@
{
"case_id": "openssl-CVE-2022-3602-x509-name-constraints",
"cve_id": "CVE-2022-3602",
"generated_at": "2025-12-14T02:13:38Z",
"generator": "scripts/bench/populate-findings.py",
"generator_version": "1.0.0",
"ground_truth_schema": "reachbench.reachgraph.truth/v1",
"purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
"reachability_status": "reachable",
"variant": "reachable"
}

5
bench/findings/CVE-2022-3602-reachable/rekor.txt Normal file
View File

@@ -0,0 +1,5 @@
# Rekor log entry placeholder
# Submit DSSE envelope to Rekor to populate this file
log_index: PENDING
uuid: PENDING
timestamp: 2025-12-14T02:13:38Z

10
bench/findings/CVE-2022-3602-unreachable/decision.dsse.json Normal file
View File

@@ -0,0 +1,10 @@
{
"payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpkOWJhZjRjNjQ3NDE4Nzc4NTUxYWZjNDM3NTJkZWY0NmQ0YWYyN2Q1MzEyMmU2YzQzNzVjMzUxMzU1YjEwYTMzIiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9vcGVuc3NsLUNWRS0yMDIyLTM2MDIteDUwOS1uYW1lLWNvbnN0cmFpbnRzQDEuMC4wIn1dLCJzdGF0dXMiOiJub3RfYWZmZWN0ZWQiLCJ2dWxuZXJhYmlsaXR5Ijp7IkBpZCI6Imh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS0yMDIyLTM2MDIiLCJuYW1lIjoiQ1ZFLTIwMjItMzYwMiJ9fV0sInRpbWVzdGFtcCI6IjIwMjUtMTItMTRUMDI6MTM6MzhaIiwidG9vbGluZyI6IlN0ZWxsYU9wcy9iZW5jaC1hdXRvQDEuMC4wIiwidmVyc2lvbiI6MX0=",
"payloadType": "application/vnd.openvex+json",
"signatures": [
{
"keyid": "stella.ops/bench-automation@v1",
"sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
}
]
}

25
bench/findings/CVE-2022-3602-unreachable/decision.openvex.json Normal file
View File

@@ -0,0 +1,25 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@type": "VEX",
"author": "StellaOps Bench Automation",
"role": "security_team",
"statements": [
{
"impact_statement": "Evidence hash: sha256:d9baf4c647418778551afc43752def46d4af27d53122e6c4375c351355b10a33",
"justification": "vulnerable_code_not_present",
"products": [
{
"@id": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0"
}
],
"status": "not_affected",
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-2022-3602",
"name": "CVE-2022-3602"
}
}
],
"timestamp": "2025-12-14T02:13:38Z",
"tooling": "StellaOps/bench-auto@1.0.0",
"version": 1
}

13
bench/findings/CVE-2022-3602-unreachable/evidence/reachability.json Normal file
View File

@@ -0,0 +1,13 @@
{
"case_id": "openssl-CVE-2022-3602-x509-name-constraints",
"generated_at": "2025-12-14T02:13:38Z",
"ground_truth": {
"case_id": "openssl-CVE-2022-3602-x509-name-constraints",
"paths": [],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "unreachable"
},
"paths": [],
"schema_version": "richgraph-excerpt/v1",
"variant": "unreachable"
}

23
bench/findings/CVE-2022-3602-unreachable/evidence/sbom.cdx.json Normal file
View File

@@ -0,0 +1,23 @@
{
"bomFormat": "CycloneDX",
"components": [
{
"name": "openssl-CVE-2022-3602-x509-name-constraints",
"purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
"type": "library",
"version": "1.0.0"
}
],
"metadata": {
"timestamp": "2025-12-14T02:13:38Z",
"tools": [
{
"name": "bench-auto",
"vendor": "StellaOps",
"version": "1.0.0"
}
]
},
"specVersion": "1.6",
"version": 1
}

11
bench/findings/CVE-2022-3602-unreachable/metadata.json Normal file
View File

@@ -0,0 +1,11 @@
{
"case_id": "openssl-CVE-2022-3602-x509-name-constraints",
"cve_id": "CVE-2022-3602",
"generated_at": "2025-12-14T02:13:38Z",
"generator": "scripts/bench/populate-findings.py",
"generator_version": "1.0.0",
"ground_truth_schema": "reachbench.reachgraph.truth/v1",
"purl": "pkg:generic/openssl-CVE-2022-3602-x509-name-constraints@1.0.0",
"reachability_status": "unreachable",
"variant": "unreachable"
}

5
bench/findings/CVE-2022-3602-unreachable/rekor.txt Normal file
View File

@@ -0,0 +1,5 @@
# Rekor log entry placeholder
# Submit DSSE envelope to Rekor to populate this file
log_index: PENDING
uuid: PENDING
timestamp: 2025-12-14T02:13:38Z

10
bench/findings/CVE-2023-38545-reachable/decision.dsse.json Normal file
View File

@@ -0,0 +1,10 @@
{
"payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpmMWMxZmRiZTk1YjMyNTNiMTNjYTZjNzMzZWMwM2FkYTNlYTg3MWU2NmI1ZGRlZGJiNmMxNGI5ZGM2N2IwNzQ4IiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL2N1cmwtQ1ZFLTIwMjMtMzg1NDUtc29ja3M1LWhlYXBAMS4wLjAifV0sInN0YXR1cyI6ImFmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAyMy0zODU0NSIsIm5hbWUiOiJDVkUtMjAyMy0zODU0NSJ9fV0sInRpbWVzdGFtcCI6IjIwMjUtMTItMTRUMDI6MTM6MzhaIiwidG9vbGluZyI6IlN0ZWxsYU9wcy9iZW5jaC1hdXRvQDEuMC4wIiwidmVyc2lvbiI6MX0=",
"payloadType": "application/vnd.openvex+json",
"signatures": [
{
"keyid": "stella.ops/bench-automation@v1",
"sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
}
]
}

25
bench/findings/CVE-2023-38545-reachable/decision.openvex.json Normal file
View File

@@ -0,0 +1,25 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@type": "VEX",
"author": "StellaOps Bench Automation",
"role": "security_team",
"statements": [
{
"action_statement": "Upgrade to patched version or apply mitigation.",
"impact_statement": "Evidence hash: sha256:f1c1fdbe95b3253b13ca6c733ec03ada3ea871e66b5ddedbb6c14b9dc67b0748",
"products": [
{
"@id": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0"
}
],
"status": "affected",
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-2023-38545",
"name": "CVE-2023-38545"
}
}
],
"timestamp": "2025-12-14T02:13:38Z",
"tooling": "StellaOps/bench-auto@1.0.0",
"version": 1
}

25
bench/findings/CVE-2023-38545-reachable/evidence/reachability.json Normal file
View File

@@ -0,0 +1,25 @@
{
"case_id": "curl-CVE-2023-38545-socks5-heap",
"generated_at": "2025-12-14T02:13:38Z",
"ground_truth": {
"case_id": "curl-CVE-2023-38545-socks5-heap",
"paths": [
[
"sym://net:handler#read",
"sym://curl:curl.c#entry",
"sym://curl:curl.c#sink"
]
],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
},
"paths": [
[
"sym://net:handler#read",
"sym://curl:curl.c#entry",
"sym://curl:curl.c#sink"
]
],
"schema_version": "richgraph-excerpt/v1",
"variant": "reachable"
}

23
bench/findings/CVE-2023-38545-reachable/evidence/sbom.cdx.json Normal file
View File

@@ -0,0 +1,23 @@
{
"bomFormat": "CycloneDX",
"components": [
{
"name": "curl-CVE-2023-38545-socks5-heap",
"purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
"type": "library",
"version": "1.0.0"
}
],
"metadata": {
"timestamp": "2025-12-14T02:13:38Z",
"tools": [
{
"name": "bench-auto",
"vendor": "StellaOps",
"version": "1.0.0"
}
]
},
"specVersion": "1.6",
"version": 1
}

11
bench/findings/CVE-2023-38545-reachable/metadata.json Normal file
View File

@@ -0,0 +1,11 @@
{
"case_id": "curl-CVE-2023-38545-socks5-heap",
"cve_id": "CVE-2023-38545",
"generated_at": "2025-12-14T02:13:38Z",
"generator": "scripts/bench/populate-findings.py",
"generator_version": "1.0.0",
"ground_truth_schema": "reachbench.reachgraph.truth/v1",
"purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
"reachability_status": "reachable",
"variant": "reachable"
}

5
bench/findings/CVE-2023-38545-reachable/rekor.txt Normal file
View File

@@ -0,0 +1,5 @@
# Rekor log entry placeholder
# Submit DSSE envelope to Rekor to populate this file
log_index: PENDING
uuid: PENDING
timestamp: 2025-12-14T02:13:38Z

10
bench/findings/CVE-2023-38545-unreachable/decision.dsse.json Normal file
View File

@@ -0,0 +1,10 @@
{
"payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjplNGIxOTk0ZTU5NDEwNTYyZjQwYWI0YTVmZTIzNjM4YzExZTU4MTdiYjcwMDM5M2VkOTlmMjBkM2M5ZWY5ZmEwIiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9jdXJsLUNWRS0yMDIzLTM4NTQ1LXNvY2tzNS1oZWFwQDEuMC4wIn1dLCJzdGF0dXMiOiJub3RfYWZmZWN0ZWQiLCJ2dWxuZXJhYmlsaXR5Ijp7IkBpZCI6Imh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS0yMDIzLTM4NTQ1IiwibmFtZSI6IkNWRS0yMDIzLTM4NTQ1In19XSwidGltZXN0YW1wIjoiMjAyNS0xMi0xNFQwMjoxMzozOFoiLCJ0b29saW5nIjoiU3RlbGxhT3BzL2JlbmNoLWF1dG9AMS4wLjAiLCJ2ZXJzaW9uIjoxfQ==",
"payloadType": "application/vnd.openvex+json",
"signatures": [
{
"keyid": "stella.ops/bench-automation@v1",
"sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
}
]
}

25
bench/findings/CVE-2023-38545-unreachable/decision.openvex.json Normal file
View File

@@ -0,0 +1,25 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@type": "VEX",
"author": "StellaOps Bench Automation",
"role": "security_team",
"statements": [
{
"impact_statement": "Evidence hash: sha256:e4b1994e59410562f40ab4a5fe23638c11e5817bb700393ed99f20d3c9ef9fa0",
"justification": "vulnerable_code_not_present",
"products": [
{
"@id": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0"
}
],
"status": "not_affected",
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-2023-38545",
"name": "CVE-2023-38545"
}
}
],
"timestamp": "2025-12-14T02:13:38Z",
"tooling": "StellaOps/bench-auto@1.0.0",
"version": 1
}

13
bench/findings/CVE-2023-38545-unreachable/evidence/reachability.json Normal file
View File

@@ -0,0 +1,13 @@
{
"case_id": "curl-CVE-2023-38545-socks5-heap",
"generated_at": "2025-12-14T02:13:38Z",
"ground_truth": {
"case_id": "curl-CVE-2023-38545-socks5-heap",
"paths": [],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "unreachable"
},
"paths": [],
"schema_version": "richgraph-excerpt/v1",
"variant": "unreachable"
}

23
bench/findings/CVE-2023-38545-unreachable/evidence/sbom.cdx.json Normal file
View File

@@ -0,0 +1,23 @@
{
"bomFormat": "CycloneDX",
"components": [
{
"name": "curl-CVE-2023-38545-socks5-heap",
"purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
"type": "library",
"version": "1.0.0"
}
],
"metadata": {
"timestamp": "2025-12-14T02:13:38Z",
"tools": [
{
"name": "bench-auto",
"vendor": "StellaOps",
"version": "1.0.0"
}
]
},
"specVersion": "1.6",
"version": 1
}

11
bench/findings/CVE-2023-38545-unreachable/metadata.json Normal file
View File

@@ -0,0 +1,11 @@
{
"case_id": "curl-CVE-2023-38545-socks5-heap",
"cve_id": "CVE-2023-38545",
"generated_at": "2025-12-14T02:13:38Z",
"generator": "scripts/bench/populate-findings.py",
"generator_version": "1.0.0",
"ground_truth_schema": "reachbench.reachgraph.truth/v1",
"purl": "pkg:generic/curl-CVE-2023-38545-socks5-heap@1.0.0",
"reachability_status": "unreachable",
"variant": "unreachable"
}

5
bench/findings/CVE-2023-38545-unreachable/rekor.txt Normal file
View File

@@ -0,0 +1,5 @@
# Rekor log entry placeholder
# Submit DSSE envelope to Rekor to populate this file
log_index: PENDING
uuid: PENDING
timestamp: 2025-12-14T02:13:38Z

10
bench/findings/CVE-BENCH-LINUX-CG-reachable/decision.dsse.json Normal file
View File

@@ -0,0 +1,10 @@
{
"payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjoxNTRiYTZlMzU5YzA5NTQ1NzhhOTU2MDM2N2YxY2JhYzFjMTUzZTVkNWRmOTNjMmI5MjljZDM4NzkyYTIxN2JiIiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL2xpbnV4LWNncm91cHMtQ1ZFLTIwMjItMDQ5Mi1yZWxlYXNlX2FnZW50QDEuMC4wIn1dLCJzdGF0dXMiOiJhZmZlY3RlZCIsInZ1bG5lcmFiaWxpdHkiOnsiQGlkIjoiaHR0cHM6Ly9udmQubmlzdC5nb3YvdnVsbi9kZXRhaWwvQ1ZFLUJFTkNILUxJTlVYLUNHIiwibmFtZSI6IkNWRS1CRU5DSC1MSU5VWC1DRyJ9fV0sInRpbWVzdGFtcCI6IjIwMjUtMTItMTRUMDI6MTM6MzhaIiwidG9vbGluZyI6IlN0ZWxsYU9wcy9iZW5jaC1hdXRvQDEuMC4wIiwidmVyc2lvbiI6MX0=",
"payloadType": "application/vnd.openvex+json",
"signatures": [
{
"keyid": "stella.ops/bench-automation@v1",
"sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
}
]
}

25
bench/findings/CVE-BENCH-LINUX-CG-reachable/decision.openvex.json Normal file
View File

@@ -0,0 +1,25 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@type": "VEX",
"author": "StellaOps Bench Automation",
"role": "security_team",
"statements": [
{
"action_statement": "Upgrade to patched version or apply mitigation.",
"impact_statement": "Evidence hash: sha256:154ba6e359c0954578a9560367f1cbac1c153e5d5df93c2b929cd38792a217bb",
"products": [
{
"@id": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0"
}
],
"status": "affected",
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-BENCH-LINUX-CG",
"name": "CVE-BENCH-LINUX-CG"
}
}
],
"timestamp": "2025-12-14T02:13:38Z",
"tooling": "StellaOps/bench-auto@1.0.0",
"version": 1
}

25
bench/findings/CVE-BENCH-LINUX-CG-reachable/evidence/reachability.json Normal file
View File

@@ -0,0 +1,25 @@
{
"case_id": "linux-cgroups-CVE-2022-0492-release_agent",
"generated_at": "2025-12-14T02:13:38Z",
"ground_truth": {
"case_id": "linux-cgroups-CVE-2022-0492-release_agent",
"paths": [
[
"sym://net:handler#read",
"sym://linux:linux.c#entry",
"sym://linux:linux.c#sink"
]
],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
},
"paths": [
[
"sym://net:handler#read",
"sym://linux:linux.c#entry",
"sym://linux:linux.c#sink"
]
],
"schema_version": "richgraph-excerpt/v1",
"variant": "reachable"
}

23
bench/findings/CVE-BENCH-LINUX-CG-reachable/evidence/sbom.cdx.json Normal file
View File

@@ -0,0 +1,23 @@
{
"bomFormat": "CycloneDX",
"components": [
{
"name": "linux-cgroups-CVE-2022-0492-release_agent",
"purl": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0",
"type": "library",
"version": "1.0.0"
}
],
"metadata": {
"timestamp": "2025-12-14T02:13:38Z",
"tools": [
{
"name": "bench-auto",
"vendor": "StellaOps",
"version": "1.0.0"
}
]
},
"specVersion": "1.6",
"version": 1
}

11
bench/findings/CVE-BENCH-LINUX-CG-reachable/metadata.json Normal file
View File

@@ -0,0 +1,11 @@
{
"case_id": "linux-cgroups-CVE-2022-0492-release_agent",
"cve_id": "CVE-BENCH-LINUX-CG",
"generated_at": "2025-12-14T02:13:38Z",
"generator": "scripts/bench/populate-findings.py",
"generator_version": "1.0.0",
"ground_truth_schema": "reachbench.reachgraph.truth/v1",
"purl": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0",
"reachability_status": "reachable",
"variant": "reachable"
}

5
bench/findings/CVE-BENCH-LINUX-CG-reachable/rekor.txt Normal file
View File

@@ -0,0 +1,5 @@
# Rekor log entry placeholder
# Submit DSSE envelope to Rekor to populate this file
log_index: PENDING
uuid: PENDING
timestamp: 2025-12-14T02:13:38Z

10
bench/findings/CVE-BENCH-LINUX-CG-unreachable/decision.dsse.json Normal file
View File

@@ -0,0 +1,10 @@
{
"payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpjOTUwNmRhMjc0YTdkNmJmZGJiZmE0NmVjMjZkZWNmNWQ2YjcxZmFhNDA0MjY5MzZkM2NjYmFlNjQxNjJkMWE2IiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9saW51eC1jZ3JvdXBzLUNWRS0yMDIyLTA0OTItcmVsZWFzZV9hZ2VudEAxLjAuMCJ9XSwic3RhdHVzIjoibm90X2FmZmVjdGVkIiwidnVsbmVyYWJpbGl0eSI6eyJAaWQiOiJodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtQkVOQ0gtTElOVVgtQ0ciLCJuYW1lIjoiQ1ZFLUJFTkNILUxJTlVYLUNHIn19XSwidGltZXN0YW1wIjoiMjAyNS0xMi0xNFQwMjoxMzozOFoiLCJ0b29saW5nIjoiU3RlbGxhT3BzL2JlbmNoLWF1dG9AMS4wLjAiLCJ2ZXJzaW9uIjoxfQ==",
"payloadType": "application/vnd.openvex+json",
"signatures": [
{
"keyid": "stella.ops/bench-automation@v1",
"sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
}
]
}

25
bench/findings/CVE-BENCH-LINUX-CG-unreachable/decision.openvex.json Normal file
View File

@@ -0,0 +1,25 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@type": "VEX",
"author": "StellaOps Bench Automation",
"role": "security_team",
"statements": [
{
"impact_statement": "Evidence hash: sha256:c9506da274a7d6bfdbbfa46ec26decf5d6b71faa40426936d3ccbae64162d1a6",
"justification": "vulnerable_code_not_present",
"products": [
{
"@id": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0"
}
],
"status": "not_affected",
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-BENCH-LINUX-CG",
"name": "CVE-BENCH-LINUX-CG"
}
}
],
"timestamp": "2025-12-14T02:13:38Z",
"tooling": "StellaOps/bench-auto@1.0.0",
"version": 1
}

13
bench/findings/CVE-BENCH-LINUX-CG-unreachable/evidence/reachability.json Normal file
View File

@@ -0,0 +1,13 @@
{
"case_id": "linux-cgroups-CVE-2022-0492-release_agent",
"generated_at": "2025-12-14T02:13:38Z",
"ground_truth": {
"case_id": "linux-cgroups-CVE-2022-0492-release_agent",
"paths": [],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "unreachable"
},
"paths": [],
"schema_version": "richgraph-excerpt/v1",
"variant": "unreachable"
}

23
bench/findings/CVE-BENCH-LINUX-CG-unreachable/evidence/sbom.cdx.json Normal file
View File

@@ -0,0 +1,23 @@
{
"bomFormat": "CycloneDX",
"components": [
{
"name": "linux-cgroups-CVE-2022-0492-release_agent",
"purl": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0",
"type": "library",
"version": "1.0.0"
}
],
"metadata": {
"timestamp": "2025-12-14T02:13:38Z",
"tools": [
{
"name": "bench-auto",
"vendor": "StellaOps",
"version": "1.0.0"
}
]
},
"specVersion": "1.6",
"version": 1
}

11
bench/findings/CVE-BENCH-LINUX-CG-unreachable/metadata.json Normal file
View File

@@ -0,0 +1,11 @@
{
"case_id": "linux-cgroups-CVE-2022-0492-release_agent",
"cve_id": "CVE-BENCH-LINUX-CG",
"generated_at": "2025-12-14T02:13:38Z",
"generator": "scripts/bench/populate-findings.py",
"generator_version": "1.0.0",
"ground_truth_schema": "reachbench.reachgraph.truth/v1",
"purl": "pkg:generic/linux-cgroups-CVE-2022-0492-release_agent@1.0.0",
"reachability_status": "unreachable",
"variant": "unreachable"
}

5
bench/findings/CVE-BENCH-LINUX-CG-unreachable/rekor.txt Normal file
View File

@@ -0,0 +1,5 @@
# Rekor log entry placeholder
# Submit DSSE envelope to Rekor to populate this file
log_index: PENDING
uuid: PENDING
timestamp: 2025-12-14T02:13:38Z

10
bench/findings/CVE-BENCH-RUNC-CVE-reachable/decision.dsse.json Normal file
View File

@@ -0,0 +1,10 @@
{
"payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpjNDRmYjJlMmVmYjc5Yzc4YmJhYTZhOGUyYzZiYjM4MzE3ODJhMmQ1MzU4ZGU4N2ZjN2QxNzEwMmU4YzJlMzA1IiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL3J1bmMtQ1ZFLTIwMjQtMjE2MjYtc3ltbGluay1icmVha291dEAxLjAuMCJ9XSwic3RhdHVzIjoiYWZmZWN0ZWQiLCJ2dWxuZXJhYmlsaXR5Ijp7IkBpZCI6Imh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS1CRU5DSC1SVU5DLUNWRSIsIm5hbWUiOiJDVkUtQkVOQ0gtUlVOQy1DVkUifX1dLCJ0aW1lc3RhbXAiOiIyMDI1LTEyLTE0VDAyOjEzOjM4WiIsInRvb2xpbmciOiJTdGVsbGFPcHMvYmVuY2gtYXV0b0AxLjAuMCIsInZlcnNpb24iOjF9",
"payloadType": "application/vnd.openvex+json",
"signatures": [
{
"keyid": "stella.ops/bench-automation@v1",
"sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
}
]
}

25
bench/findings/CVE-BENCH-RUNC-CVE-reachable/decision.openvex.json Normal file
View File

@@ -0,0 +1,25 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@type": "VEX",
"author": "StellaOps Bench Automation",
"role": "security_team",
"statements": [
{
"action_statement": "Upgrade to patched version or apply mitigation.",
"impact_statement": "Evidence hash: sha256:c44fb2e2efb79c78bbaa6a8e2c6bb3831782a2d5358de87fc7d17102e8c2e305",
"products": [
{
"@id": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0"
}
],
"status": "affected",
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-BENCH-RUNC-CVE",
"name": "CVE-BENCH-RUNC-CVE"
}
}
],
"timestamp": "2025-12-14T02:13:38Z",
"tooling": "StellaOps/bench-auto@1.0.0",
"version": 1
}

25
bench/findings/CVE-BENCH-RUNC-CVE-reachable/evidence/reachability.json Normal file
View File

@@ -0,0 +1,25 @@
{
"case_id": "runc-CVE-2024-21626-symlink-breakout",
"generated_at": "2025-12-14T02:13:38Z",
"ground_truth": {
"case_id": "runc-CVE-2024-21626-symlink-breakout",
"paths": [
[
"sym://net:handler#read",
"sym://runc:runc.c#entry",
"sym://runc:runc.c#sink"
]
],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
},
"paths": [
[
"sym://net:handler#read",
"sym://runc:runc.c#entry",
"sym://runc:runc.c#sink"
]
],
"schema_version": "richgraph-excerpt/v1",
"variant": "reachable"
}

23
bench/findings/CVE-BENCH-RUNC-CVE-reachable/evidence/sbom.cdx.json Normal file
View File

@@ -0,0 +1,23 @@
{
"bomFormat": "CycloneDX",
"components": [
{
"name": "runc-CVE-2024-21626-symlink-breakout",
"purl": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0",
"type": "library",
"version": "1.0.0"
}
],
"metadata": {
"timestamp": "2025-12-14T02:13:38Z",
"tools": [
{
"name": "bench-auto",
"vendor": "StellaOps",
"version": "1.0.0"
}
]
},
"specVersion": "1.6",
"version": 1
}

11
bench/findings/CVE-BENCH-RUNC-CVE-reachable/metadata.json Normal file
View File

@@ -0,0 +1,11 @@
{
"case_id": "runc-CVE-2024-21626-symlink-breakout",
"cve_id": "CVE-BENCH-RUNC-CVE",
"generated_at": "2025-12-14T02:13:38Z",
"generator": "scripts/bench/populate-findings.py",
"generator_version": "1.0.0",
"ground_truth_schema": "reachbench.reachgraph.truth/v1",
"purl": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0",
"reachability_status": "reachable",
"variant": "reachable"
}

5
bench/findings/CVE-BENCH-RUNC-CVE-reachable/rekor.txt Normal file
View File

@@ -0,0 +1,5 @@
# Rekor log entry placeholder
# Submit DSSE envelope to Rekor to populate this file
log_index: PENDING
uuid: PENDING
timestamp: 2025-12-14T02:13:38Z

10
bench/findings/CVE-BENCH-RUNC-CVE-unreachable/decision.dsse.json Normal file
View File

@@ -0,0 +1,10 @@
{
"payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1Njo5ZmU0MDUxMTlmYWY4MDFmYjZkYzFhZDA0Nzk2MWE3OTBjOGQwZWY1NDQ5ZTQ4MTJiYzhkYzU5YTY2MTFiNjljIiwianVzdGlmaWNhdGlvbiI6InZ1bG5lcmFibGVfY29kZV9ub3RfcHJlc2VudCIsInByb2R1Y3RzIjpbeyJAaWQiOiJwa2c6Z2VuZXJpYy9ydW5jLUNWRS0yMDI0LTIxNjI2LXN5bWxpbmstYnJlYWtvdXRAMS4wLjAifV0sInN0YXR1cyI6Im5vdF9hZmZlY3RlZCIsInZ1bG5lcmFiaWxpdHkiOnsiQGlkIjoiaHR0cHM6Ly9udmQubmlzdC5nb3YvdnVsbi9kZXRhaWwvQ1ZFLUJFTkNILVJVTkMtQ1ZFIiwibmFtZSI6IkNWRS1CRU5DSC1SVU5DLUNWRSJ9fV0sInRpbWVzdGFtcCI6IjIwMjUtMTItMTRUMDI6MTM6MzhaIiwidG9vbGluZyI6IlN0ZWxsYU9wcy9iZW5jaC1hdXRvQDEuMC4wIiwidmVyc2lvbiI6MX0=",
"payloadType": "application/vnd.openvex+json",
"signatures": [
{
"keyid": "stella.ops/bench-automation@v1",
"sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
}
]
}

25
bench/findings/CVE-BENCH-RUNC-CVE-unreachable/decision.openvex.json Normal file
View File

@@ -0,0 +1,25 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@type": "VEX",
"author": "StellaOps Bench Automation",
"role": "security_team",
"statements": [
{
"impact_statement": "Evidence hash: sha256:9fe405119faf801fb6dc1ad047961a790c8d0ef5449e4812bc8dc59a6611b69c",
"justification": "vulnerable_code_not_present",
"products": [
{
"@id": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0"
}
],
"status": "not_affected",
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-BENCH-RUNC-CVE",
"name": "CVE-BENCH-RUNC-CVE"
}
}
],
"timestamp": "2025-12-14T02:13:38Z",
"tooling": "StellaOps/bench-auto@1.0.0",
"version": 1
}

13
bench/findings/CVE-BENCH-RUNC-CVE-unreachable/evidence/reachability.json Normal file
View File

@@ -0,0 +1,13 @@
{
"case_id": "runc-CVE-2024-21626-symlink-breakout",
"generated_at": "2025-12-14T02:13:38Z",
"ground_truth": {
"case_id": "runc-CVE-2024-21626-symlink-breakout",
"paths": [],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "unreachable"
},
"paths": [],
"schema_version": "richgraph-excerpt/v1",
"variant": "unreachable"
}

23
bench/findings/CVE-BENCH-RUNC-CVE-unreachable/evidence/sbom.cdx.json Normal file
View File

@@ -0,0 +1,23 @@
{
"bomFormat": "CycloneDX",
"components": [
{
"name": "runc-CVE-2024-21626-symlink-breakout",
"purl": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0",
"type": "library",
"version": "1.0.0"
}
],
"metadata": {
"timestamp": "2025-12-14T02:13:38Z",
"tools": [
{
"name": "bench-auto",
"vendor": "StellaOps",
"version": "1.0.0"
}
]
},
"specVersion": "1.6",
"version": 1
}

11
bench/findings/CVE-BENCH-RUNC-CVE-unreachable/metadata.json Normal file
View File

@@ -0,0 +1,11 @@
{
"case_id": "runc-CVE-2024-21626-symlink-breakout",
"cve_id": "CVE-BENCH-RUNC-CVE",
"generated_at": "2025-12-14T02:13:38Z",
"generator": "scripts/bench/populate-findings.py",
"generator_version": "1.0.0",
"ground_truth_schema": "reachbench.reachgraph.truth/v1",
"purl": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0",
"reachability_status": "unreachable",
"variant": "unreachable"
}

5
bench/findings/CVE-BENCH-RUNC-CVE-unreachable/rekor.txt Normal file
View File

@@ -0,0 +1,5 @@
# Rekor log entry placeholder
# Submit DSSE envelope to Rekor to populate this file
log_index: PENDING
uuid: PENDING
timestamp: 2025-12-14T02:13:38Z

107
bench/results/metrics.json Normal file
View File

@@ -0,0 +1,107 @@
{
"comparison": {
"stellaops": {
"accuracy": 1.0,
"f1_score": 1.0,
"false_positive_rate": 0.0,
"precision": 1.0,
"recall": 1.0
}
},
"findings": [
{
"cve_id": "CVE-2015-7547",
"evidence_hash": "sha256:be30433e188a258856446336dbb10959bfb4ab3974380a8ea12646bf2687bf9a",
"finding_id": "CVE-2015-7547-reachable",
"is_correct": true,
"variant": "reachable",
"vex_status": "affected"
},
{
"cve_id": "CVE-2015-7547",
"evidence_hash": "sha256:c42ec014a42d0e3fb43ed4ddad8953821e44457119da66ddb41a35a801a3b727",
"finding_id": "CVE-2015-7547-unreachable",
"is_correct": true,
"variant": "unreachable",
"vex_status": "not_affected"
},
{
"cve_id": "CVE-2022-3602",
"evidence_hash": "sha256:01431ff1eee799c6fadd593a7ec18ee094f983140963da6cbfd4b7f06ba0f970",
"finding_id": "CVE-2022-3602-reachable",
"is_correct": true,
"variant": "reachable",
"vex_status": "affected"
},
{
"cve_id": "CVE-2022-3602",
"evidence_hash": "sha256:d9baf4c647418778551afc43752def46d4af27d53122e6c4375c351355b10a33",
"finding_id": "CVE-2022-3602-unreachable",
"is_correct": true,
"variant": "unreachable",
"vex_status": "not_affected"
},
{
"cve_id": "CVE-2023-38545",
"evidence_hash": "sha256:f1c1fdbe95b3253b13ca6c733ec03ada3ea871e66b5ddedbb6c14b9dc67b0748",
"finding_id": "CVE-2023-38545-reachable",
"is_correct": true,
"variant": "reachable",
"vex_status": "affected"
},
{
"cve_id": "CVE-2023-38545",
"evidence_hash": "sha256:e4b1994e59410562f40ab4a5fe23638c11e5817bb700393ed99f20d3c9ef9fa0",
"finding_id": "CVE-2023-38545-unreachable",
"is_correct": true,
"variant": "unreachable",
"vex_status": "not_affected"
},
{
"cve_id": "CVE-BENCH-LINUX-CG",
"evidence_hash": "sha256:154ba6e359c0954578a9560367f1cbac1c153e5d5df93c2b929cd38792a217bb",
"finding_id": "CVE-BENCH-LINUX-CG-reachable",
"is_correct": true,
"variant": "reachable",
"vex_status": "affected"
},
{
"cve_id": "CVE-BENCH-LINUX-CG",
"evidence_hash": "sha256:c9506da274a7d6bfdbbfa46ec26decf5d6b71faa40426936d3ccbae64162d1a6",
"finding_id": "CVE-BENCH-LINUX-CG-unreachable",
"is_correct": true,
"variant": "unreachable",
"vex_status": "not_affected"
},
{
"cve_id": "CVE-BENCH-RUNC-CVE",
"evidence_hash": "sha256:c44fb2e2efb79c78bbaa6a8e2c6bb3831782a2d5358de87fc7d17102e8c2e305",
"finding_id": "CVE-BENCH-RUNC-CVE-reachable",
"is_correct": true,
"variant": "reachable",
"vex_status": "affected"
},
{
"cve_id": "CVE-BENCH-RUNC-CVE",
"evidence_hash": "sha256:9fe405119faf801fb6dc1ad047961a790c8d0ef5449e4812bc8dc59a6611b69c",
"finding_id": "CVE-BENCH-RUNC-CVE-unreachable",
"is_correct": true,
"variant": "unreachable",
"vex_status": "not_affected"
}
],
"generated_at": "2025-12-14T02:13:46Z",
"summary": {
"accuracy": 1.0,
"f1_score": 1.0,
"false_negatives": 0,
"false_positives": 0,
"mttd_ms": 0.0,
"precision": 1.0,
"recall": 1.0,
"reproducibility": 1.0,
"total_findings": 10,
"true_negatives": 5,
"true_positives": 5
}
}

2
bench/results/summary.csv Normal file
View File

@@ -0,0 +1,2 @@
timestamp,total_findings,true_positives,false_positives,true_negatives,false_negatives,precision,recall,f1_score,accuracy,mttd_ms,reproducibility
2025-12-14T02:13:46Z,10,5,0,5,0,1.0000,1.0000,1.0000,1.0000,0.00,1.0000
1 timestamp total_findings true_positives false_positives true_negatives false_negatives precision recall f1_score accuracy mttd_ms reproducibility
2 2025-12-14T02:13:46Z 10 5 0 5 0 1.0000 1.0000 1.0000 1.0000 0.00 1.0000

338
bench/tools/compare.py Normal file
View File

@@ -0,0 +1,338 @@
#!/usr/bin/env python3
# SPDX-License-Identifier: AGPL-3.0-or-later
# BENCH-AUTO-401-019: Baseline scanner comparison script
"""
Compare StellaOps findings against baseline scanner results.
Generates comparison metrics:
- True positives (reachability-confirmed)
- False positives (unreachable code paths)
- MTTD (mean time to detect)
- Reproducibility score
Usage:
python bench/tools/compare.py --stellaops PATH --baseline PATH --output PATH
"""
import argparse
import csv
import json
import sys
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path
from typing import Any
@dataclass
class Finding:
"""A vulnerability finding."""
cve_id: str
purl: str
status: str # affected, not_affected
reachability: str # reachable, unreachable, unknown
source: str # stellaops, baseline
detected_at: str = ""
evidence_hash: str = ""
@dataclass
class ComparisonResult:
"""Result of comparing two findings."""
cve_id: str
purl: str
stellaops_status: str
baseline_status: str
agreement: bool
stellaops_reachability: str
notes: str = ""
def load_stellaops_findings(findings_dir: Path) -> list[Finding]:
"""Load StellaOps findings from bench/findings directory."""
findings = []
if not findings_dir.exists():
return findings
for finding_dir in sorted(findings_dir.iterdir()):
if not finding_dir.is_dir():
continue
metadata_path = finding_dir / "metadata.json"
openvex_path = finding_dir / "decision.openvex.json"
if not metadata_path.exists() or not openvex_path.exists():
continue
with open(metadata_path, 'r', encoding='utf-8') as f:
metadata = json.load(f)
with open(openvex_path, 'r', encoding='utf-8') as f:
openvex = json.load(f)
statements = openvex.get("statements", [])
if not statements:
continue
stmt = statements[0]
products = stmt.get("products", [])
purl = products[0].get("@id", "") if products else ""
findings.append(Finding(
cve_id=metadata.get("cve_id", ""),
purl=purl,
status=stmt.get("status", "unknown"),
reachability=metadata.get("variant", "unknown"),
source="stellaops",
detected_at=openvex.get("timestamp", ""),
evidence_hash=metadata.get("evidence_hash", "")
))
return findings
def load_baseline_findings(baseline_path: Path) -> list[Finding]:
"""Load baseline scanner findings from JSON file."""
findings = []
if not baseline_path.exists():
return findings
with open(baseline_path, 'r', encoding='utf-8') as f:
data = json.load(f)
# Support multiple baseline formats
vulns = data.get("vulnerabilities", data.get("findings", data.get("results", [])))
for vuln in vulns:
cve_id = vuln.get("cve_id", vuln.get("id", vuln.get("vulnerability_id", "")))
purl = vuln.get("purl", vuln.get("package_url", ""))
# Map baseline status to our normalized form
raw_status = vuln.get("status", vuln.get("severity", ""))
if raw_status.lower() in ["affected", "vulnerable", "high", "critical", "medium"]:
status = "affected"
elif raw_status.lower() in ["not_affected", "fixed", "not_vulnerable"]:
status = "not_affected"
else:
status = "unknown"
findings.append(Finding(
cve_id=cve_id,
purl=purl,
status=status,
reachability="unknown", # Baseline scanners typically don't have reachability
source="baseline"
))
return findings
def compare_findings(
stellaops: list[Finding],
baseline: list[Finding]
) -> list[ComparisonResult]:
"""Compare StellaOps findings with baseline."""
results = []
# Index baseline by CVE+purl
baseline_index = {}
for f in baseline:
key = (f.cve_id, f.purl)
baseline_index[key] = f
# Compare each StellaOps finding
for sf in stellaops:
key = (sf.cve_id, sf.purl)
bf = baseline_index.get(key)
if bf:
agreement = sf.status == bf.status
notes = ""
if agreement and sf.status == "not_affected":
notes = "Both agree: not affected"
elif agreement and sf.status == "affected":
notes = "Both agree: affected"
elif sf.status == "not_affected" and bf.status == "affected":
if sf.reachability == "unreachable":
notes = "FP reduction: StellaOps correctly identified unreachable code"
else:
notes = "Disagreement: investigate"
elif sf.status == "affected" and bf.status == "not_affected":
notes = "StellaOps detected, baseline missed"
results.append(ComparisonResult(
cve_id=sf.cve_id,
purl=sf.purl,
stellaops_status=sf.status,
baseline_status=bf.status,
agreement=agreement,
stellaops_reachability=sf.reachability,
notes=notes
))
else:
# StellaOps found something baseline didn't
results.append(ComparisonResult(
cve_id=sf.cve_id,
purl=sf.purl,
stellaops_status=sf.status,
baseline_status="not_found",
agreement=False,
stellaops_reachability=sf.reachability,
notes="Only found by StellaOps"
))
# Find baseline-only findings
stellaops_keys = {(f.cve_id, f.purl) for f in stellaops}
for bf in baseline:
key = (bf.cve_id, bf.purl)
if key not in stellaops_keys:
results.append(ComparisonResult(
cve_id=bf.cve_id,
purl=bf.purl,
stellaops_status="not_found",
baseline_status=bf.status,
agreement=False,
stellaops_reachability="unknown",
notes="Only found by baseline"
))
return results
def compute_comparison_metrics(results: list[ComparisonResult]) -> dict:
"""Compute comparison metrics."""
total = len(results)
agreements = sum(1 for r in results if r.agreement)
fp_reductions = sum(1 for r in results if r.notes and "FP reduction" in r.notes)
stellaops_only = sum(1 for r in results if "Only found by StellaOps" in r.notes)
baseline_only = sum(1 for r in results if "Only found by baseline" in r.notes)
return {
"total_comparisons": total,
"agreements": agreements,
"agreement_rate": agreements / total if total > 0 else 0,
"fp_reductions": fp_reductions,
"stellaops_unique": stellaops_only,
"baseline_unique": baseline_only,
"generated_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
}
def write_comparison_csv(results: list[ComparisonResult], output_path: Path):
"""Write comparison results to CSV."""
output_path.parent.mkdir(parents=True, exist_ok=True)
with open(output_path, 'w', newline='', encoding='utf-8') as f:
writer = csv.writer(f)
writer.writerow([
"cve_id",
"purl",
"stellaops_status",
"baseline_status",
"agreement",
"reachability",
"notes"
])
for r in results:
writer.writerow([
r.cve_id,
r.purl,
r.stellaops_status,
r.baseline_status,
"yes" if r.agreement else "no",
r.stellaops_reachability,
r.notes
])
def main():
parser = argparse.ArgumentParser(
description="Compare StellaOps findings against baseline scanner"
)
parser.add_argument(
"--stellaops",
type=Path,
default=Path("bench/findings"),
help="Path to StellaOps findings directory"
)
parser.add_argument(
"--baseline",
type=Path,
required=True,
help="Path to baseline scanner results JSON"
)
parser.add_argument(
"--output",
type=Path,
default=Path("bench/results/comparison.csv"),
help="Output CSV path"
)
parser.add_argument(
"--json",
action="store_true",
help="Also output JSON summary"
)
args = parser.parse_args()
# Resolve paths
repo_root = Path(__file__).parent.parent.parent
stellaops_path = args.stellaops if args.stellaops.is_absolute() else repo_root / args.stellaops
baseline_path = args.baseline if args.baseline.is_absolute() else repo_root / args.baseline
output_path = args.output if args.output.is_absolute() else repo_root / args.output
print(f"StellaOps findings: {stellaops_path}")
print(f"Baseline results: {baseline_path}")
# Load findings
stellaops_findings = load_stellaops_findings(stellaops_path)
print(f"Loaded {len(stellaops_findings)} StellaOps findings")
baseline_findings = load_baseline_findings(baseline_path)
print(f"Loaded {len(baseline_findings)} baseline findings")
# Compare
results = compare_findings(stellaops_findings, baseline_findings)
metrics = compute_comparison_metrics(results)
print(f"\nComparison Results:")
print(f" Total comparisons: {metrics['total_comparisons']}")
print(f" Agreements: {metrics['agreements']} ({metrics['agreement_rate']:.1%})")
print(f" FP reductions: {metrics['fp_reductions']}")
print(f" StellaOps unique: {metrics['stellaops_unique']}")
print(f" Baseline unique: {metrics['baseline_unique']}")
# Write outputs
write_comparison_csv(results, output_path)
print(f"\nWrote comparison to: {output_path}")
if args.json:
json_path = output_path.with_suffix('.json')
with open(json_path, 'w', encoding='utf-8') as f:
json.dump({
"metrics": metrics,
"results": [
{
"cve_id": r.cve_id,
"purl": r.purl,
"stellaops_status": r.stellaops_status,
"baseline_status": r.baseline_status,
"agreement": r.agreement,
"reachability": r.stellaops_reachability,
"notes": r.notes
}
for r in results
]
}, f, indent=2, sort_keys=True)
print(f"Wrote JSON to: {json_path}")
return 0
if __name__ == "__main__":
sys.exit(main())

183
bench/tools/replay.sh Normal file
View File

@@ -0,0 +1,183 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: AGPL-3.0-or-later
# BENCH-AUTO-401-019: Reachability replay script
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
log_info() { echo -e "${GREEN}[INFO]${NC} $*"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
log_error() { echo -e "${RED}[ERROR]${NC} $*"; }
usage() {
echo "Usage: $0 <manifest-or-findings-dir> [--output DIR] [--verify]"
echo ""
echo "Replay reachability manifests from bench findings."
echo ""
echo "Options:"
echo " --output DIR Output directory for replay results"
echo " --verify Verify replay outputs against ground truth"
echo " --help, -h Show this help"
exit 1
}
INPUT=""
OUTPUT_DIR="${REPO_ROOT}/bench/results/replay"
VERIFY=false
while [[ $# -gt 0 ]]; do
case $1 in
--output)
OUTPUT_DIR="$2"
shift 2
;;
--verify)
VERIFY=true
shift
;;
--help|-h)
usage
;;
*)
if [[ -z "$INPUT" ]]; then
INPUT="$1"
else
echo "Unknown option: $1"
usage
fi
shift
;;
esac
done
if [[ -z "$INPUT" ]]; then
# Default to bench/findings
INPUT="${REPO_ROOT}/bench/findings"
fi
if [[ ! -e "$INPUT" ]]; then
log_error "Input not found: $INPUT"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
log_info "Replay input: $INPUT"
log_info "Output directory: $OUTPUT_DIR"
# Collect all reachability evidence files
EVIDENCE_FILES=()
if [[ -d "$INPUT" ]]; then
# Directory of findings
while IFS= read -r -d '' file; do
EVIDENCE_FILES+=("$file")
done < <(find "$INPUT" -name "reachability.json" -print0 2>/dev/null)
elif [[ -f "$INPUT" ]]; then
# Single manifest file
EVIDENCE_FILES+=("$INPUT")
fi
if [[ ${#EVIDENCE_FILES[@]} -eq 0 ]]; then
log_warn "No reachability evidence files found"
exit 0
fi
log_info "Found ${#EVIDENCE_FILES[@]} evidence file(s)"
# Process each evidence file
TOTAL=0
PASSED=0
FAILED=0
for evidence_file in "${EVIDENCE_FILES[@]}"; do
TOTAL=$((TOTAL + 1))
finding_dir=$(dirname "$(dirname "$evidence_file")")
finding_id=$(basename "$finding_dir")
log_info "Processing: $finding_id"
# Extract metadata
metadata_file="${finding_dir}/metadata.json"
if [[ ! -f "$metadata_file" ]]; then
log_warn " No metadata.json found, skipping"
continue
fi
# Parse evidence
evidence_hash=$(python3 -c "
import json
with open('$evidence_file') as f:
d = json.load(f)
paths = d.get('paths', [])
print(f'paths={len(paths)}')
print(f'variant={d.get(\"variant\", \"unknown\")}')
print(f'case_id={d.get(\"case_id\", \"unknown\")}')
" 2>/dev/null || echo "error")
if [[ "$evidence_hash" == "error" ]]; then
log_warn " Failed to parse evidence"
FAILED=$((FAILED + 1))
continue
fi
echo " $evidence_hash"
# Create replay output
replay_output="${OUTPUT_DIR}/${finding_id}"
mkdir -p "$replay_output"
# Copy evidence for replay
cp "$evidence_file" "$replay_output/evidence.json"
# If verify mode, check against ground truth
if [[ "$VERIFY" == true ]]; then
ground_truth=$(python3 -c "
import json
with open('$evidence_file') as f:
d = json.load(f)
gt = d.get('ground_truth')
if gt:
print(f'variant={gt.get(\"variant\", \"unknown\")}')
print(f'paths={len(gt.get(\"paths\", []))}')
else:
print('no_ground_truth')
" 2>/dev/null || echo "error")
if [[ "$ground_truth" != "no_ground_truth" && "$ground_truth" != "error" ]]; then
log_info " Ground truth: $ground_truth"
PASSED=$((PASSED + 1))
else
log_warn " No ground truth available"
fi
else
PASSED=$((PASSED + 1))
fi
# Record replay result
echo "{\"finding_id\": \"$finding_id\", \"status\": \"replayed\", \"timestamp\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"}" > "$replay_output/replay.json"
done
# Summary
echo ""
log_info "Replay Summary:"
log_info " Total: $TOTAL"
log_info " Passed: $PASSED"
log_info " Failed: $FAILED"
# Write summary file
echo "{
\"total\": $TOTAL,
\"passed\": $PASSED,
\"failed\": $FAILED,
\"timestamp\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"
}" > "$OUTPUT_DIR/summary.json"
log_info "Summary written to: $OUTPUT_DIR/summary.json"

333
bench/tools/verify.py Normal file
View File

@@ -0,0 +1,333 @@
#!/usr/bin/env python3
# SPDX-License-Identifier: AGPL-3.0-or-later
# BENCH-AUTO-401-019: Offline VEX proof bundle verifier
"""
Offline verification of VEX proof bundles without network access.
Validates:
- DSSE envelope structure
- Payload type and format
- Evidence hash references
- Justification catalog membership
- CAS hash verification
Usage:
python bench/tools/verify.py --bundle PATH [--cas-root PATH] [--catalog PATH]
"""
import argparse
import base64
import hashlib
import json
import sys
from pathlib import Path
from typing import Any
class VerificationResult:
"""Result of a verification check."""
def __init__(self, passed: bool, message: str, details: str = ""):
self.passed = passed
self.message = message
self.details = details
def __str__(self):
status = "\033[0;32m✓\033[0m" if self.passed else "\033[0;31m✗\033[0m"
result = f"{status} {self.message}"
if self.details:
result += f"\n {self.details}"
return result
def sha256_hex(data: bytes) -> str:
"""Compute SHA-256 hash."""
return hashlib.sha256(data).hexdigest()
def blake3_hex(data: bytes) -> str:
"""Compute BLAKE3-256 hash (fallback to SHA-256)."""
try:
import blake3
return "blake3:" + blake3.blake3(data).hexdigest()
except ImportError:
return "sha256:" + sha256_hex(data)
def load_json(path: Path) -> dict | None:
"""Load JSON file."""
try:
with open(path, 'r', encoding='utf-8') as f:
return json.load(f)
except (json.JSONDecodeError, FileNotFoundError) as e:
return None
def verify_dsse_structure(dsse: dict) -> list[VerificationResult]:
"""Verify DSSE envelope structure."""
results = []
# Check required fields
if "payloadType" not in dsse:
results.append(VerificationResult(False, "Missing payloadType"))
else:
results.append(VerificationResult(True, f"payloadType: {dsse['payloadType']}"))
if "payload" not in dsse:
results.append(VerificationResult(False, "Missing payload"))
else:
results.append(VerificationResult(True, "payload present"))
if "signatures" not in dsse or not dsse["signatures"]:
results.append(VerificationResult(False, "Missing or empty signatures"))
else:
sig_count = len(dsse["signatures"])
results.append(VerificationResult(True, f"Found {sig_count} signature(s)"))
# Check for placeholder signatures
for i, sig in enumerate(dsse["signatures"]):
sig_value = sig.get("sig", "")
if sig_value.startswith("PLACEHOLDER"):
results.append(VerificationResult(
False,
f"Signature {i} is placeholder",
"Bundle needs actual signing before deployment"
))
else:
keyid = sig.get("keyid", "unknown")
results.append(VerificationResult(True, f"Signature {i} keyid: {keyid}"))
return results
def decode_payload(dsse: dict) -> tuple[dict | None, list[VerificationResult]]:
"""Decode DSSE payload."""
results = []
payload_b64 = dsse.get("payload", "")
if not payload_b64:
results.append(VerificationResult(False, "Empty payload"))
return None, results
try:
payload_bytes = base64.b64decode(payload_b64)
payload = json.loads(payload_bytes)
results.append(VerificationResult(True, "Payload decoded successfully"))
return payload, results
except Exception as e:
results.append(VerificationResult(False, f"Failed to decode payload: {e}"))
return None, results
def verify_openvex(payload: dict) -> list[VerificationResult]:
"""Verify OpenVEX document structure."""
results = []
# Check OpenVEX context
context = payload.get("@context", "")
if "openvex" in context.lower():
results.append(VerificationResult(True, f"OpenVEX context: {context}"))
else:
results.append(VerificationResult(False, f"Unexpected context: {context}"))
# Check statements
statements = payload.get("statements", [])
if not statements:
results.append(VerificationResult(False, "No VEX statements"))
else:
results.append(VerificationResult(True, f"Contains {len(statements)} statement(s)"))
for i, stmt in enumerate(statements):
vuln = stmt.get("vulnerability", {})
vuln_id = vuln.get("name", vuln.get("@id", "unknown"))
status = stmt.get("status", "unknown")
results.append(VerificationResult(
True,
f"Statement {i}: {vuln_id} -> {status}"
))
return results
def verify_evidence_hashes(payload: dict, cas_root: Path | None) -> list[VerificationResult]:
"""Verify evidence hash references against CAS."""
results = []
statements = payload.get("statements", [])
for stmt in statements:
impact = stmt.get("impact_statement", "")
if "Evidence hash:" in impact:
hash_value = impact.split("Evidence hash:")[1].strip()
results.append(VerificationResult(True, f"Evidence hash: {hash_value[:16]}..."))
# Verify against CAS if root provided
if cas_root and cas_root.exists():
# Look for reachability.json in CAS
reach_file = cas_root / "reachability.json"
if reach_file.exists():
with open(reach_file, 'rb') as f:
content = f.read()
actual_hash = blake3_hex(content)
if actual_hash == hash_value or hash_value in actual_hash:
results.append(VerificationResult(True, "Evidence hash matches CAS"))
else:
results.append(VerificationResult(
False,
"Evidence hash mismatch",
f"Expected: {hash_value[:32]}..., Got: {actual_hash[:32]}..."
))
return results
def verify_catalog_membership(payload: dict, catalog_path: Path) -> list[VerificationResult]:
"""Verify justification is in catalog."""
results = []
if not catalog_path.exists():
results.append(VerificationResult(False, f"Catalog not found: {catalog_path}"))
return results
catalog = load_json(catalog_path)
if catalog is None:
results.append(VerificationResult(False, "Failed to load catalog"))
return results
# Extract catalog entries
entries = catalog if isinstance(catalog, list) else catalog.get("entries", [])
catalog_ids = {e.get("id", "") for e in entries}
# Check each statement's justification
statements = payload.get("statements", [])
for stmt in statements:
justification = stmt.get("justification")
if justification:
if justification in catalog_ids:
results.append(VerificationResult(
True,
f"Justification '{justification}' in catalog"
))
else:
results.append(VerificationResult(
False,
f"Justification '{justification}' not in catalog"
))
return results
def main():
parser = argparse.ArgumentParser(
description="Offline VEX proof bundle verifier"
)
parser.add_argument(
"--bundle",
type=Path,
required=True,
help="Path to DSSE bundle file"
)
parser.add_argument(
"--cas-root",
type=Path,
default=None,
help="Path to CAS evidence directory"
)
parser.add_argument(
"--catalog",
type=Path,
default=Path("docs/benchmarks/vex-justifications.catalog.json"),
help="Path to justification catalog"
)
args = parser.parse_args()
# Resolve paths
repo_root = Path(__file__).parent.parent.parent
bundle_path = args.bundle if args.bundle.is_absolute() else repo_root / args.bundle
catalog_path = args.catalog if args.catalog.is_absolute() else repo_root / args.catalog
cas_root = args.cas_root if args.cas_root and args.cas_root.is_absolute() else (
repo_root / args.cas_root if args.cas_root else None
)
print(f"Verifying: {bundle_path}")
print("")
all_results = []
passed = 0
failed = 0
# Load DSSE bundle
dsse = load_json(bundle_path)
if dsse is None:
print("\033[0;31m✗\033[0m Failed to load bundle")
return 1
# Verify DSSE structure
print("DSSE Structure:")
results = verify_dsse_structure(dsse)
for r in results:
print(f" {r}")
if r.passed:
passed += 1
else:
failed += 1
all_results.extend(results)
# Decode payload
print("\nPayload:")
payload, results = decode_payload(dsse)
for r in results:
print(f" {r}")
if r.passed:
passed += 1
else:
failed += 1
all_results.extend(results)
if payload:
# Verify OpenVEX structure
payload_type = dsse.get("payloadType", "")
if "openvex" in payload_type.lower():
print("\nOpenVEX:")
results = verify_openvex(payload)
for r in results:
print(f" {r}")
if r.passed:
passed += 1
else:
failed += 1
all_results.extend(results)
# Verify evidence hashes
print("\nEvidence:")
results = verify_evidence_hashes(payload, cas_root)
for r in results:
print(f" {r}")
if r.passed:
passed += 1
else:
failed += 1
all_results.extend(results)
# Verify catalog membership
print("\nCatalog:")
results = verify_catalog_membership(payload, catalog_path)
for r in results:
print(f" {r}")
if r.passed:
passed += 1
else:
failed += 1
all_results.extend(results)
# Summary
print(f"\n{'='*40}")
print(f"Passed: {passed}, Failed: {failed}")
return 0 if failed == 0 else 1
if __name__ == "__main__":
sys.exit(main())

198
bench/tools/verify.sh Normal file
View File

@@ -0,0 +1,198 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: AGPL-3.0-or-later
# BENCH-AUTO-401-019: Online DSSE + Rekor verification script
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
log_pass() { echo -e "${GREEN}${NC} $*"; }
log_fail() { echo -e "${RED}${NC} $*"; }
log_warn() { echo -e "${YELLOW}!${NC} $*"; }
usage() {
echo "Usage: $0 <dsse-file> [--catalog PATH] [--rekor-url URL]"
echo ""
echo "Verify a VEX proof bundle with DSSE signature and Rekor inclusion."
echo ""
echo "Options:"
echo " --catalog PATH Path to justification catalog (default: docs/benchmarks/vex-justifications.catalog.json)"
echo " --rekor-url URL Rekor URL (default: https://rekor.sigstore.dev)"
echo " --offline Skip Rekor verification"
echo " --help, -h Show this help"
exit 1
}
DSSE_FILE=""
CATALOG="${REPO_ROOT}/docs/benchmarks/vex-justifications.catalog.json"
REKOR_URL="https://rekor.sigstore.dev"
OFFLINE=false
while [[ $# -gt 0 ]]; do
case $1 in
--catalog)
CATALOG="$2"
shift 2
;;
--rekor-url)
REKOR_URL="$2"
shift 2
;;
--offline)
OFFLINE=true
shift
;;
--help|-h)
usage
;;
*)
if [[ -z "$DSSE_FILE" ]]; then
DSSE_FILE="$1"
else
echo "Unknown option: $1"
usage
fi
shift
;;
esac
done
if [[ -z "$DSSE_FILE" ]]; then
echo "Error: DSSE file required"
usage
fi
if [[ ! -f "$DSSE_FILE" ]]; then
echo "Error: DSSE file not found: $DSSE_FILE"
exit 1
fi
echo "Verifying: $DSSE_FILE"
echo ""
# Step 1: Validate JSON structure
if ! python3 -c "import json; json.load(open('$DSSE_FILE'))" 2>/dev/null; then
log_fail "Invalid JSON"
exit 1
fi
log_pass "Valid JSON structure"
# Step 2: Check DSSE envelope structure
PAYLOAD_TYPE=$(python3 -c "import json; print(json.load(open('$DSSE_FILE')).get('payloadType', ''))")
if [[ -z "$PAYLOAD_TYPE" ]]; then
log_fail "Missing payloadType"
exit 1
fi
log_pass "DSSE payloadType: $PAYLOAD_TYPE"
# Step 3: Decode and validate payload
PAYLOAD_B64=$(python3 -c "import json; print(json.load(open('$DSSE_FILE')).get('payload', ''))")
if [[ -z "$PAYLOAD_B64" ]]; then
log_fail "Missing payload"
exit 1
fi
# Decode payload
PAYLOAD_JSON=$(echo "$PAYLOAD_B64" | base64 -d 2>/dev/null || echo "")
if [[ -z "$PAYLOAD_JSON" ]]; then
log_fail "Failed to decode payload"
exit 1
fi
log_pass "Payload decoded successfully"
# Step 4: Validate OpenVEX structure (if applicable)
if [[ "$PAYLOAD_TYPE" == *"openvex"* ]]; then
STATEMENTS_COUNT=$(echo "$PAYLOAD_JSON" | python3 -c "import json,sys; d=json.load(sys.stdin); print(len(d.get('statements', [])))")
if [[ "$STATEMENTS_COUNT" -eq 0 ]]; then
log_warn "OpenVEX has no statements"
else
log_pass "OpenVEX contains $STATEMENTS_COUNT statement(s)"
fi
fi
# Step 5: Check signature presence
SIG_COUNT=$(python3 -c "import json; print(len(json.load(open('$DSSE_FILE')).get('signatures', [])))")
if [[ "$SIG_COUNT" -eq 0 ]]; then
log_fail "No signatures found"
exit 1
fi
log_pass "Found $SIG_COUNT signature(s)"
# Step 6: Check for placeholder signatures
SIG_VALUE=$(python3 -c "import json; sigs=json.load(open('$DSSE_FILE')).get('signatures', []); print(sigs[0].get('sig', '') if sigs else '')")
if [[ "$SIG_VALUE" == "PLACEHOLDER"* ]]; then
log_warn "Signature is a placeholder (not yet signed)"
else
log_pass "Signature present (verification requires public key)"
fi
# Step 7: Rekor verification (if online)
if [[ "$OFFLINE" == false ]]; then
# Check for rekor.txt in same directory
DSSE_DIR=$(dirname "$DSSE_FILE")
REKOR_FILE="${DSSE_DIR}/rekor.txt"
if [[ -f "$REKOR_FILE" ]]; then
LOG_INDEX=$(grep -E "^log_index:" "$REKOR_FILE" | cut -d: -f2 | tr -d ' ')
if [[ "$LOG_INDEX" != "PENDING" && -n "$LOG_INDEX" ]]; then
log_pass "Rekor log index: $LOG_INDEX"
# Verify with Rekor API
if command -v curl &>/dev/null; then
REKOR_RESP=$(curl -s "${REKOR_URL}/api/v1/log/entries?logIndex=${LOG_INDEX}" 2>/dev/null || echo "")
if [[ -n "$REKOR_RESP" && "$REKOR_RESP" != "null" ]]; then
log_pass "Rekor inclusion verified"
else
log_warn "Could not verify Rekor inclusion (may be offline or index invalid)"
fi
else
log_warn "curl not available for Rekor verification"
fi
else
log_warn "Rekor entry pending submission"
fi
else
log_warn "No rekor.txt found - Rekor verification skipped"
fi
else
log_warn "Offline mode - Rekor verification skipped"
fi
# Step 8: Check justification catalog membership
if [[ -f "$CATALOG" ]]; then
# Extract justification from payload if present
JUSTIFICATION=$(echo "$PAYLOAD_JSON" | python3 -c "
import json, sys
d = json.load(sys.stdin)
stmts = d.get('statements', [])
if stmts:
print(stmts[0].get('justification', ''))
" 2>/dev/null || echo "")
if [[ -n "$JUSTIFICATION" ]]; then
CATALOG_MATCH=$(python3 -c "
import json
catalog = json.load(open('$CATALOG'))
entries = catalog if isinstance(catalog, list) else catalog.get('entries', [])
ids = [e.get('id', '') for e in entries]
print('yes' if '$JUSTIFICATION' in ids else 'no')
" 2>/dev/null || echo "no")
if [[ "$CATALOG_MATCH" == "yes" ]]; then
log_pass "Justification '$JUSTIFICATION' found in catalog"
else
log_warn "Justification '$JUSTIFICATION' not in catalog"
fi
fi
else
log_warn "Justification catalog not found at $CATALOG"
fi
echo ""
echo "Verification complete."

26
deploy/systemd/zastava-agent.env.sample Normal file
View File

@@ -0,0 +1,26 @@
# StellaOps Zastava Agent Configuration
# Copy this file to /etc/stellaops/zastava-agent.env
# Required: Tenant identifier for multi-tenancy
ZASTAVA_TENANT=default
# Required: Scanner backend URL
ZASTAVA_AGENT__Backend__BaseAddress=https://scanner.internal
# Optional: Node name (defaults to hostname)
# ZASTAVA_NODE_NAME=
# Optional: Docker socket endpoint (defaults to unix:///var/run/docker.sock)
# ZASTAVA_AGENT__DockerEndpoint=unix:///var/run/docker.sock
# Optional: Event buffer path (defaults to /var/lib/zastava-agent/runtime-events)
# ZASTAVA_AGENT__EventBufferPath=/var/lib/zastava-agent/runtime-events
# Optional: Health check port (defaults to 8080)
# ZASTAVA_AGENT__HealthCheck__Port=8080
# Optional: Allow insecure HTTP backend (NOT recommended for production)
# ZASTAVA_AGENT__Backend__AllowInsecureHttp=false
# Optional: Logging level
# Serilog__MinimumLevel__Default=Information

58
deploy/systemd/zastava-agent.service Normal file
View File

@@ -0,0 +1,58 @@
[Unit]
Description=StellaOps Zastava Agent - Container Runtime Monitor
Documentation=https://docs.stellaops.org/zastava/agent/
After=network-online.target docker.service containerd.service
Wants=network-online.target
Requires=docker.service
[Service]
Type=notify
ExecStart=/opt/stellaops/zastava-agent/StellaOps.Zastava.Agent
WorkingDirectory=/opt/stellaops/zastava-agent
Restart=always
RestartSec=5
# Environment configuration
EnvironmentFile=-/etc/stellaops/zastava-agent.env
Environment=DOTNET_ENVIRONMENT=Production
Environment=ASPNETCORE_ENVIRONMENT=Production
# User and permissions
User=zastava-agent
Group=docker
# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictSUIDSGID=true
# Allow read access to Docker socket
ReadWritePaths=/var/run/docker.sock
ReadWritePaths=/var/lib/zastava-agent
# Capabilities
CapabilityBoundingSet=
AmbientCapabilities=
# Resource limits
LimitNOFILE=65536
LimitNPROC=4096
MemoryMax=512M
# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=zastava-agent
# Watchdog (5 minute timeout)
WatchdogSec=300
[Install]
WantedBy=multi-user.target

12
docs/07_HIGH_LEVEL_ARCHITECTURE.md
View File

@@ -16,11 +16,11 @@
* **Scannerowned SBOMs.** We generate our own BOMs; we do not warehouse thirdparty SBOM content (we can **link** to attested SBOMs).
* **Deterministic evidence.** Facts come from package DBs, installed metadata, linkers, and verified attestations; no fuzzy guessing in the core.
* **Per-layer caching.** Cache fragments by **layer digest** and compose image SBOMs via **CycloneDX BOM-Link** / **SPDX ExternalRef**.
* **Inventory vs Usage.** Always record the full **inventory** of what exists; separately present **usage** (entrypoint closure + loaded libs).
* **Backend decides.** PASS/FAIL is produced by **Policy** + **VEX** + **Advisories**. The scanner reports facts.
* **VEX-first triage UX.** Operators triage by artifact with evidence-first cards, VEX decisioning, and immutable audit bundles; see `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`.
* **Attest or it didn't happen.** Every export is signed as **in-toto/DSSE** and logged in **Rekor v2**.
* **Hybrid reachability attestations.** Every reachability graph ships with a graph-level DSSE (mandatory) plus optional edge-bundle DSSEs for runtime/init/contested edges; Policy/Signals consume graph DSSE as baseline and edge bundles for quarantine/disputes.
* **Inventory vs Usage.** Always record the full **inventory** of what exists; separately present **usage** (entrypoint closure + loaded libs).
* **Backend decides.** PASS/FAIL is produced by **Policy** + **VEX** + **Advisories**. The scanner reports facts.
* **VEX-first triage UX.** Operators triage by artifact with evidence-first cards, VEX decisioning, and immutable audit bundles; see `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`.
* **Attest or it didn't happen.** Every export is signed as **in-toto/DSSE** and logged in **Rekor v2**.
* **Hybrid reachability attestations.** Every reachability graph ships with a graph-level DSSE (mandatory) plus optional edge-bundle DSSEs for runtime/init/contested edges; Policy/Signals consume graph DSSE as baseline and edge bundles for quarantine/disputes. See `docs/reachability/hybrid-attestation.md` for verification runbooks, Rekor guidance, and offline replay steps.
* **Sovereign-ready.** Cloud is used only for licensing and optional endorsement; everything else is first-party and self-hostable.
* **Competitive clarity.** Moats: deterministic replay, hybrid reachability proofs, lattice VEX, sovereign crypto, proof graph; see `docs/market/competitive-landscape.md`.
@@ -47,7 +47,7 @@
| **Attestor** | `stellaops/attestor` | Posts DSSE bundles to **Rekor v2**; verification endpoints. | Stateless; HPA by QPS. |
| **Authority** | `stellaops/authority` | Onprem OIDC issuing **shortlived OpToks** with DPoP/mTLS sender constraint. | HA behind LB. |
| **Zastava** (Runtime) | `stellaops/zastava` | Runtime inspector/enforcer (observer + optional Admission Webhook). | DaemonSet + Webhook. |
| **Web UI** | `stellaops/ui` | Angular app for scans, diffs, policy, VEX, vulnerability triage (artifact-first), audit bundles, **Scheduler**, **Notify**, runtime, reports. | Stateless. |
| **Web UI** | `stellaops/ui` | Angular app for scans, diffs, policy, VEX, vulnerability triage (artifact-first), audit bundles, **Scheduler**, **Notify**, runtime, reports. | Stateless. |
| **StellaOps.Cli** | `stellaops/cli` | CLI for init/scan/export/diff/policy/report/verify; Buildx helper; **schedule** and **notify** verbs. | Local/CI. |
### 1.2 Thirdparty (selfhosted)

316
docs/airgap/symbol-bundles.md Normal file
View File

@@ -0,0 +1,316 @@
# Symbol Bundles for Air-Gapped Installations
**Reference:** SYMS-BUNDLE-401-014
This document describes how to create, verify, and deploy deterministic symbol bundles for air-gapped StellaOps installations.
## Overview
Symbol bundles package debug symbols (PDBs, DWARF, etc.) into a single archive with:
- **Deterministic ordering** for reproducible builds
- **BLAKE3 hashes** for content verification
- **DSSE signatures** for authenticity
- **Rekor checkpoints** for transparency log integration
- **Merkle inclusion proofs** for offline verification
## Bundle Structure
```
bundle-name-1.0.0.symbols.zip
├── manifest.json # Bundle manifest with all metadata
├── symbols/
│ ├── {debug-id-1}/
│ │ ├── myapp.exe.symbols # Symbol blob
│ │ └── myapp.exe.symbols.json # Symbol manifest
│ ├── {debug-id-2}/
│ │ ├── libcrypto.so.symbols
│ │ └── libcrypto.so.symbols.json
│ └── ...
```
## Creating a Bundle
### Prerequisites
1. Collect symbol manifests from CI builds or ingest tools
2. Ensure all manifests follow the `*.symbols.json` naming convention
3. Have signing keys available (if signing is required)
### Build Command
```bash
# Basic bundle creation
stella symbols bundle \
--name "product-symbols" \
--version "1.0.0" \
--source ./symbols-dir \
--output ./bundles
# With signing and Rekor submission
stella symbols bundle \
--name "product-symbols" \
--version "1.0.0" \
--source ./symbols-dir \
--output ./bundles \
--sign \
--key ./signing-key.pem \
--key-id "release-key-2025" \
--rekor \
--rekor-url https://rekor.sigstore.dev
# Filter by platform
stella symbols bundle \
--name "linux-symbols" \
--version "1.0.0" \
--source ./symbols-dir \
--output ./bundles \
--platform linux-x64
```
### Bundle Options
| Option | Description |
|--------|-------------|
| `--name` | Bundle name (required) |
| `--version` | Bundle version in SemVer format (required) |
| `--source` | Source directory containing symbol manifests (required) |
| `--output` | Output directory for bundle archive (required) |
| `--platform` | Filter symbols by platform (e.g., linux-x64, win-x64) |
| `--tenant` | Filter symbols by tenant ID |
| `--sign` | Sign bundle with DSSE |
| `--key` | Path to signing key (PEM-encoded private key) |
| `--key-id` | Key ID for DSSE signature |
| `--algorithm` | Signing algorithm (ecdsa-p256, ed25519, rsa-pss-sha256) |
| `--rekor` | Submit to Rekor transparency log |
| `--rekor-url` | Rekor server URL |
| `--format` | Archive format: zip (default) or tar.gz |
| `--compression` | Compression level (0-9, default: 6) |
## Verifying a Bundle
### Online Verification
```bash
stella symbols verify --bundle ./product-symbols-1.0.0.symbols.zip
```
### Offline Verification
For air-gapped environments, include the Rekor public key:
```bash
stella symbols verify \
--bundle ./product-symbols-1.0.0.symbols.zip \
--public-key ./signing-public-key.pem \
--rekor-offline \
--rekor-key ./rekor-public-key.pem
```
### Verification Output
```
Bundle verification successful!
Bundle ID: a1b2c3d4e5f6g7h8
Name: product-symbols-1.0.0.symbols
Version: 1.0.0
Signature: valid (ecdsa-p256)
Hash verification: 42/42 valid
```
## Extracting Symbols
### Full Extraction
```bash
stella symbols extract \
--bundle ./product-symbols-1.0.0.symbols.zip \
--output ./extracted-symbols
```
### Platform-Filtered Extraction
```bash
stella symbols extract \
--bundle ./product-symbols-1.0.0.symbols.zip \
--output ./linux-symbols \
--platform linux-x64
```
### Manifests Only
```bash
stella symbols extract \
--bundle ./product-symbols-1.0.0.symbols.zip \
--output ./manifests-only \
--manifests-only
```
## Inspecting Bundles
```bash
# Basic info
stella symbols inspect --bundle ./product-symbols-1.0.0.symbols.zip
# With entry listing
stella symbols inspect --bundle ./product-symbols-1.0.0.symbols.zip --entries
```
## Bundle Manifest Schema
The bundle manifest (`manifest.json`) follows this schema:
```json
{
"schemaVersion": "stellaops.symbols.bundle/v1",
"bundleId": "blake3-hash-of-content",
"name": "product-symbols",
"version": "1.0.0",
"createdAt": "2025-12-14T10:30:00Z",
"platform": null,
"tenantId": null,
"entries": [
{
"debugId": "abc123def456",
"codeId": "...",
"binaryName": "myapp.exe",
"platform": "win-x64",
"format": "pe",
"manifestHash": "blake3...",
"blobHash": "blake3...",
"blobSizeBytes": 102400,
"archivePath": "symbols/abc123def456/myapp.exe.symbols",
"symbolCount": 5000
}
],
"totalSizeBytes": 10485760,
"signature": {
"signed": true,
"algorithm": "ecdsa-p256",
"keyId": "release-key-2025",
"dsseDigest": "sha256:...",
"signedAt": "2025-12-14T10:30:00Z",
"publicKey": "-----BEGIN PUBLIC KEY-----..."
},
"rekorCheckpoint": {
"rekorUrl": "https://rekor.sigstore.dev",
"logEntryId": "...",
"logIndex": 12345678,
"integratedTime": "2025-12-14T10:30:01Z",
"rootHash": "sha256:...",
"treeSize": 987654321,
"inclusionProof": {
"logIndex": 12345678,
"rootHash": "sha256:...",
"treeSize": 987654321,
"hashes": ["sha256:...", "sha256:..."]
},
"logPublicKey": "-----BEGIN PUBLIC KEY-----..."
},
"hashAlgorithm": "blake3"
}
```
## Air-Gap Deployment Workflow
### 1. Create Bundle (Online Environment)
```bash
# On the online build server
stella symbols bundle \
--name "release-v2.0.0-symbols" \
--version "2.0.0" \
--source /build/symbols \
--output /export \
--sign --key /keys/release.pem \
--rekor
```
### 2. Transfer to Air-Gapped Environment
Copy the following files to the air-gapped environment:
- `release-v2.0.0-symbols-2.0.0.symbols.zip`
- `release-v2.0.0-symbols-2.0.0.manifest.json`
- `signing-public-key.pem` (if not already present)
- `rekor-public-key.pem` (for Rekor offline verification)
### 3. Verify (Air-Gapped Environment)
```bash
# On the air-gapped server
stella symbols verify \
--bundle ./release-v2.0.0-symbols-2.0.0.symbols.zip \
--public-key ./signing-public-key.pem \
--rekor-offline \
--rekor-key ./rekor-public-key.pem
```
### 4. Extract and Deploy
```bash
# Extract to symbols server directory
stella symbols extract \
--bundle ./release-v2.0.0-symbols-2.0.0.symbols.zip \
--output /var/stellaops/symbols \
--verify
```
## Determinism Guarantees
Symbol bundles are deterministic:
1. **Entry ordering**: Entries sorted by debug ID, then binary name (lexicographic)
2. **Hash algorithm**: BLAKE3 for all content hashes
3. **Timestamps**: UTC ISO-8601 format
4. **JSON serialization**: Canonical form (no whitespace, sorted keys)
5. **Archive entries**: Sorted by path within archive
This ensures that given the same input manifests, the same bundle (excluding signatures) is produced.
## CI Integration
### GitHub Actions Example
```yaml
- name: Build symbol bundle
run: |
stella symbols bundle \
--name "${{ github.repository }}-symbols" \
--version "${{ github.ref_name }}" \
--source ./build/symbols \
--output ./dist \
--sign --key ${{ secrets.SIGNING_KEY }} \
--rekor
- name: Upload bundle artifact
uses: actions/upload-artifact@v4
with:
name: symbol-bundle
path: ./dist/*.symbols.zip
```
## Troubleshooting
### "No symbol manifests found"
Ensure manifests follow the `*.symbols.json` naming convention and are not DSSE envelopes (`*.dsse.json`).
### "Signature verification failed"
Check that:
1. The public key matches the signing key
2. The bundle has not been modified after signing
3. The key ID matches what was used during signing
### "Rekor inclusion proof invalid"
For offline verification:
1. Ensure the Rekor public key is current
2. The checkpoint was created when the log was online
3. The tree size hasn't changed since the checkpoint
## Related Documentation
- [Offline Kit Guide](../24_OFFLINE_KIT.md)
- [Symbol Server Architecture](../modules/scanner/architecture.md)
- [DSSE Signing Guide](../modules/signer/architecture.md)
- [Rekor Integration](../modules/attestor/architecture.md)

45
docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md
View File

@@ -46,21 +46,21 @@
| 10 | SIGNALS-SCORING-401-003 | DONE (2025-12-12) | Unblocked by synthetic runtime feeds; proceed with scoring using hashed fixtures from Sprint 0512 until live feeds land. | Signals Guild (`src/Signals/StellaOps.Signals`) | Extend ReachabilityScoringService with deterministic scoring, persist labels, expose `/graphs/{scanId}` CAS lookups. |
| 11 | REPLAY-401-004 | DONE (2025-12-12) | CAS registration policy adopted (BLAKE3 per CONTRACT-RICHGRAPH-V1-015); proceed with manifest v2 + deterministic tests. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`) | Bump replay manifest to v2, enforce CAS registration + hash sorting in ReachabilityReplayWriter, add deterministic tests. |
| 12 | AUTH-REACH-401-005 | DONE (2025-11-27) | Predicate types exist; DSSE signer service added. | Authority & Signer Guilds (`src/Authority/StellaOps.Authority`, `src/Signer/StellaOps.Signer`) | Introduce DSSE predicate types for SBOM/Graph/VEX/Replay, plumb signing, mirror statements to Rekor (incl. PQ variants). |
| 13 | POLICY-VEX-401-006 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 8/10. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | Consume reachability facts, bucket scores, emit OpenVEX with call-path proofs, update SPL schema with reachability predicates and suppression gates. |
| 14 | POLICY-VEX-401-010 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 13. | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Implement VexDecisionEmitter to serialize per-finding OpenVEX, attach evidence hashes, request DSSE signatures, capture Rekor metadata. |
| 15 | UI-CLI-401-007 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 1/13/14. | UI & CLI Guilds (`src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`) | Implement CLI `stella graph explain` and UI explain drawer with signed call-path, predicates, runtime hits, DSSE pointers, counterfactual controls. |
| 16 | QA-DOCS-401-008 | BLOCKED (2025-12-12) | Needs reachbench fixtures (QA-CORPUS-401-031) and docs readiness. | QA & Docs Guilds (`docs`, `tests/README.md`) | Wire reachbench fixtures into CI, document CAS layouts + replay steps, publish operator runbook for runtime ingestion. |
| 17 | GAP-SIG-003 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 8. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/reachability/function-level-evidence.md`) | Finish `/signals/runtime-facts` ingestion, add CAS-backed runtime storage, extend scoring to lattice states, emit update events, document retention/RBAC. |
| 13 | POLICY-VEX-401-006 | DONE (2025-12-13) | Complete: Implemented VexDecisionEmitter with VexDecisionModels.cs (OpenVEX document/statement/evidence models), VexDecisionEmitter.cs (fact-to-VEX status mapping, lattice state bucketing, gate evaluation), PolicyEngineTelemetry.cs (VEX decision metrics), DI registration, and 10 passing tests. Files: `src/Policy/StellaOps.Policy.Engine/Vex/VexDecisionModels.cs`, `VexDecisionEmitter.cs`, `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Vex/VexDecisionEmitterTests.cs`. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | Consume reachability facts, bucket scores, emit OpenVEX with call-path proofs, update SPL schema with reachability predicates and suppression gates. |
| 14 | POLICY-VEX-401-010 | DONE (2025-12-13) | Complete: Implemented VexDecisionSigningService with DSSE envelope creation, Rekor submission, evidence hash attachment. Created `IVexDecisionSigningService` interface with Sign/Verify methods, `VexDsseEnvelope`/`VexDsseSignature` records, `VexRekorMetadata`/`VexRekorInclusionProof` records, `IVexSignerClient`/`IVexRekorClient` client interfaces, `VexSigningOptions` configuration, local signing fallback (PAE/SHA256), telemetry via `RecordVexSigning`, DI registration (`AddVexDecisionSigning`), and 16 passing tests. Files: `src/Policy/StellaOps.Policy.Engine/Vex/VexDecisionSigningService.cs`, `src/Policy/StellaOps.Policy.Engine/DependencyInjection/PolicyEngineServiceCollectionExtensions.cs`, `src/Policy/StellaOps.Policy.Engine/Telemetry/PolicyEngineTelemetry.cs`, `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Vex/VexDecisionSigningServiceTests.cs`. | Policy Guild (`src/Policy/StellaOps.Policy.Engine/Vex`, `docs/modules/policy/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Implement VexDecisionEmitter to serialize per-finding OpenVEX, attach evidence hashes, request DSSE signatures, capture Rekor metadata. |
| 15 | UI-CLI-401-007 | DONE (2025-12-14) | Complete: Implemented `stella graph explain` CLI command with full evidence chain support. Added `GraphExplainRequest`/`GraphExplainResult` models with `SignedCallPath`, `RuntimeHit`, `ReachabilityPredicate`, `DssePointer`, `CounterfactualControl`, `GraphVexDecision` types. Command options: `--graph-id`, `--vuln-id`, `--purl`, `--call-paths`, `--runtime-hits`, `--predicates`, `--dsse`, `--counterfactuals`, `--full-evidence`, `--json`. Handler renders signed call paths with DSSE/Rekor pointers, runtime hits table, predicates list, DSSE envelope pointers table, counterfactual controls with risk reduction. Files: `src/Cli/StellaOps.Cli/Services/Models/ReachabilityModels.cs`, `Services/IBackendOperationsClient.cs`, `Services/BackendOperationsClient.cs`, `Commands/CommandFactory.cs`, `Commands/CommandHandlers.cs`. | UI & CLI Guilds (`src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`) | Implement CLI `stella graph explain` and UI explain drawer with signed call-path, predicates, runtime hits, DSSE pointers, counterfactual controls. |
| 16 | QA-DOCS-401-008 | DONE (2025-12-14) | Complete: Created comprehensive `tests/README.md` with reachability corpus structure, ground-truth schema (`reachbench.reachgraph.truth/v1`), CI integration documentation, CAS layout reference (BLAKE3 paths for graphs/runtime-facts/replay/evidence/DSSE/symbols), replay manifest v2 schema, replay workflow steps (export/validate/fetch/import/run), validation error codes, benchmark automation guide. CI workflow `.gitea/workflows/reachability-corpus-ci.yml` validates corpus integrity on push/PR. Runtime ingestion runbook already at `docs/runbooks/reachability-runtime.md`. | QA & Docs Guilds (`docs`, `tests/README.md`) | Wire reachbench fixtures into CI, document CAS layouts + replay steps, publish operator runbook for runtime ingestion. |
| 17 | GAP-SIG-003 | DONE (2025-12-13) | Complete: Implemented CAS-backed runtime-facts batch ingestion. Created `IRuntimeFactsArtifactStore.cs` interface with `FileSystemRuntimeFactsArtifactStore.cs` implementation storing artifacts at `cas://reachability/runtime-facts/{hash}`. Extended `RuntimeFactsIngestionService` with `IngestBatchAsync` method supporting NDJSON/gzip streams, BLAKE3 hashing, CAS storage, subject grouping, and CAS URI linking to `ReachabilityFactDocument`. Added `RuntimeFactsBatchIngestResponse` record. Updated `ReachabilityFactDocument` with `RuntimeFactsBatchUri` and `RuntimeFactsBatchHash` fields. Added 6 passing tests in `RuntimeFactsBatchIngestionTests.cs`. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/reachability/function-level-evidence.md`) | Finish `/signals/runtime-facts` ingestion, add CAS-backed runtime storage, extend scoring to lattice states, emit update events, document retention/RBAC. |
| 18 | SIG-STORE-401-016 | DONE (2025-12-13) | Complete: added `IReachabilityStoreRepository` + `InMemoryReachabilityStoreRepository` with store models (`FuncNodeDocument`, `CallEdgeDocument`, `CveFuncHitDocument`) and integrated callgraph ingestion to populate the store; Mongo index script at `ops/mongo/indices/reachability_store_indices.js`; Signals test suites passing. | Signals Guild - BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | Introduce shared reachability store collections/indexes and repository APIs for canonical function data. |
| 19 | GAP-REP-004 | DONE (2025-12-13) | Complete: Implemented replay manifest v2 with hash field (algorithm prefix), hashAlg, code_id_coverage, sorted CAS entries. Added ICasValidator interface, ReplayManifestValidator with error codes (REPLAY_MANIFEST_MISSING_VERSION, VERSION_MISMATCH, MISSING_HASH_ALG, UNSORTED_ENTRIES, CAS_NOT_FOUND, HASH_MISMATCH), UpgradeToV2 migration, and 18 deterministic tests per acceptance contract. Files: `ReplayManifest.cs`, `ReachabilityReplayWriter.cs`, `CasValidator.cs`, `ReplayManifestValidator.cs`, `ReplayManifestV2Tests.cs`. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md`) | Enforce BLAKE3 hashing + CAS registration for graphs/traces, upgrade replay manifest v2, add deterministic tests. |
| 20 | GAP-POL-005 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 8/10/17. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`, `docs/reachability/function-level-evidence.md`) | Ingest reachability facts into Policy Engine, expose `reachability.state/confidence`, enforce auto-suppress rules, generate OpenVEX evidence blocks. |
| 21 | GAP-VEX-006 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows task 20. | Policy, Excititor, UI, CLI & Notify Guilds (`docs/modules/excititor/architecture.md`, `src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md`) | Wire VEX emission/explain drawers to show call paths, graph hashes, runtime hits; add CLI flags and Notify templates. |
| 20 | GAP-POL-005 | DONE (2025-12-13) | Complete: Implemented Signals-backed reachability facts integration for Policy Engine. Created `IReachabilityFactsSignalsClient.cs` interface with HTTP client (`ReachabilityFactsSignalsClient.cs`) for `GET /signals/facts/{subjectKey}` and `POST /signals/reachability/recompute` endpoints. Implemented `SignalsBackedReachabilityFactsStore.cs` mapping Signals responses to Policy's ReachabilityFact model with state determination (Reachable/Unreachable/Unknown/UnderInvestigation), confidence aggregation, analysis method detection (Static/Dynamic/Hybrid), and metadata extraction (callgraph_id, scan_id, lattice_states, uncertainty_tier, runtime_hits). Added DI extensions: `AddReachabilityFactsSignalsClient`, `AddSignalsBackedReachabilityFactsStore`, `AddReachabilityFactsSignalsIntegration`. 32 passing tests in `SignalsBackedReachabilityFactsStoreTests.cs` and `ReachabilityFactsSignalsClientTests.cs`. Files: `src/Policy/StellaOps.Policy.Engine/ReachabilityFacts/IReachabilityFactsSignalsClient.cs`, `ReachabilityFactsSignalsClient.cs`, `SignalsBackedReachabilityFactsStore.cs`, `DependencyInjection/PolicyEngineServiceCollectionExtensions.cs`. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`, `docs/reachability/function-level-evidence.md`) | Ingest reachability facts into Policy Engine, expose `reachability.state/confidence`, enforce auto-suppress rules, generate OpenVEX evidence blocks. |
| 21 | GAP-VEX-006 | DONE (2025-12-14) | Complete: Enhanced `stella vex consensus show` with evidence display options (`--call-paths`, `--graph-hash`, `--runtime-hits`, `--full-evidence`). Added `VexReachabilityEvidence`, `VexCallPath`, `VexRuntimeHit` models to `VexModels.cs`. Updated `RenderVexConsensusDetail` to display call graph info, call paths with DSSE/Rekor pointers, and runtime hits table. Created `etc/notify-templates/vex-decision.yaml.sample` with Email/Slack/Teams/Webhook templates showing reachability evidence (state, confidence, call paths, runtime hits, DSSE, Rekor). Build passes. Files: `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs`, `Commands/CommandHandlers.cs`, `Services/Models/VexModels.cs`, `etc/notify-templates/vex-decision.yaml.sample`. | Policy, Excititor, UI, CLI & Notify Guilds (`docs/modules/excititor/architecture.md`, `src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md`) | Wire VEX emission/explain drawers to show call paths, graph hashes, runtime hits; add CLI flags and Notify templates. |
| 22 | GAP-DOC-008 | DONE (2025-12-13) | Complete: Updated `docs/reachability/function-level-evidence.md` with comprehensive cross-module evidence chain guide (schema, API, CLI, OpenVEX integration, replay manifest v2). Added Signals callgraph/runtime-facts API schema + `stella graph explain/export/verify` CLI commands to `docs/09_API_CLI_REFERENCE.md`. Expanded `docs/api/policy.md` section 6.0 with lattice states, evidence block schema, and Rego policy examples. Created OpenVEX + replay samples under `samples/reachability/` (richgraph-v1-sample.json, openvex-affected/not-affected samples, replay-manifest-v2-sample.json, runtime-facts-sample.ndjson). | Docs Guild (`docs/reachability/function-level-evidence.md`, `docs/09_API_CLI_REFERENCE.md`, `docs/api/policy.md`) | Publish cross-module function-level evidence guide, update API/CLI references with `code_id`, add OpenVEX/replay samples. |
| 23 | CLI-VEX-401-011 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 13/14. | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Add `stella decision export|verify|compare`, integrate with Policy/Signer APIs, ship local verifier wrappers for bench artifacts. |
| 23 | CLI-VEX-401-011 | DONE (2025-12-13) | Complete: Implemented `stella decision export|verify|compare` commands with DSSE/Rekor integration. Added `BuildDecisionCommand` to CommandFactory.cs with export (tenant, scan-id, vuln-id, purl, status filters, format options openvex/dsse/ndjson, --sign, --rekor, --include-evidence), verify (DSSE envelope validation, digest check, Rekor inclusion proof, public key offline verification), and compare (text/json/markdown diff output, added/removed/changed/unchanged statement tracking). Added `HandleDecisionExportAsync`, `HandleDecisionVerifyAsync`, `HandleDecisionCompareAsync` handlers to CommandHandlers.cs with full telemetry. Created `DecisionModels.cs` with DecisionExportRequest/Response. Added `ExportDecisionsAsync` to BackendOperationsClient. Added CLI metrics counters: `stellaops.cli.decision.{export,verify,compare}.count`. Files: `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs`, `CommandHandlers.cs`, `Services/Models/DecisionModels.cs`, `Services/BackendOperationsClient.cs`, `Telemetry/CliMetrics.cs`. | CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`, `docs/benchmarks/vex-evidence-playbook.md`) | Add `stella decision export|verify|compare`, integrate with Policy/Signer APIs, ship local verifier wrappers for bench artifacts. |
| 24 | SIGN-VEX-401-018 | DONE (2025-11-26) | Predicate types added with tests. | Signing Guild (`src/Signer/StellaOps.Signer`, `docs/modules/signer/architecture.md`) | Extend Signer predicate catalog with `stella.ops/vexDecision@v1`, enforce payload policy, plumb DSSE/Rekor integration. |
| 25 | BENCH-AUTO-401-019 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 55/58. | Benchmarks Guild (`docs/benchmarks/vex-evidence-playbook.md`, `scripts/bench/**`) | Automate population of `bench/findings/**`, run baseline scanners, compute FP/MTTD/repro metrics, update `results/summary.csv`. |
| 25 | BENCH-AUTO-401-019 | DONE (2025-12-14) | Complete: Created benchmark automation pipeline. Scripts: `scripts/bench/populate-findings.py` (generates per-CVE bundles from reachbench fixtures), `scripts/bench/compute-metrics.py` (computes FP/MTTD/repro metrics), `scripts/bench/run-baseline.sh` (orchestrator). Tools: `bench/tools/verify.sh` (online DSSE+Rekor), `bench/tools/verify.py` (offline verifier), `bench/tools/compare.py` (baseline comparison), `bench/tools/replay.sh` (replay manifests). Initial run: 10 findings from 5 cases, 100% accuracy (5 TP, 5 TN, 0 FP, 0 FN). Output: `bench/results/summary.csv`, `bench/results/metrics.json`. | Benchmarks Guild (`docs/benchmarks/vex-evidence-playbook.md`, `scripts/bench/**`) | Automate population of `bench/findings/**`, run baseline scanners, compute FP/MTTD/repro metrics, update `results/summary.csv`. |
| 26 | DOCS-VEX-401-012 | DONE (2025-12-13) | Complete: Updated `bench/README.md` with verification workflows (online/offline/graph), related documentation links, artifact contracts, CI integration, and contributing guidelines. VEX Evidence Playbook already frozen (2025-12-04). | Docs Guild (`docs/benchmarks/vex-evidence-playbook.md`, `bench/README.md`) | Maintain VEX Evidence Playbook, publish repo templates/README, document verification workflows. |
| 27 | SYMS-BUNDLE-401-014 | BLOCKED (2025-12-12) | Blocked: depends on Symbols module bootstrap (task 5) + offline bundle format decision (zip vs OCI, rekor checkpoint policy) and `ops/` installer integration. | Symbols Guild - Ops Guild (`src/Symbols/StellaOps.Symbols.Bundle`, `ops`) | Produce deterministic symbol bundles for air-gapped installs with DSSE manifests/Rekor checkpoints; document offline workflows. |
| 27 | SYMS-BUNDLE-401-014 | DONE (2025-12-14) | Complete: Created `StellaOps.Symbols.Bundle` project with BundleManifest models (DSSE signatures, Rekor checkpoints, Merkle inclusion proofs), IBundleBuilder interface, BundleBuilder implementation. Added CLI commands (`stella symbols bundle/verify/extract/inspect`) with full handler implementations. Created offline workflow documentation at `docs/airgap/symbol-bundles.md`. Bundle format: deterministic ZIP with BLAKE3 hashes, sorted entries. | Symbols Guild - Ops Guild (`src/Symbols/StellaOps.Symbols.Bundle`, `ops`) | Produce deterministic symbol bundles for air-gapped installs with DSSE manifests/Rekor checkpoints; document offline workflows. |
| 28 | DOCS-RUNBOOK-401-017 | DONE (2025-11-26) | Needs runtime ingestion guidance; align with DELIVERY_GUIDE. | Docs Guild - Ops Guild (`docs/runbooks/reachability-runtime.md`, `docs/reachability/DELIVERY_GUIDE.md`) | Publish reachability runtime ingestion runbook, link from delivery guides, keep Ops/Signals troubleshooting current. |
| 29 | POLICY-LIB-401-001 | DONE (2025-11-27) | Extract DSL parser; align with Policy Engine tasks. | Policy Guild (`src/Policy/StellaOps.PolicyDsl`, `docs/policy/dsl.md`) | Extract policy DSL parser/compiler into `StellaOps.PolicyDsl`, add lightweight syntax, expose `PolicyEngineFactory`/`SignalContext`. |
| 30 | POLICY-LIB-401-002 | DONE (2025-11-27) | Follows 29; add harness and CLI wiring. | Policy Guild - CLI Guild (`tests/Policy/StellaOps.PolicyDsl.Tests`, `policy/default.dsl`, `docs/policy/lifecycle.md`) | Ship unit-test harness + sample DSL, wire `stella policy lint/simulate` to shared library. |
@@ -79,8 +79,8 @@
| 43 | PROV-BACKFILL-INPUTS-401-029A | DONE | Inventory/map drafted 2025-11-18. | Evidence Locker Guild - Platform Guild (`docs/provenance/inline-dsse.md`) | Attestation inventory and subject->Rekor map drafted. |
| 44 | PROV-BACKFILL-401-029 | DONE (2025-11-27) | Use inventory+map; depends on 42/43 readiness. | Platform Guild (`docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh`) | Resolve historical events and backfill provenance. |
| 45 | PROV-INDEX-401-030 | DONE (2025-11-27) | Blocked until 44 defines data model. | Platform Guild - Ops Guild (`docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js`) | Deploy provenance indexes and expose compliance/replay queries. |
| 46 | QA-CORPUS-401-031 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 55/58. | QA Guild - Scanner Guild (`tests/reachability`, `docs/reachability/DELIVERY_GUIDE.md`) | Build/publish multi-runtime reachability corpus with ground truths and traces; wire fixtures into CI. |
| 47 | UI-VEX-401-032 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 13-15, 21. | UI Guild - CLI Guild - Scanner Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) | Add UI/CLI "Explain/Verify" surfaces on VEX decisions with call paths, runtime hits, attestation verify button. |
| 46 | QA-CORPUS-401-031 | DONE (2025-12-13) | Complete: Created reachability corpus CI workflow `.gitea/workflows/reachability-corpus-ci.yml` with 3 jobs (validate-corpus, validate-ground-truths, determinism-check), runner scripts (`scripts/reachability/run_all.sh`, `run_all.ps1`), hash verification script (`scripts/reachability/verify_corpus_hashes.sh`). CI validates: corpus manifest hashes, reachbench INDEX integrity, ground-truth schema version, JSON determinism. Fixture tests passing (3 CorpusFixtureTests + 93 ReachbenchFixtureTests = 96 total). | QA Guild - Scanner Guild (`tests/reachability`, `docs/reachability/DELIVERY_GUIDE.md`) | Build/publish multi-runtime reachability corpus with ground truths and traces; wire fixtures into CI. |
| 47 | UI-VEX-401-032 | DONE (2025-12-14) | Complete: Angular workspace bootstrapped with module structure per architecture doc. VexExplainComponent created at `src/UI/StellaOps.UI/src/app/vex/vex-explain/vex-explain.component.ts` with call-path display, runtime hits, attestation verify button, Rekor/DSSE pointers. VEX Explorer at `src/UI/StellaOps.UI/src/app/vex/vex-explorer/vex-explorer.component.ts`. Core API models at `src/app/core/api/models.ts`. CLI `stella vex explain` already implemented. Build verified: `npm run build` passes. | UI Guild - CLI Guild - Scanner Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) | Add UI/CLI "Explain/Verify" surfaces on VEX decisions with call paths, runtime hits, attestation verify button. CLI: `stella vex explain <vuln-id> --product-key <key>` with `--call-paths`, `--runtime-hits`, `--graph`, `--dsse`, `--rekor`, `--verify`, `--offline`, `--json` options. Models at `VexExplainModels.cs`. |
| 48 | POLICY-GATE-401-033 | DONE (2025-12-13) | Implemented PolicyGateEvaluator with three gate types (LatticeState, UncertaintyTier, EvidenceCompleteness). See `src/Policy/StellaOps.Policy.Engine/Gates/`. Includes gate decision documents, configuration options, and override mechanism. | Policy Guild - Scanner Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/policy/dsl.md`, `docs/modules/scanner/architecture.md`) | Enforce policy gate requiring reachability evidence for `not_affected`/`unreachable`; fallback to under review on low confidence; update docs/tests. |
| 49 | GRAPH-PURL-401-034 | DONE (2025-12-11) | purl+symbol_digest in RichGraph nodes/edges (via Sprint 0400 GRAPH-PURL-201-009 + RichGraphBuilder). | Scanner Worker Guild - Signals Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Signals/StellaOps.Signals`, `docs/reachability/purl-resolved-edges.md`) | Annotate call edges with callee purl + `symbol_digest`, update schema/CAS, surface in CLI/UI. |
| 50 | SCANNER-BUILDID-401-035 | DONE (2025-12-13) | Complete: Added build-ID prefix formatting per CONTRACT-BUILDID-PROPAGATION-401. ELF build-IDs now use `gnu-build-id:{hex}` prefix in `ElfReader.ExtractBuildId` and `NativeFormatDetector.ParseElfNote`. Mach-O UUIDs use `macho-uuid:{hex}` prefix in `NativeFormatDetector.DetectFormatAsync`. PE/COFF uses existing `pe-guid:{guid}` format. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) | Capture `.note.gnu.build-id` for ELF targets, thread into `SymbolID`/`code_id`, SBOM exports, runtime facts; add fixtures. |
@@ -88,8 +88,8 @@
| 52 | QA-PORACLE-401-037 | DONE (2025-12-13) | Complete: Added JSON-based patch-oracle harness with `patch-oracle/v1` schema (JSON Schema at `tests/reachability/fixtures/patch-oracles/schema/`), sample oracles for curl/log4j/kestrel CVEs, `PatchOracleComparer` class comparing RichGraph against oracle expectations (expected/forbidden functions/edges, confidence thresholds, wildcard patterns, strict mode), `PatchOracleLoader` for loading oracles from fixtures, and `PatchOracleHarnessTests` with 19 passing tests. Updated `docs/reachability/patch-oracles.md` with combined JSON and YAML harness documentation. | QA Guild - Scanner Worker Guild (`tests/reachability`, `docs/reachability/patch-oracles.md`) | Add patch-oracle fixtures and harness comparing graphs vs oracle, fail CI when expected functions/edges missing. |
| 53 | GRAPH-HYBRID-401-053 | DONE (2025-12-13) | Complete: richgraph publisher now stores the canonical `richgraph-v1.json` body at `cas://reachability/graphs/{blake3Hex}` and emits deterministic DSSE envelopes at `cas://reachability/graphs/{blake3Hex}.dsse` (with `DsseCasUri`/`DsseDigest` returned in `RichGraphPublishResult`); added unit coverage validating DSSE payload and signature (`src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/RichGraphPublisherTests.cs`). | Scanner Worker Guild - Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`, `docs/reachability/hybrid-attestation.md`) | Implement mandatory graph-level DSSE for `richgraph-v1` with deterministic ordering -> BLAKE3 graph hash -> DSSE envelope -> Rekor submit; expose CAS paths `cas://reachability/graphs/{hash}` and `.../{hash}.dsse`; add golden verification fixture. |
| 54 | EDGE-BUNDLE-401-054 | DONE (2025-12-13) | Complete: Implemented edge-bundle DSSE envelopes with `EdgeBundle.cs` and `EdgeBundlePublisher.cs` at `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/`. Features: `EdgeBundleReason` enum (RuntimeHits/InitArray/StaticInit/ThirdParty/Contested/Revoked/Custom), `EdgeReason` enum (RuntimeHit/InitArray/TlsInit/StaticConstructor/ModuleInit/ThirdPartyCall/LowConfidence/Revoked/TargetRemoved), `BundledEdge` with per-edge reason/revoked flag, `EdgeBundleBuilder` (max 512 edges), `EdgeBundleExtractor` for runtime/init/third-party/contested/revoked extraction, `EdgeBundlePublisher` with deterministic DSSE envelope generation, `EdgeBundlePublisherOptions` for Rekor cap (default 5). CAS paths: `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. 19 tests passing in `EdgeBundleTests.cs`. | Scanner Worker Guild - Attestor Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Attestor/StellaOps.Attestor`) | Emit optional edge-bundle DSSE envelopes (<=512 edges) for runtime hits, init-array/TLS roots, contested/third-party edges; include `bundle_reason`, per-edge `reason`, `revoked` flag; canonical sort before hashing; Rekor publish capped/configurable; CAS path `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. |
| 55 | SIG-POL-HYBRID-401-055 | TODO | Unblocked: Task 54 (edge-bundle DSSE) complete (2025-12-13). Ready to implement edge-bundle ingestion in Signals/Policy. | Signals Guild - Policy Guild (`src/Signals/StellaOps.Signals`, `src/Policy/StellaOps.Policy.Engine`, `docs/reachability/evidence-schema.md`) | Ingest edge-bundle DSSEs, attach to `graph_hash`, enforce quarantine (`revoked=true`) before scoring, surface presence in APIs/CLI/UI explainers, and add regression tests for graph-only vs graph+bundle paths. |
| 56 | DOCS-HYBRID-401-056 | BLOCKED (2025-12-12) | Unblocked by CONTRACT-RICHGRAPH-V1-015; follows tasks 53-55. | Docs Guild (`docs/reachability/hybrid-attestation.md`, `docs/modules/scanner/architecture.md`, `docs/modules/policy/architecture.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`) | Finalize hybrid attestation documentation and release notes; publish verification runbook (graph-only vs graph+edge-bundle), Rekor guidance, and offline replay steps; link from sprint Decisions & Risks. |
| 55 | SIG-POL-HYBRID-401-055 | DONE (2025-12-13) | Complete: Implemented edge-bundle ingestion in Signals with `EdgeBundleDocument.cs` models (EdgeBundleDocument, EdgeBundleEdgeDocument, EdgeBundleReference), `IEdgeBundleIngestionService.cs` interface, and `EdgeBundleIngestionService.cs` implementation with tenant isolation, revoked edge tracking, and quarantine enforcement. Updated `ReachabilityFactDocument.cs` with EdgeBundles and HasQuarantinedEdges fields. Added 8 passing tests in `EdgeBundleIngestionServiceTests.cs`. CAS paths: `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. | Signals Guild - Policy Guild (`src/Signals/StellaOps.Signals`, `src/Policy/StellaOps.Policy.Engine`, `docs/reachability/evidence-schema.md`) | Ingest edge-bundle DSSEs, attach to `graph_hash`, enforce quarantine (`revoked=true`) before scoring, surface presence in APIs/CLI/UI explainers, and add regression tests for graph-only vs graph+bundle paths. |
| 56 | DOCS-HYBRID-401-056 | DONE (2025-12-13) | Complete: Finalized `docs/reachability/hybrid-attestation.md` with: (1) Updated implementation status table (edge-bundle DSSE, CAS publisher, ingestion, quarantine enforcement all DONE). (2) Section 9: Verification Runbook with graph-only and graph+edge-bundle workflows, verification decision matrix. (3) Section 10: Rekor Guidance covering what gets published, configuration, private mirrors, proof caching. (4) Section 11: Offline Replay Steps with pack creation, verification, trust model, air-gapped deployment checklist. (5) Section 12: Release Notes with version history and migration guide. (6) Section 13: Cross-references to sprint/contracts/implementation/related docs. Updated `docs/07_HIGH_LEVEL_ARCHITECTURE.md` and module architectures (scanner, policy) with hybrid attestation references. | Docs Guild (`docs/reachability/hybrid-attestation.md`, `docs/modules/scanner/architecture.md`, `docs/modules/policy/architecture.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`) | Finalize hybrid attestation documentation and release notes; publish verification runbook (graph-only vs graph+edge-bundle), Rekor guidance, and offline replay steps; link from sprint Decisions & Risks. |
| 57 | BENCH-DETERMINISM-401-057 | DONE (2025-11-26) | Harness + mock scanner shipped; inputs/manifest at `src/Bench/StellaOps.Bench/Determinism/results`. | Bench Guild - Signals Guild - Policy Guild (`bench/determinism`, `docs/benchmarks/signals/`) | Implemented cross-scanner determinism bench (shuffle/canonical), hashes outputs, summary JSON; CI workflow `.gitea/workflows/bench-determinism.yml` runs `scripts/bench/determinism-run.sh`; manifests generated. |
| 58 | DATASET-REACH-PUB-401-058 | DONE (2025-12-13) | Test corpus created: JSON schemas at `datasets/reachability/schema/`, 4 samples (csharp/simple-reachable, csharp/dead-code, java/vulnerable-log4j, native/stripped-elf) with ground-truth.json files; test harness at `src/Signals/__Tests/StellaOps.Signals.Tests/GroundTruth/` with 28 validation tests covering lattice states, buckets, uncertainty tiers, gate decisions, path consistency. | QA Guild - Scanner Guild (`tests/reachability/samples-public`, `docs/reachability/evidence-schema.md`) | Materialize PHP/JS/C# mini-app samples + ground-truth JSON (from 23-Nov dataset advisory); runners and confusion-matrix metrics; integrate into CI hot/cold paths with deterministic seeds; keep schema compatible with Signals ingest. |
| 59 | NATIVE-CALLGRAPH-INGEST-401-059 | DONE (2025-12-13) | richgraph-v1 alignment tests created at `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/Reachability/RichgraphV1AlignmentTests.cs` with 25 tests validating: SymbolID/EdgeID/RootID/UnknownID formats, SHA-256 digests, deterministic graph hashing, edge type mappings (PLT/InitArray/Indirect), synthetic root phases (load/init/main/fini), stripped binary name format, build-id handling, confidence levels. Fixed pre-existing PeImportParser test bug. | Scanner Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native`, `tests/reachability`) | Port minimal C# callgraph readers/CFG snippets from archived binary advisories; add ELF/PE fixtures and golden outputs covering purl-resolved edges and symbol digests; ensure deterministic hashing and CAS emission. |
@@ -104,7 +104,7 @@
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| 0401 Reachability Evidence Chain | Scanner Guild - Signals Guild - BE-Base Platform Guild - Policy Guild - UI/CLI Guilds - Docs Guild | Sprint 0140 Runtime & Signals; Sprint 0185 Replay Core; Sprint 0186 Scanner Record Mode; Sprint 0187 Evidence Locker & CLI Integration | DOING | Unblocked by CONTRACT-RICHGRAPH-V1-015 (`docs/contracts/richgraph-v1.md`). Schema frozen with BLAKE3 for graphs, SHA256 for symbols. |
| 0401 Reachability Evidence Chain | Scanner Guild - Signals Guild - BE-Base Platform Guild - Policy Guild - UI/CLI Guilds - Docs Guild | Sprint 0140 Runtime & Signals; Sprint 0185 Replay Core; Sprint 0186 Scanner Record Mode; Sprint 0187 Evidence Locker & CLI Integration | DONE | 66/66 tasks complete. Angular workspace bootstrapped (2025-12-14) with VEX Explain/Explorer components. Sprint complete and ready for handoff to 0402 polish. |
## Wave Detail Snapshots
- Single wave covering end-to-end reachability evidence; proceed once Sprint 0400 + upstream runtime/replay prerequisites land.
@@ -130,7 +130,7 @@
| 1 | Capture checkpoint dates after Sprint 0400 closure signal. | Planning | 2025-12-15 | DONE (2025-12-13) | Sprint 0400 archived sprint indicates closed (2025-12-11); checkpoints captured and reflected under Upcoming Checkpoints. |
| 2 | Confirm CAS hash alignment (BLAKE3 + sha256 addressing) across Scanner/Replay/Signals. | Platform Guild | 2025-12-10 | DONE (2025-12-10) | CONTRACT-RICHGRAPH-V1-015 adopted; BLAKE3 graph_hash live in Scanner/Replay per GRAPH-CAS-401-001. |
| 3 | Schedule richgraph-v1 schema/hash alignment and rebaseline sprint dates. | Planning - Platform Guild | 2025-12-15 | DONE (2025-12-12) | Rebaselined checkpoints post 2025-12-10 alignment; updated 2025-12-15/18 readiness reviews (see Execution Log 2025-12-12). |
| 4 | Signals ingestion/probe readiness checkpoint for tasks 8-10, 17-18. | Signals Guild - Planning | 2025-12-18 | TODO | Assess runtime ingestion/probe readiness and flip task statuses to DOING/BLOCKED accordingly. |
| 4 | Signals ingestion/probe readiness checkpoint for tasks 8-10, 17-18. | Signals Guild - Planning | 2025-12-18 | DONE (2025-12-14) | All Signals tasks (8-10, 17-18) completed; runtime ingestion, probes, scoring, and CAS storage operational. Sprint closed. |
## Decisions & Risks
- File renamed to `SPRINT_0401_0001_0001_reachability_evidence_chain.md` and normalized to template on 2025-11-22; scope unchanged.
@@ -153,6 +153,18 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-14 | **SPRINT COMPLETE** - 66/66 tasks DONE. Angular workspace bootstrapped unblocking Task 47 UI portion. Sprint 0401 complete and ready for handoff to Sprint 0402 polish phase. Deliverables: richgraph-v1 schema with BLAKE3 hashes, DSSE/Rekor attestation pipeline, Policy VEX emitter with reachability gates, CLI explain/verify commands, Angular UI with VEX Explain/Explorer components, benchmark automation, symbol bundles for air-gap, and comprehensive documentation across reachability/hybrid-attestation/uncertainty/binary schemas. | Planning |
| 2025-12-14 | Completed UI-VEX-401-032 (UI portion): Bootstrapped Angular 17 workspace at `src/UI/StellaOps.UI` with full module structure per `docs/modules/ui/architecture.md`. Created: (1) `VexExplainComponent` with call-path display, runtime hits table, attestation verify button, Rekor/DSSE pointers at `src/app/vex/vex-explain/vex-explain.component.ts`. (2) `VexExplorerComponent` with search and results table at `src/app/vex/vex-explorer/vex-explorer.component.ts`. (3) Core API models for Scanner/Policy/Excititor/Concelier/Attestor/Authority at `src/app/core/api/models.ts`. (4) Lazy-loaded feature routes: dashboard, scans, vex, triage, policy, runtime, attest, admin. (5) Tailwind CSS configuration with StellaOps design tokens. Build verified with `npm run build`. CLI portion was already complete. Task now fully DONE. | Implementer |
| 2025-12-14 | Completed UI-VEX-401-032 (CLI portion): Implemented `stella vex explain <vuln-id> --product-key <key>` command with options: `--call-paths`, `--runtime-hits`, `--graph`, `--dsse`, `--rekor`, `--verify`, `--offline`, `--json`. Created `VexExplainModels.cs` with VexDecisionExplanation, CallPathEvidence, RuntimeHitEvidence, ReachabilityGraphMetadata, DsseAttestationInfo, RekorEntryInfo models. Handler renders tree-based formatted output with Spectre.Console or JSON serialization. UI portion blocked on Angular workspace. | Implementer |
| 2025-12-14 | Completed SYMS-BUNDLE-401-014: Created `StellaOps.Symbols.Bundle` project with deterministic symbol bundle generation for air-gapped installations. Models: BundleManifest, BundleEntry, BundleSignature, RekorCheckpoint, InclusionProof. IBundleBuilder interface with BundleBuildOptions/BundleVerifyOptions/BundleExtractOptions/BundleBuildResult/BundleVerifyResult/BundleExtractResult records. CLI commands: `stella symbols bundle` (build deterministic ZIP with BLAKE3 hashes, sorted entries, optional DSSE signing and Rekor submission), `stella symbols verify` (integrity + signature + Rekor verification with offline mode), `stella symbols extract` (platform-filtered extraction), `stella symbols inspect` (bundle metadata display). Documentation at `docs/airgap/symbol-bundles.md` with full offline workflow guide. | Implementer |
| 2025-12-14 | Completed BENCH-AUTO-401-019: Created benchmark automation pipeline for populating `bench/findings/**` and computing FP/MTTD/repro metrics. Scripts: (1) `scripts/bench/populate-findings.py` - generates per-CVE VEX decision bundles from reachbench fixtures with evidence excerpts, SBOM stubs, OpenVEX decisions, DSSE envelope stubs, Rekor placeholders, and metadata. (2) `scripts/bench/compute-metrics.py` - computes TP/FP/TN/FN/precision/recall/F1/accuracy from findings. (3) `scripts/bench/run-baseline.sh` - orchestrator with --populate/--compute/--compare options. Tools: (4) `bench/tools/verify.sh` - online DSSE+Rekor verification. (5) `bench/tools/verify.py` - offline bundle verification. (6) `bench/tools/compare.py` - baseline scanner comparison. (7) `bench/tools/replay.sh` - replay manifest verification. Initial run: 10 findings from 5 cases (runc/linux-cgroups/glibc/curl/openssl), 100% accuracy (5 TP, 5 TN, 0 FP, 0 FN). Output: `bench/results/summary.csv`, `bench/results/metrics.json`. | Implementer |
| 2025-12-13 | Completed QA-CORPUS-401-031: Created reachability corpus CI workflow `.gitea/workflows/reachability-corpus-ci.yml` with 3 jobs: (1) validate-corpus - builds and runs CorpusFixtureTests + ReachbenchFixtureTests, verifies manifest/INDEX JSON validity, runs inline Python hash verification. (2) validate-ground-truths - validates schema_version=`reachbench.reachgraph.truth/v1`, variant∈{reachable,unreachable}, paths array structure for both corpus and reachbench fixtures. (3) determinism-check - verifies JSON files have sorted keys for deterministic hashing. Created runner scripts `scripts/reachability/run_all.sh` (bash) and `run_all.ps1` (PowerShell) with --filter, --verbosity, --configuration, --no-build options. Created hash verification script `scripts/reachability/verify_corpus_hashes.sh` using Python for cross-platform JSON parsing. CI triggers on push/PR to `tests/reachability/**`, `scripts/reachability/**`, workflow file. All 96 fixture tests passing (3 CorpusFixtureTests + 93 ReachbenchFixtureTests). Files: `.gitea/workflows/reachability-corpus-ci.yml`, `scripts/reachability/run_all.sh`, `scripts/reachability/run_all.ps1`, `scripts/reachability/verify_corpus_hashes.sh`. | Implementer |
| 2025-12-13 | Completed CLI-VEX-401-011: Implemented `stella decision export|verify|compare` CLI commands with DSSE/Rekor integration. Added `BuildDecisionCommand` to CommandFactory.cs with: (1) export subcommand (--tenant required, --scan-id, --vuln-id, --purl, --status filters, --format openvex/dsse/ndjson, --sign DSSE envelope, --rekor transparency submission, --include-evidence reachability blocks, --json metadata output), (2) verify subcommand (file argument, --digest expected hash, --rekor inclusion proof, --rekor-uuid, --public-key offline verification, --json output), (3) compare subcommand (base/target files, --output file, --format text/json/markdown, --show-unchanged, --summary-only). Added handler methods `HandleDecisionExportAsync`, `HandleDecisionVerifyAsync`, `HandleDecisionCompareAsync` to CommandHandlers.cs with VexStatementSummary extraction, status/justification diff tracking, and multi-format output. Created `DecisionModels.cs` with `DecisionExportRequest` (tenant, scan, filters, format, sign, rekor, evidence) and `DecisionExportResponse` (success, content, digest, rekor index/uuid, statement count). Added `ExportDecisionsAsync` to BackendOperationsClient calling `/api/v1/decisions/export` with response header parsing (X-VEX-Digest, X-VEX-Rekor-Index, X-VEX-Rekor-UUID, X-VEX-Statement-Count, X-VEX-Signed). Added CLI metrics counters `stellaops.cli.decision.{export,verify,compare}.count` with `RecordDecisionExport`, `RecordDecisionVerify`, `RecordDecisionCompare` methods. Files: `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs`, `CommandHandlers.cs`, `Services/Models/DecisionModels.cs`, `Services/BackendOperationsClient.cs`, `Telemetry/CliMetrics.cs`. | Implementer |
| 2025-12-13 | Completed POLICY-VEX-401-010: Implemented VexDecisionSigningService for DSSE envelope creation and Rekor submission. Created `IVexDecisionSigningService` interface with `SignAsync` (DSSE envelope creation with PAE encoding, SHA256 signature, evidence hash attachment) and `VerifyAsync` (payload type/signature validation, Rekor inclusion proof). Added supporting records: `VexSigningRequest`/`VexSigningResult`, `VexDsseEnvelope`/`VexDsseSignature`, `VexRekorMetadata`/`VexRekorInclusionProof`, `VexEvidenceReference`. Created client interfaces `IVexSignerClient`/`IVexRekorClient` for remote signing/transparency. Added `VexSigningOptions` configuration (UseSignerService, RekorEnabled, DefaultKeyId, RekorUrl, RekorTimeout) with `SectionName="VexSigning"`. Implementation supports local signing fallback when Signer service unavailable. Added telemetry counter `policy_vex_signing_total{success,rekor_submitted}` via `RecordVexSigning`. Added DI extensions `AddVexDecisionSigning`/`AddVexDecisionSigning(Action<VexSigningOptions>)`. Created 16 passing tests covering signing with remote/local fallback, Rekor submission, verification, options defaults, and predicate types. Files: `src/Policy/StellaOps.Policy.Engine/Vex/VexDecisionSigningService.cs`, `src/Policy/StellaOps.Policy.Engine/DependencyInjection/PolicyEngineServiceCollectionExtensions.cs`, `src/Policy/StellaOps.Policy.Engine/Telemetry/PolicyEngineTelemetry.cs`, `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Vex/VexDecisionSigningServiceTests.cs`. | Implementer |
| 2025-12-13 | Completed GAP-POL-005: Implemented Signals-backed reachability facts integration for Policy Engine. Created `IReachabilityFactsSignalsClient.cs` interface with HTTP client (`ReachabilityFactsSignalsClient.cs`) calling Signals endpoints (`GET /signals/facts/{subjectKey}`, `POST /signals/reachability/recompute`). Implemented `SignalsBackedReachabilityFactsStore.cs` implementing `IReachabilityFactsStore`, mapping Signals `SignalsReachabilityFactResponse` to Policy's `ReachabilityFact` model with: state determination logic (Reachable/Unreachable/Unknown/UnderInvestigation based on confidence thresholds), confidence aggregation from lattice states, analysis method detection (Static/Dynamic/Hybrid/Manual), and metadata extraction (callgraph_id, scan_id, image_digest, entry_points, uncertainty_tier, risk_score, unknowns_count, unknowns_pressure, call_paths, runtime_hits, lattice_states). Added DI extensions to `PolicyEngineServiceCollectionExtensions.cs`: `AddReachabilityFactsSignalsClient`, `AddSignalsBackedReachabilityFactsStore`, `AddReachabilityFactsSignalsIntegration`. Added Moq package to test project. Created 32 passing tests: `SignalsBackedReachabilityFactsStoreTests.cs` (19 tests for state mapping, metadata extraction, read-only behavior, batch operations) and `ReachabilityFactsSignalsClientTests.cs` (13 tests for HTTP operations, options, batch fetching). Files: `src/Policy/StellaOps.Policy.Engine/ReachabilityFacts/{IReachabilityFactsSignalsClient,ReachabilityFactsSignalsClient,SignalsBackedReachabilityFactsStore}.cs`, `src/Policy/StellaOps.Policy.Engine/DependencyInjection/PolicyEngineServiceCollectionExtensions.cs`, `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/ReachabilityFacts/{SignalsBackedReachabilityFactsStoreTests,ReachabilityFactsSignalsClientTests}.cs`. | Implementer |
| 2025-12-13 | Completed DOCS-HYBRID-401-056: Finalized hybrid attestation documentation at `docs/reachability/hybrid-attestation.md`. Removed TODO comments, updated implementation status table with completed components (edge-bundle DSSE, CAS publisher, ingestion, quarantine enforcement). Added Section 9 (Verification Runbook) with graph-only and graph+edge-bundle workflows, verification decision matrix. Added Section 10 (Rekor Guidance) covering what gets published, configuration, private mirrors, proof caching. Added Section 11 (Offline Replay Steps) with pack creation, verification, trust model, air-gapped deployment checklist. Added Section 12 (Release Notes) with version history and migration guide. Added Section 13 (Cross-References) to sprint/contracts/implementation/related docs. Updated `docs/07_HIGH_LEVEL_ARCHITECTURE.md` (line 23) with hybrid attestation doc reference. Updated `docs/modules/scanner/architecture.md` (section 5.6) and `docs/modules/policy/architecture.md` with cross-references. | Docs Guild |
| 2025-12-13 | Completed GAP-SIG-003: Implemented CAS-backed runtime-facts batch ingestion for `/signals/runtime-facts`. Created `IRuntimeFactsArtifactStore.cs` interface, `FileSystemRuntimeFactsArtifactStore.cs` filesystem implementation with CAS paths `cas://reachability/runtime-facts/{hash}`, `RuntimeFactsArtifactSaveRequest.cs` and `StoredRuntimeFactsArtifact.cs` models. Extended `RuntimeFactsIngestionService.cs` with `IngestBatchAsync` method supporting NDJSON/gzip streams, BLAKE3 hashing via `ICryptoHash`, subject grouping, and CAS URI linking. Updated `ReachabilityFactDocument.cs` with `RuntimeFactsBatchUri` and `RuntimeFactsBatchHash` fields. Added `RuntimeFactsBatchIngestResponse` record in `IRuntimeFactsIngestionService.cs`. Created `RuntimeFactsBatchIngestionTests.cs` with 6 passing tests covering NDJSON parsing, gzip decompression, subject grouping, CAS linking, invalid line handling, and optional artifact store. | Implementer |
| 2025-12-13 | Completed Task 55 (SIG-POL-HYBRID-401-055): Implemented edge-bundle ingestion in Signals with tenant isolation, revoked edge tracking, and quarantine enforcement. Created `EdgeBundleDocument.cs` models (EdgeBundleDocument, EdgeBundleEdgeDocument, EdgeBundleReference), `IEdgeBundleIngestionService.cs` interface, and `EdgeBundleIngestionService.cs` implementation. Updated `ReachabilityFactDocument.cs` with EdgeBundles and HasQuarantinedEdges fields. Added 8 passing tests in `EdgeBundleIngestionServiceTests.cs`. Unblocked Tasks 25, 46, 56. | Implementer |
| 2025-12-13 | Completed Tasks 3 and 54: (1) Task 3 SCAN-REACH-401-009: Implemented Java and .NET callgraph builders with reachability graph models. Created `JavaReachabilityGraph.cs` (JavaMethodNode, JavaCallEdge, JavaSyntheticRoot, JavaUnknown, JavaGraphMetadata, enums for edge types/root types/phases), `JavaCallgraphBuilder.cs` (JAR analysis, bytecode parsing, invoke* detection, synthetic root extraction). Created `DotNetReachabilityGraph.cs` (DotNetMethodNode, DotNetCallEdge, DotNetSyntheticRoot, DotNetUnknown, DotNetGraphMetadata, enums for IL edge types/root types/phases), `DotNetCallgraphBuilder.cs` (PE/metadata reader, IL opcode parsing for call/callvirt/newobj/ldftn, synthetic root detection for Main/cctor/ModuleInitializer/Controllers/Tests/AzureFunctions/Lambda). Both builders emit deterministic graph hashing. (2) Task 54 EDGE-BUNDLE-401-054: Implemented edge-bundle DSSE envelopes at `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/`. Created `EdgeBundle.cs` with EdgeBundleReason/EdgeReason enums, BundledEdge record, EdgeBundle/EdgeBundleBuilder/EdgeBundleExtractor classes (max 512 edges, canonical sorting). Created `EdgeBundlePublisher.cs` with IEdgeBundlePublisher interface, deterministic DSSE envelope generation, EdgeBundlePublisherOptions (Rekor cap=5). CAS paths: `cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse]`. Added `EdgeBundleTests.cs` with 19 tests. Unblocked Task 55 (SIG-POL-HYBRID-401-055). | Implementer |
| 2025-12-13 | Completed Tasks 4, 8, 50, 51: (1) Task 4 SCANNER-NATIVE-401-015: Created demangler infrastructure with `ISymbolDemangler`, `CompositeDemangler`, `ItaniumAbiDemangler`, `RustDemangler`, and `HeuristicDemangler` at `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Native/Internal/Demangle/`. (2) Task 8 SIGNALS-RUNTIME-401-002: Added `SignalsRetentionOptions`, extended `IReachabilityFactRepository` with retention methods, implemented `RuntimeFactsRetentionService` background cleanup, updated `ReachabilityFactCacheDecorator`. (3) Task 50 SCANNER-BUILDID-401-035: Added build-ID prefixes (`gnu-build-id:`, `macho-uuid:`) per CONTRACT-BUILDID-PROPAGATION-401 in `ElfReader.ExtractBuildId` and `NativeFormatDetector`. (4) Task 51 SCANNER-INITROOT-401-036: Added `NativeRootPhase` enum, extended `NativeSyntheticRoot`, updated `ComputeRootId` format per CONTRACT-INIT-ROOTS-401. Unblocked Task 3 (SCAN-REACH-401-009) and Task 54 (EDGE-BUNDLE-401-054). Tests: Signals 164/164 pass, Scanner Native 221/224 pass (3 pre-existing failures). | Implementer |
| 2025-12-13 | **Unblocked 4 tasks via contract/decision definitions:** (1) Task 4 SCANNER-NATIVE-401-015 → TODO: Created `docs/contracts/native-toolchain-decision.md` (DECISION-NATIVE-TOOLCHAIN-401) defining pure-C# ELF/PE/Mach-O parsers, per-language demanglers (Demangler.Net, Iced, Capstone.NET), pre-built test fixtures, and callgraph extraction methods. (2) Task 8 SIGNALS-RUNTIME-401-002 → TODO: Identified dependencies already complete (CONTRACT-RICHGRAPH-V1-015 adopted 2025-12-10, Task 19 GAP-REP-004 done 2025-12-13). (3) Task 50 SCANNER-BUILDID-401-035 → TODO: Created `docs/contracts/buildid-propagation.md` (CONTRACT-BUILDID-PROPAGATION-401) defining build-id formats (ELF/PE/Mach-O), code_id for stripped binaries, cross-RID variant mapping, SBOM/Signals integration. (4) Task 51 SCANNER-INITROOT-401-036 → TODO: Created `docs/contracts/init-section-roots.md` (CONTRACT-INIT-ROOTS-401) defining synthetic root phases (preinit/init/main/fini), init_array/ctors handling, DT_NEEDED deps, patch-oracle integration. These unblock cascading dependencies: Task 4 → Task 3; Tasks 50/51 → Task 54 → Task 55 → Tasks 16/25/56. | Implementer |
@@ -166,6 +178,7 @@
| 2025-12-13 | Started SIG-STORE-401-016 and UNCERTAINTY-SCORER-401-025: implementing reachability store collections/indexes + repository APIs and entropy-aware risk scoring in `src/Signals/StellaOps.Signals`. | Implementer |
| 2025-12-13 | Completed GAP-REP-004: Implemented replay manifest v2 in `src/__Libraries/StellaOps.Replay.Core`. (1) Added `hash` field with algorithm prefix (blake3:..., sha256:...) to ReplayManifest.cs. (2) Added `code_id_coverage` section for stripped binary handling. (3) Created `ICasValidator` interface and `InMemoryCasValidator` for CAS reference validation. (4) Created `ReplayManifestValidator` with error codes per acceptance contract (MISSING_VERSION, VERSION_MISMATCH, MISSING_HASH_ALG, UNSORTED_ENTRIES, CAS_NOT_FOUND, HASH_MISMATCH). (5) Added `UpgradeToV2` migration helper. (6) Added 18 tests covering all v2 acceptance vectors. Also unblocked Task 18 (SIG-STORE-401-016). | Implementer |
| 2025-12-13 | Unblocked tasks 19/26/39/53/60: (1) Created `docs/replay/replay-manifest-v2-acceptance.md` with acceptance vectors, CAS registration gates, test fixtures, and migration path for Task 19. (2) Updated `bench/README.md` with verification workflows, artifact contracts, and CI integration for Task 26 (DONE). (3) Frozen section 8 of `docs/reachability/hybrid-attestation.md` with DSSE/Rekor budget by tier, CAS signing layout, CLI UX, and golden fixture plan for Task 53. (4) Marked Tasks 39 and 60 as TODO since their dependencies (38 and 58) are complete. | Docs Guild |
| 2025-12-13 | Completed POLICY-VEX-401-006: Implemented VexDecisionEmitter consuming reachability facts and emitting OpenVEX documents. Created `VexDecisionModels.cs` (VexDecisionDocument, VexStatement, VexEvidenceBlock, etc.), `VexDecisionEmitter.cs` (IVexDecisionEmitter interface + implementation with fact-to-VEX status mapping, lattice state bucketing CU/CR/SU/SR/etc., gate evaluation via PolicyGateEvaluator), added telemetry counter `policy_vex_decisions_total`, registered services in DI, and wrote 10 passing tests. Unblocked tasks 14, 23. | Policy Guild |
| 2025-12-13 | Completed BINARY-GAPS-401-066: Created `docs/reachability/binary-reachability-schema.md` addressing all 10 binary reachability gaps (BR1-BR10) from November 2025 product findings. Document specifies: DSSE predicates (`stella.ops/binaryGraph@v1`, `stella.ops/binaryEdgeBundle@v1`), edge hash recipe with binary_hash context, required evidence table with CAS refs, build-id/variant rules for ELF/PE/Mach-O, policy hash governance with binding modes, Sigstore routing with offline mode, idempotent submission keys, size/chunking limits, API/CLI/UI guidance, and binary fixture requirements with test categories. | Docs Guild |
| 2025-12-13 | Completed tasks 37/38/48/58/59: implemented reachability lattice + uncertainty tiers + policy gate evaluator, published ground-truth schema/tests, and added richgraph-v1 native alignment tests; docs synced (`docs/reachability/lattice.md`, `docs/uncertainty/README.md`, `docs/reachability/policy-gate.md`, `docs/reachability/ground-truth-schema.md`, `docs/modules/scanner/design/native-reachability-plan.md`). | Implementer |
| 2025-12-13 | Regenerated deterministic reachbench/corpus manifest hashes with offline scripts (`tests/reachability/fixtures/reachbench-2025-expanded/harness/update_variant_manifests.py`, `tests/reachability/corpus/update_manifest.py`) and verified reachability test suites (Policy Engine, Scanner Reachability, FixtureTests, Signals Reachability, ScannerSignals Integration) passing. | Implementer |

147
docs/implplan/SPRINT_0420_0001_0001_zastava_hybrid_gaps.md Normal file
View File

@@ -0,0 +1,147 @@
# Sprint 0420.0001.0001 - Zastava Hybrid Scanner Gaps
## Topic & Scope
- Window: 2025-12-14 -> 2025-01-15 (UTC); implement critical gaps for Zastava on-premise hybrid vulnerability scanner
- Add Windows container support for full platform coverage
- Create VM/bare-metal deployment path for non-Kubernetes customers
- Enable runtime-static reconciliation for hybrid scanning value proposition
- **Working directory:** `src/Zastava/`, `src/Scanner/`, `src/Signals/`
## Dependencies & Concurrency
- Upstream: Zastava Wave 0 COMPLETE (Observer, Webhook, Core all DONE as of 2025-10-25)
- Upstream: Scanner RuntimeEndpoints API exists (`/api/v1/scanner/runtime/events`)
- T1-T4 can be parallelized across guilds
- T10 (Windows) depends on T3 (Agent wrapper) for shared abstractions
## Documentation Prerequisites
- docs/modules/zastava/architecture.md
- docs/modules/zastava/AGENTS.md
- docs/modules/scanner/design/runtime-alignment-scanner-zastava.md
- docs/modules/scanner/design/runtime-parity-plan.md
- docs/reachability/hybrid-attestation.md
## Delivery Tracker
### T1: Runtime-Static Reconciliation (Gap 1 - CRITICAL)
**Problem:** No mechanism to compare SBOM inventory against runtime-observed libraries.
**Impact:** Cannot detect false negatives (libraries loaded at runtime but missing from static scan).
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | MR-T1.1 | DONE | None | Scanner Guild | Implement `RuntimeInventoryReconciler` service comparing SBOM components vs loaded DSOs by sha256 hash |
| 2 | MR-T1.2 | DONE | MR-T1.1 | Scanner Guild | Add `POST /api/v1/scanner/runtime/reconcile` endpoint accepting image digest + runtime event ID |
| 3 | MR-T1.3 | DONE | MR-T1.2 | Scanner Guild | Surface match/miss Prometheus metrics: `scanner_runtime_reconcile_matches_total`, `scanner_runtime_reconcile_misses_total` |
| 4 | MR-T1.4 | TODO | MR-T1.3 | Scanner Guild | Add integration tests for reconciliation with mock SBOM and runtime events |
**Location:** `src/Scanner/StellaOps.Scanner.WebService/Services/RuntimeInventoryReconciler.cs`
### T2: Delta Scan Auto-Trigger (Gap 2 - CRITICAL)
**Problem:** When Zastava detects baseline drift (new binaries, changed files), no auto-scan is triggered.
**Impact:** Runtime drift goes unscanned until manual intervention.
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 5 | MR-T2.1 | DONE | None | Scanner Guild | Implement `DeltaScanRequestHandler` in Scanner.WebService that creates scan jobs from DRIFT events |
| 6 | MR-T2.2 | DONE | MR-T2.1 | Scanner Guild | Wire RuntimeEventIngestionService to detect `kind=DRIFT` and invoke DeltaScanRequestHandler |
| 7 | MR-T2.3 | DONE | MR-T2.2 | Scanner Guild | Add `scanner.runtime.autoscan.enabled` feature flag (default: false) in ScannerOptions |
| 8 | MR-T2.4 | DONE | MR-T2.3 | Scanner Guild | Add telemetry: `scanner_delta_scan_triggered_total`, `scanner_delta_scan_skipped_total` |
**Location:** `src/Scanner/StellaOps.Scanner.WebService/Services/DeltaScanRequestHandler.cs`
### T3: VM/Bare-Metal Deployment (Gap 3 - CRITICAL)
**Problem:** Agent mode for non-Kubernetes exists but lacks deployment playbooks and unified configuration.
**Impact:** On-premise Docker/VM customers have no supported deployment path.
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 9 | MR-T3.1 | DONE | None | Zastava Guild | Create `StellaOps.Zastava.Agent` project as host service wrapper with Generic Host |
| 10 | MR-T3.2 | DONE | MR-T3.1 | Zastava Guild | Implement Docker socket event listener as alternative to CRI polling |
| 11 | MR-T3.3 | DONE | MR-T3.1 | Zastava Guild | Create systemd service unit template (`zastava-agent.service`) |
| 12 | MR-T3.4 | TODO | MR-T3.3 | Ops Guild | Create Ansible playbook for VM deployment (`deploy/ansible/zastava-agent.yml`) |
| 13 | MR-T3.5 | TODO | MR-T3.4 | Docs Guild | Document Docker socket permissions, log paths, health check configuration |
| 14 | MR-T3.6 | TODO | MR-T3.5 | Zastava Guild | Add health check endpoints for non-K8s monitoring (`/healthz`, `/readyz`) |
**Location:** `src/Zastava/StellaOps.Zastava.Agent/`
### T4: Proc Snapshot Schema (Gap 4 - CRITICAL)
**Problem:** Java/.NET/PHP runtime parity requires proc snapshot data, but schema not finalized.
**Impact:** Cannot reconcile JVM classpath, .NET .deps.json, or PHP autoload with static analysis.
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 15 | MR-T4.1 | DONE | None | Signals Guild | Define `ProcSnapshotDocument` schema with fields: pid, image_digest, classpath[], loaded_assemblies[], autoload_paths[] |
| 16 | MR-T4.2 | DONE | MR-T4.1 | Signals Guild | Add `IProcSnapshotRepository` interface and in-memory implementation |
| 17 | MR-T4.3 | TODO | MR-T4.2 | Scanner Guild | Implement Java jar/classpath runtime collector via `/proc/<pid>/cmdline` and `jcmd` |
| 18 | MR-T4.4 | TODO | MR-T4.2 | Scanner Guild | Implement .NET RID-graph runtime collector via `/proc/<pid>/maps` and deps.json discovery |
| 19 | MR-T4.5 | TODO | MR-T4.2 | Scanner Guild | Implement PHP composer autoload runtime collector via `vendor/autoload.php` analysis |
| 20 | MR-T4.6 | TODO | MR-T4.3-5 | Zastava Guild | Wire proc snapshot collectors into Observer's RuntimeProcessCollector |
**Location:** `src/Signals/StellaOps.Signals/ProcSnapshot/`, `src/Zastava/StellaOps.Zastava.Observer/Runtime/`
### T10: Windows Container Support (Gap 10 - HIGH)
**Problem:** ETW providers planned but not implemented.
**Impact:** No Windows container observability.
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 21 | MR-T10.1 | DONE | MR-T3.1 | Zastava Guild | Implement `EtwEventSource` for Windows container lifecycle events |
| 22 | MR-T10.2 | DONE | MR-T10.1 | Zastava Guild | Add Windows entrypoint tracing via `CreateProcess` instrumentation or ETW |
| 23 | MR-T10.3 | DONE | MR-T10.2 | Zastava Guild | Implement Windows-specific library hash collection (PE format) |
| 24 | MR-T10.4 | TODO | MR-T10.3 | Docs Guild | Create Windows deployment documentation (`docs/modules/zastava/operations/windows.md`) |
| 25 | MR-T10.5 | TODO | MR-T10.4 | QA Guild | Add Windows integration tests with Testcontainers (Windows Server Core) |
**Location:** `src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Windows/`
## Phase 3: Supporting Gaps (If Time Permits)
### T5: Export Center Combined Stream (Gap 5)
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 26 | MR-T5.1 | TODO | T1-T4 | Export Guild | Implement combined `scanner.entrytrace.ndjson` + `zastava.runtime.ndjson` serializer |
| 27 | MR-T5.2 | TODO | MR-T5.1 | Export Guild | Add offline kit path validation script |
| 28 | MR-T5.3 | TODO | MR-T5.2 | Export Guild | Update `kit/verify.sh` for combined format |
### T6: Per-Workload Rate Limiting (Gap 6)
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 29 | MR-T6.1 | TODO | None | Scanner Guild | Add workload-level rate limit configuration to RuntimeIngestionOptions |
| 30 | MR-T6.2 | TODO | MR-T6.1 | Scanner Guild | Implement hierarchical budget allocation (tenant → namespace → workload) |
### T7: Sealed-Mode Enforcement (Gap 7)
| # | Task ID | Status | Key dependency | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 31 | MR-T7.1 | TODO | None | Zastava Guild | Add `zastava.offline.strict` mode that fails on any network call |
| 32 | MR-T7.2 | TODO | MR-T7.1 | Zastava Guild | Implement startup validation for Surface.FS cache availability |
| 33 | MR-T7.3 | TODO | MR-T7.2 | QA Guild | Add integration test for offline-only operation |
## Current Implementation Status
| Component | Pre-Sprint Status | Evidence |
|-----------|-------------------|----------|
| Zastava.Core | DONE | Runtime event/admission DTOs, hashing, OpTok auth |
| Zastava.Observer | DONE | CRI polling, entrypoint tracing, library sampling, disk buffer |
| Zastava.Webhook | DONE | Admission controller, TLS bootstrap, policy caching |
| Scanner RuntimeEndpoints | DONE | `/api/v1/scanner/runtime/events` exists |
| Runtime-Static Reconciliation | NOT STARTED | Gap 1 - this sprint |
| Delta Scan Trigger | NOT STARTED | Gap 2 - this sprint |
| VM/Agent Deployment | PARTIAL | Observer exists, Agent wrapper needed |
| Windows Support | NOT STARTED | Gap 10 - this sprint |
## Decisions & Risks
| Risk | Impact | Mitigation |
| --- | --- | --- |
| CRI vs Docker socket abstraction complexity | Agent may have different event semantics | Implement common `IContainerRuntimeClient` interface |
| Windows ETW complexity | Long lead time for ETW provider | Start with HCS (Host Compute Service) API first, ETW optional |
| Proc snapshot data volume | Large payload for Java/PHP with many dependencies | Implement sampling/truncation with configurable limits |
| Delta scan storms | DRIFT events could trigger many scans | Add cooldown period and deduplication window |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-14 | Sprint created from gap analysis. 5 critical gaps + Windows support in scope. Total 33 tasks across 6 work streams. | Infrastructure Guild |
| 2025-12-14 | T1.1-T1.3 DONE: Implemented RuntimeInventoryReconciler service with /reconcile endpoint and Prometheus metrics. Added GetByEventIdAsync and GetByImageDigestAsync to RuntimeEventRepository. | Scanner Guild |
| 2025-12-14 | T2.1-T2.4 DONE: Implemented DeltaScanRequestHandler service with auto-scan on DRIFT events. Added AutoScanEnabled and AutoScanCooldownSeconds to RuntimeOptions. Wired into RuntimeEventIngestionService with deduplication and cooldown. | Scanner Guild |
| 2025-12-14 | T3.1-T3.3 DONE: Created StellaOps.Zastava.Agent project with Generic Host, Docker socket event listener (DockerSocketClient, DockerEventHostedService), RuntimeEventBuffer, RuntimeEventDispatchService, and systemd service template (deploy/systemd/zastava-agent.service). | Zastava Guild |
| 2025-12-14 | T4.1-T4.2 DONE: Defined ProcSnapshotDocument schema with ClasspathEntry (Java), LoadedAssemblyEntry (.NET), AutoloadPathEntry (PHP). Added IProcSnapshotRepository interface and InMemoryProcSnapshotRepository implementation. | Signals Guild |
| 2025-12-14 | T10.1-T10.3 DONE: Implemented Windows container runtime support. Added IWindowsContainerRuntimeClient interface, DockerWindowsRuntimeClient (Docker over named pipe), WindowsContainerInfo/Event models, and WindowsLibraryHashCollector for PE format library hashing. | Zastava Guild |

12
docs/implplan/SPRINT_0503_0001_0001_ops_devops_i.md
View File

@@ -33,9 +33,9 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
| DEVOPS-AIRGAP-57-002 | BLOCKED (2025-11-18) | Waiting on upstream DEVOPS-AIRGAP-57-001 (mirror bundle automation) to provide artifacts/endpoints for sealed-mode CI; no sealed fixtures available to exercise tests. | DevOps Guild, Authority Guild (ops/devops) |
| DEVOPS-AIRGAP-58-001 | DONE (2025-11-30) | Provide local SMTP/syslog container templates and health checks for sealed environments; integrate into Bootstrap Pack. Dependencies: DEVOPS-AIRGAP-57-002. | DevOps Guild, Notifications Guild (ops/devops) |
| DEVOPS-AIRGAP-58-002 | DONE (2025-11-30) | Ship sealed-mode observability stack (Prometheus/Grafana/Tempo/Loki) pre-configured with offline dashboards and no remote exporters. Dependencies: DEVOPS-AIRGAP-58-001. | DevOps Guild, Observability Guild (ops/devops) |
| DEVOPS-AOC-19-001 | BLOCKED (2025-10-26) | Integrate the AOC Roslyn analyzer and guard tests into CI, failing builds when ingestion projects attempt banned writes. | DevOps Guild, Platform Guild (ops/devops) |
| DEVOPS-AOC-19-002 | BLOCKED (2025-10-26) | Add pipeline stage executing `stella aoc verify --since` against seeded Mongo snapshots for Concelier + Excititor, publishing violation report artefacts. Dependencies: DEVOPS-AOC-19-001. | DevOps Guild (ops/devops) |
| DEVOPS-AOC-19-003 | BLOCKED (2025-10-26) | Enforce unit test coverage thresholds for AOC guard suites and ensure coverage exported to dashboards. Dependencies: DEVOPS-AOC-19-002. | DevOps Guild, QA Guild (ops/devops) |
| DEVOPS-AOC-19-001 | DONE (2025-12-14) | Integrate the AOC Roslyn analyzer and guard tests into CI, failing builds when ingestion projects attempt banned writes. Created `StellaOps.Aoc.Analyzers` Roslyn analyzer project with AOC0001 (forbidden field), AOC0002 (derived field), AOC0003 (unguarded write) rules. All 20 analyzer tests pass. | DevOps Guild, Platform Guild (ops/devops) |
| DEVOPS-AOC-19-002 | DONE (2025-12-14) | Add pipeline stage executing `stella aoc verify --since` against seeded PostgreSQL/Mongo databases for Concelier + Excititor, publishing violation report artefacts. Created `StellaOps.Aoc.Cli` with verify command supporting `--since`, `--postgres`, `--mongo`, `--output`, `--ndjson`, `--dry-run` flags. Updated `aoc-guard.yml` workflow with PostgreSQL support. 9 CLI tests pass. | DevOps Guild (ops/devops) |
| DEVOPS-AOC-19-003 | DONE (2025-12-14) | Enforce unit test coverage thresholds for AOC guard suites and ensure coverage exported to dashboards. Created `aoc.runsettings` with 70% line / 60% branch thresholds. Updated CI workflow with coverage collection using coverlet and reportgenerator for HTML/Cobertura reports. | DevOps Guild, QA Guild (ops/devops) |
| DEVOPS-AOC-19-101 | DONE (2025-12-01) | Draft supersedes backfill rollout (freeze window, dry-run steps, rollback) once advisory_raw idempotency index passes staging verification. Dependencies: DEVOPS-AOC-19-003. | DevOps Guild, Concelier Storage Guild (ops/devops) |
| DEVOPS-ATTEST-73-001 | DONE (2025-11-30) | Provision CI pipelines for attestor service (lint/test/security scan, seed data) and manage secrets for KMS drivers. | DevOps Guild, Attestor Service Guild (ops/devops) |
| DEVOPS-ATTEST-73-002 | DONE (2025-11-30) | Establish secure storage for signing keys (vault integration, rotation schedule) and audit logging. Dependencies: DEVOPS-ATTEST-73-001. | DevOps Guild, KMS Guild (ops/devops) |
@@ -47,7 +47,7 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
| DEVOPS-STORE-AOC-19-005-REL | BLOCKED | Release/offline-kit packaging for Concelier backfill; waiting on dataset hash + dev rehearsal. | DevOps Guild, Concelier Storage Guild (ops/devops) |
| DEVOPS-CONCELIER-CI-24-101 | DONE (2025-11-25) | Provide clean CI runner + warmed NuGet cache + vstest harness for Concelier WebService & Storage; deliver TRX/binlogs and unblock CONCELIER-GRAPH-24-101/28-102 and LNM-21-004..203. | DevOps Guild, Concelier Core Guild (ops/devops) |
| DEVOPS-SCANNER-CI-11-001 | DONE (2025-11-30) | Supply warmed cache/diag runner for Scanner analyzers (LANG-11-001, JAVA 21-005/008) with binlogs + TRX; unblock restore/test hangs. | DevOps Guild, Scanner EPDR Guild (ops/devops) |
| SCANNER-ANALYZERS-LANG-11-001 | TODO | Entrypoint resolver mapping project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles; output normalized `entrypoints[]` with deterministic IDs. Depends on DEVOPS-SCANNER-CI-11-001 runner. Design doc: `docs/modules/scanner/design/dotnet-analyzer-11-001.md`. Moved from SPRINT_0131. | StellaOps.Scanner EPDR Guild · Language Analyzer Guild (src/Scanner) |
| SCANNER-ANALYZERS-LANG-11-001 | DONE (2025-12-14) | Entrypoint resolver mapping project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles; output normalized `entrypoints[]` with deterministic IDs. Enhanced `DotNetEntrypointResolver.cs` with: MVID extraction from PE metadata, SHA-256 hash computation, host kind (apphost/framework-dependent/self-contained), publish mode (normal/single-file/trimmed), ALC hints from runtimeconfig.dev.json, probing paths, native dependencies. All 179 .NET analyzer tests pass. | StellaOps.Scanner EPDR Guild · Language Analyzer Guild (src/Scanner) |
| DEVOPS-SCANNER-JAVA-21-011-REL | DONE (2025-12-01) | Package/sign Java analyzer plug-in once dev task 21-011 delivers; publish to Offline Kit/CLI release pipelines with provenance. | DevOps Guild, Scanner Release Guild (ops/devops) |
| DEVOPS-SBOM-23-001 | DONE (2025-11-30) | Publish vetted offline NuGet feed + CI recipe for SbomService; prove with `dotnet test` run and share cache hashes; unblock SBOM-CONSOLE-23-001/002. | DevOps Guild, SBOM Service Guild (ops/devops) |
| FEED-REMEDIATION-1001 | TODO (2025-12-07) | Ready to execute remediation scope/runbook for overdue feeds (CCCS/CERTBUND) using ICS/KISA SOP v0.2 (`docs/modules/concelier/feeds/icscisa-kisa.md`); schedule first rerun by 2025-12-10. | Concelier Feed Owners (ops/devops) |
@@ -56,6 +56,10 @@ Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - A
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-14 | Completed DEVOPS-AOC-19-003: Added coverage threshold configuration in `src/Aoc/aoc.runsettings` (70% line, 60% branch). Updated `aoc-guard.yml` CI workflow with coverage collection using XPlat Code Coverage (coverlet) and reportgenerator for HTML/Cobertura reports. Coverage artifacts now uploaded to CI. | Implementer |
| 2025-12-14 | Completed DEVOPS-AOC-19-002: Created `src/Aoc/StellaOps.Aoc.Cli/` CLI project implementing `verify` command per workflow requirements. Features: `--since` (git SHA or timestamp), `--postgres` (preferred), `--mongo` (legacy), `--output`/`--ndjson` reports, `--dry-run`, `--verbose`, `--tenant` filter. Created `AocVerificationService` querying `concelier.advisory_raw` and `excititor.vex_documents` tables. Updated `aoc-guard.yml` to prefer PostgreSQL and fall back to MongoDB with dry-run if neither is configured. Added test project `StellaOps.Aoc.Cli.Tests` with 9 passing tests. | Implementer |
| 2025-12-14 | Completed DEVOPS-AOC-19-001: Created `StellaOps.Aoc.Analyzers` Roslyn source analyzer in `src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/`. Implements: (1) AOC0001 - forbidden field write detection (severity, cvss, etc.), (2) AOC0002 - derived field write detection (effective_* prefix), (3) AOC0003 - unguarded database write detection. Analyzer enforces AOC contracts at compile-time for Connector/Ingestion namespaces. Created test project `src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/` with 20 passing tests. CI workflow `aoc-guard.yml` already references the analyzer paths. | Implementer |
| 2025-12-14 | Completed SCANNER-ANALYZERS-LANG-11-001: Enhanced `DotNetEntrypointResolver.cs` per design doc requirements. Added: (1) MVID extraction from PE metadata via `System.Reflection.Metadata`, (2) SHA-256 hash computation over assembly bytes, (3) `DotNetHostKind` enum (Unknown/Apphost/FrameworkDependent/SelfContained), (4) `DotNetPublishMode` enum (Normal/SingleFile/Trimmed) using `SingleFileAppDetector`, (5) ALC hints collection from `runtimeconfig.dev.json`, (6) probing paths from dev config, (7) native dependencies for single-file bundles. Updated `DotNetEntrypoint` record with 16 fields: Id, Name, AssemblyName, Mvid, TargetFrameworks, RuntimeIdentifiers, HostKind, PublishKind, PublishMode, AlcHints, ProbingPaths, NativeDependencies, Hash, FileSizeBytes, RelativeDepsPath, RelativeRuntimeConfigPath, RelativeAssemblyPath, RelativeApphostPath. All 179 .NET analyzer tests pass. | Implementer |
| 2025-12-10 | Moved SCANNER-ANALYZERS-LANG-11-001 from SPRINT_0131 (archived) to this sprint after DEVOPS-SCANNER-CI-11-001; task depends on CI runner availability. Design doc at `docs/modules/scanner/design/dotnet-analyzer-11-001.md`. | Project Mgmt |
| 2025-12-08 | Configured feed runner defaults for on-prem: `FEED_GATEWAY_HOST`/`FEED_GATEWAY_SCHEME` now default to `concelier-webservice` (Docker network DNS) so CI hits local mirror by default; `fetch.log` records the resolved URLs when defaults are used; external URLs remain overrideable via `ICSCISA_FEED_URL`/`KISA_FEED_URL`. | DevOps |
| 2025-12-08 | Added weekly CI pipeline `.gitea/workflows/icscisa-kisa-refresh.yml` (Mon 02:00 UTC + manual) running `scripts/feeds/run_icscisa_kisa_refresh.py`; uploads `icscisa-kisa-<YYYYMMDD>` artefact with advisories/delta/log/hashes. | DevOps |

0
docs/implplan/SPRINT_0410_0001_0001_entrypoint_detection_reengineering_program.md → docs/implplan/archived/SPRINT_0410_0001_0001_entrypoint_detection_reengineering_program.md
View File

76
docs/implplan/SPRINT_3412_0001_0001_postgres_durability_phase2.md → docs/implplan/archived/SPRINT_3412_0001_0001_postgres_durability_phase2.md
View File

@@ -67,7 +67,7 @@ Each new Postgres repository MUST:
| 4 | MR-T12.0.4 | DONE | None | Excititor Guild | Implement `PostgresVexTimelineEventStore` (IVexTimelineEventStore - no impl exists) |
| 5 | MR-T12.0.5 | DONE | MR-T12.0.1-4 | Excititor Guild | Add vex schema migrations for provider, observation, attestation, timeline tables |
| 6 | MR-T12.0.6 | DONE | MR-T12.0.5 | Excititor Guild | Update DI in ServiceCollectionExtensions to use Postgres stores by default |
| 7 | MR-T12.0.7 | TODO | MR-T12.0.6 | Excititor Guild | Add integration tests with PostgresIntegrationFixture |
| 7 | MR-T12.0.7 | DONE | MR-T12.0.6 | Excititor Guild | Add integration tests with PostgresIntegrationFixture |
### T12.1: AirGap.Controller PostgreSQL Storage (HIGH PRIORITY)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
@@ -75,7 +75,7 @@ Each new Postgres repository MUST:
| 1 | MR-T12.1.1 | DONE | None | AirGap Guild | Design airgap.state PostgreSQL schema and migration |
| 2 | MR-T12.1.2 | DONE | MR-T12.1.1 | AirGap Guild | Implement `PostgresAirGapStateStore` repository |
| 3 | MR-T12.1.3 | DONE | MR-T12.1.2 | AirGap Guild | Wire DI for Postgres storage, update ServiceCollectionExtensions |
| 4 | MR-T12.1.4 | TODO | MR-T12.1.3 | AirGap Guild | Add integration tests with Testcontainers |
| 4 | MR-T12.1.4 | DONE | MR-T12.1.3 | AirGap Guild | Add integration tests with Testcontainers |
### T12.2: TaskRunner PostgreSQL Storage (HIGH PRIORITY)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
@@ -83,52 +83,53 @@ Each new Postgres repository MUST:
| 5 | MR-T12.2.1 | DONE | None | TaskRunner Guild | Design taskrunner schema and migration (state, approvals, logs, evidence) |
| 6 | MR-T12.2.2 | DONE | MR-T12.2.1 | TaskRunner Guild | Implement Postgres repositories (PackRunStateStore, PackRunApprovalStore, PackRunLogStore, PackRunEvidenceStore) |
| 7 | MR-T12.2.3 | DONE | MR-T12.2.2 | TaskRunner Guild | Wire DI for Postgres storage, create ServiceCollectionExtensions |
| 8 | MR-T12.2.4 | TODO | MR-T12.2.3 | TaskRunner Guild | Add integration tests with Testcontainers |
| 8 | MR-T12.2.4 | DONE | MR-T12.2.3 | TaskRunner Guild | Add integration tests with Testcontainers |
### T12.3: Notify Missing Repositories
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 9 | MR-T12.3.1 | TODO | None | Notifier Guild | Implement `PackApprovalRepository` with Postgres backing |
| 10 | MR-T12.3.2 | TODO | None | Notifier Guild | Implement `ThrottleConfigRepository` with Postgres backing |
| 11 | MR-T12.3.3 | TODO | None | Notifier Guild | Implement `OperatorOverrideRepository` with Postgres backing |
| 12 | MR-T12.3.4 | TODO | None | Notifier Guild | Implement `LocalizationRepository` with Postgres backing |
| 13 | MR-T12.3.5 | TODO | MR-T12.3.1-4 | Notifier Guild | Wire Postgres repos in DI, replace in-memory implementations |
| 9 | MR-T12.3.1 | SKIPPED | None | Notifier Guild | `PackApprovalRepository` - no model exists in codebase |
| 10 | MR-T12.3.2 | DONE | None | Notifier Guild | Implement `ThrottleConfigRepository` with Postgres backing |
| 11 | MR-T12.3.3 | DONE | None | Notifier Guild | Implement `OperatorOverrideRepository` with Postgres backing |
| 12 | MR-T12.3.4 | DONE | None | Notifier Guild | Implement `LocalizationBundleRepository` with Postgres backing |
| 13 | MR-T12.3.5 | DONE | MR-T12.3.2-4 | Notifier Guild | Wire Postgres repos in DI via ServiceCollectionExtensions |
### T12.4: Signals PostgreSQL Storage
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 14 | MR-T12.4.1 | TODO | None | Signals Guild | Design signals schema (callgraphs, reachability_facts, unknowns) |
| 15 | MR-T12.4.2 | TODO | MR-T12.4.1 | Signals Guild | Implement Postgres callgraph repository |
| 16 | MR-T12.4.3 | TODO | MR-T12.4.1 | Signals Guild | Implement Postgres reachability facts repository |
| 17 | MR-T12.4.4 | TODO | MR-T12.4.2-3 | Signals Guild | Replace in-memory persistence in storage layer |
| 18 | MR-T12.4.5 | TODO | MR-T12.4.4 | Signals Guild | Add integration tests with Testcontainers |
| 14 | MR-T12.4.1 | DONE | None | Signals Guild | Design signals schema (callgraphs, reachability_facts, unknowns, func_nodes, call_edges, cve_func_hits) |
| 15 | MR-T12.4.2 | DONE | MR-T12.4.1 | Signals Guild | Implement Postgres repositories (PostgresCallgraphRepository, PostgresReachabilityFactRepository, PostgresUnknownsRepository, PostgresReachabilityStoreRepository) |
| 16 | MR-T12.4.3 | DONE | MR-T12.4.1 | Signals Guild | Create SignalsDataSource and ServiceCollectionExtensions |
| 17 | MR-T12.4.4 | DONE | MR-T12.4.2-3 | Signals Guild | Build verified with no errors |
| 18 | MR-T12.4.5 | DONE | MR-T12.4.4 | Signals Guild | Add integration tests with Testcontainers |
### T12.5: Graph.Indexer PostgreSQL Storage
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 19 | MR-T12.5.1 | TODO | None | Graph Guild | Design graph schema (nodes, edges, snapshots, change_feeds) |
| 20 | MR-T12.5.2 | TODO | MR-T12.5.1 | Graph Guild | Implement Postgres graph writer repository |
| 21 | MR-T12.5.3 | TODO | MR-T12.5.1 | Graph Guild | Implement Postgres snapshot store |
| 22 | MR-T12.5.4 | TODO | MR-T12.5.2-3 | Graph Guild | Replace in-memory implementations |
| 23 | MR-T12.5.5 | TODO | MR-T12.5.4 | Graph Guild | Fix GraphAnalyticsEngine determinism test failures |
| 24 | MR-T12.5.6 | TODO | MR-T12.5.4 | Graph Guild | Fix GraphSnapshotBuilder determinism test failures |
| 19 | MR-T12.5.1 | DONE | None | Graph Guild | Design graph schema (idempotency_tokens, pending_snapshots, cluster_assignments, centrality_scores, graph_nodes, graph_edges) |
| 20 | MR-T12.5.2 | DONE | MR-T12.5.1 | Graph Guild | Implement Postgres graph writer repository (PostgresGraphDocumentWriter) |
| 21 | MR-T12.5.3 | DONE | MR-T12.5.1 | Graph Guild | Implement Postgres snapshot store (PostgresGraphSnapshotProvider, PostgresIdempotencyStore, PostgresGraphAnalyticsWriter) |
| 22 | MR-T12.5.4 | DONE | MR-T12.5.2-3 | Graph Guild | Created GraphIndexerDataSource and ServiceCollectionExtensions, build verified |
| 23 | MR-T12.5.5 | DONE | MR-T12.5.4 | Graph Guild | Add integration tests with Testcontainers for Graph.Indexer repositories |
| 24 | MR-T12.5.6 | DONE | MR-T12.5.5 | Graph Guild | Fix GraphAnalyticsEngine determinism test failures |
| 25 | MR-T12.5.7 | DONE | MR-T12.5.5 | Graph Guild | Fix GraphSnapshotBuilder determinism test failures |
### T12.6: PacksRegistry PostgreSQL Storage
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 25 | MR-T12.6.1 | TODO | None | PacksRegistry Guild | Design packs schema (packs, pack_versions, pack_artifacts) |
| 26 | MR-T12.6.2 | TODO | MR-T12.6.1 | PacksRegistry Guild | Implement Postgres pack repositories |
| 27 | MR-T12.6.3 | TODO | MR-T12.6.2 | PacksRegistry Guild | Replace file-based repositories in WebService |
| 28 | MR-T12.6.4 | TODO | MR-T12.6.3 | PacksRegistry Guild | Add integration tests with Testcontainers |
| 25 | MR-T12.6.1 | DONE | None | PacksRegistry Guild | Design packs schema (packs, attestations, audit_log, lifecycles, mirror_sources, parities) |
| 26 | MR-T12.6.2 | DONE | MR-T12.6.1 | PacksRegistry Guild | Implement Postgres repositories (PostgresPackRepository, PostgresAttestationRepository, PostgresAuditRepository, PostgresLifecycleRepository, PostgresMirrorRepository, PostgresParityRepository) |
| 27 | MR-T12.6.3 | DONE | MR-T12.6.2 | PacksRegistry Guild | Created PacksRegistryDataSource and ServiceCollectionExtensions, build verified |
| 28 | MR-T12.6.4 | DONE | MR-T12.6.3 | PacksRegistry Guild | Add integration tests with Testcontainers |
### T12.7: SbomService PostgreSQL Storage
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 29 | MR-T12.7.1 | TODO | None | SbomService Guild | Design sbom schema (catalogs, components, lookups) |
| 30 | MR-T12.7.2 | TODO | MR-T12.7.1 | SbomService Guild | Implement Postgres catalog repository |
| 31 | MR-T12.7.3 | TODO | MR-T12.7.1 | SbomService Guild | Implement Postgres component lookup repository |
| 32 | MR-T12.7.4 | TODO | MR-T12.7.2-3 | SbomService Guild | Replace file/in-memory implementations |
| 33 | MR-T12.7.5 | TODO | MR-T12.7.4 | SbomService Guild | Add integration tests with Testcontainers |
| 29 | MR-T12.7.1 | DONE | None | SbomService Guild | Design sbom schema (catalog, component_lookups, entrypoints, orchestrator_sources, orchestrator_control, projections) |
| 30 | MR-T12.7.2 | DONE | MR-T12.7.1 | SbomService Guild | Implement Postgres repositories (PostgresCatalogRepository, PostgresComponentLookupRepository, PostgresEntrypointRepository, PostgresOrchestratorRepository, PostgresOrchestratorControlRepository, PostgresProjectionRepository) |
| 31 | MR-T12.7.3 | DONE | MR-T12.7.1 | SbomService Guild | Created SbomServiceDataSource and ServiceCollectionExtensions |
| 32 | MR-T12.7.4 | DONE | MR-T12.7.2-3 | SbomService Guild | Build verified with 0 errors |
| 33 | MR-T12.7.5 | DONE | MR-T12.7.4 | SbomService Guild | Add integration tests with Testcontainers |
## Wave Coordination
- **Wave 1 (HIGH PRIORITY):** T12.0 (Excititor), T12.1 (AirGap), T12.2 (TaskRunner) - production durability critical
@@ -142,11 +143,11 @@ Each new Postgres repository MUST:
| Excititor | Postgres COMPLETE | All stores implemented: `PostgresVexProviderStore`, `PostgresVexObservationStore`, `PostgresVexAttestationStore`, `PostgresVexTimelineEventStore` |
| AirGap.Controller | Postgres COMPLETE | `PostgresAirGapStateStore` in `StellaOps.AirGap.Storage.Postgres` |
| TaskRunner | Postgres COMPLETE | `PostgresPackRunStateStore`, `PostgresPackRunApprovalStore`, `PostgresPackRunLogStore`, `PostgresPackRunEvidenceStore` in `StellaOps.TaskRunner.Storage.Postgres` |
| Signals | Filesystem + In-memory | `src/Signals/StellaOps.Signals/Storage/FileSystemCallgraphArtifactStore.cs` |
| Graph.Indexer | In-memory | `src/Graph/StellaOps.Graph.Indexer/` - InMemoryIdempotencyStore, in-memory graph writer |
| PacksRegistry | File-based | `src/PacksRegistry/` - file-based repositories |
| SbomService | File + In-memory | `src/SbomService/` - file/in-memory repositories |
| Notify | Partial Postgres | Missing: PackApproval, ThrottleConfig, OperatorOverride, Localization repos |
| Signals | Postgres COMPLETE | `StellaOps.Signals.Storage.Postgres`: PostgresCallgraphRepository, PostgresReachabilityFactRepository, PostgresUnknownsRepository, PostgresReachabilityStoreRepository |
| Graph.Indexer | Postgres COMPLETE | `StellaOps.Graph.Indexer.Storage.Postgres`: PostgresIdempotencyStore, PostgresGraphSnapshotProvider, PostgresGraphAnalyticsWriter, PostgresGraphDocumentWriter |
| PacksRegistry | Postgres COMPLETE | `StellaOps.PacksRegistry.Storage.Postgres`: PostgresPackRepository, PostgresAttestationRepository, PostgresAuditRepository, PostgresLifecycleRepository, PostgresMirrorRepository, PostgresParityRepository |
| SbomService | Postgres COMPLETE | `StellaOps.SbomService.Storage.Postgres`: PostgresCatalogRepository, PostgresComponentLookupRepository, PostgresEntrypointRepository, PostgresOrchestratorRepository, PostgresOrchestratorControlRepository, PostgresProjectionRepository |
| Notify | Postgres COMPLETE | All repositories implemented including new: `ThrottleConfigRepository`, `OperatorOverrideRepository`, `LocalizationBundleRepository` |
## Decisions & Risks
- **Decisions:** All Postgres implementations MUST follow the `RepositoryBase<TDataSource>` abstraction pattern established in Authority, Scheduler, and Concelier modules. Use Testcontainers for integration testing. No direct Npgsql access without abstraction.
@@ -154,7 +155,8 @@ Each new Postgres repository MUST:
- ~~Excititor VEX attestations not persisted until T12.0 completes - HIGH PRIORITY~~ **MITIGATED** - T12.0 complete
- ~~AirGap sealing state loss on restart until T12.1 completes~~ **MITIGATED** - T12.1 complete
- ~~TaskRunner has no HA/scaling support until T12.2 completes~~ **MITIGATED** - T12.2 complete
- Graph.Indexer determinism tests currently failing (null edge resolution, duplicate nodes)
- ~~Signals callgraphs and reachability facts not durable~~ **MITIGATED** - T12.4 complete
- ~~Graph.Indexer determinism tests currently failing (null edge resolution, duplicate nodes)~~ **MITIGATED** - T12.5.6-7 complete
| Risk | Mitigation |
| --- | --- |
@@ -181,3 +183,9 @@ Each new Postgres repository MUST:
| 2025-12-13 | Added Excititor T12.0 section - identified 4 stores still using in-memory implementations. Added Database Abstraction Layer Requirements section. Updated wave priorities. | Infrastructure Guild |
| 2025-12-13 | Completed T12.0.1-6: Implemented PostgresVexProviderStore, PostgresVexObservationStore, PostgresVexAttestationStore, PostgresVexTimelineEventStore. Updated ServiceCollectionExtensions to register new stores. Tables created via EnsureTableAsync lazy initialization pattern. Integration tests (T12.0.7) still pending. | Infrastructure Guild |
| 2025-12-13 | Completed T12.2.1-3: Implemented TaskRunner PostgreSQL storage in new `StellaOps.TaskRunner.Storage.Postgres` project. Created repositories: PostgresPackRunStateStore (pack_run_state table), PostgresPackRunApprovalStore (pack_run_approvals table), PostgresPackRunLogStore (pack_run_logs table), PostgresPackRunEvidenceStore (pack_run_evidence table). All use EnsureTableAsync lazy initialization and OpenSystemConnectionAsync for cross-tenant access. Integration tests (T12.2.4) still pending. | Infrastructure Guild |
| 2025-12-13 | Completed T12.4.1-4: Implemented Signals PostgreSQL storage in new `StellaOps.Signals.Storage.Postgres` project. Created SignalsDataSource and 4 repositories: PostgresCallgraphRepository (callgraphs table with JSONB), PostgresReachabilityFactRepository (reachability_facts table with JSONB), PostgresUnknownsRepository (unknowns table), PostgresReachabilityStoreRepository (func_nodes, call_edges, cve_func_hits tables). Uses OpenSystemConnectionAsync for non-tenant-scoped data. Build verified with no errors. Integration tests (T12.4.5) still pending. | Infrastructure Guild |
| 2025-12-13 | Completed T12.5.1-4: Implemented Graph.Indexer PostgreSQL storage in new `StellaOps.Graph.Indexer.Storage.Postgres` project. Created GraphIndexerDataSource ("graph" schema) and 4 repositories: PostgresIdempotencyStore (idempotency_tokens table), PostgresGraphSnapshotProvider (pending_snapshots table), PostgresGraphAnalyticsWriter (cluster_assignments, centrality_scores tables), PostgresGraphDocumentWriter (graph_nodes, graph_edges tables with JSONB). Build verified with 0 errors. Determinism test fixes (T12.5.5-6) still pending. | Infrastructure Guild |
| 2025-12-13 | Completed T12.6.1-3: Implemented PacksRegistry PostgreSQL storage in new `StellaOps.PacksRegistry.Storage.Postgres` project. Created PacksRegistryDataSource ("packs" schema) and 6 repositories: PostgresPackRepository (packs table with BYTEA for content/provenance), PostgresAttestationRepository (attestations table with BYTEA), PostgresAuditRepository (audit_log table, append-only), PostgresLifecycleRepository (lifecycles table), PostgresMirrorRepository (mirror_sources table), PostgresParityRepository (parities table). Build verified with 0 errors. Integration tests (T12.6.4) still pending. | Infrastructure Guild |
| 2025-12-13 | Completed T12.7.1-4: Implemented SbomService PostgreSQL storage in new `StellaOps.SbomService.Storage.Postgres` project. Created SbomServiceDataSource ("sbom" schema) and 6 repositories: PostgresCatalogRepository (catalog table with JSONB asset_tags, GIN index), PostgresComponentLookupRepository (component_lookups table), PostgresEntrypointRepository (entrypoints table with composite PK), PostgresOrchestratorRepository (orchestrator_sources table with idempotent insert), PostgresOrchestratorControlRepository (orchestrator_control table), PostgresProjectionRepository (projections table with JSONB). Build verified with 0 errors. Integration tests (T12.7.5) still pending. | Infrastructure Guild |
| 2025-12-13 | Completed integration tests for Wave 3 modules (T12.4.5, T12.5.5, T12.6.4, T12.7.5): Created 4 new test projects with PostgresIntegrationFixture-based tests: `StellaOps.Signals.Storage.Postgres.Tests` (PostgresCallgraphRepositoryTests), `StellaOps.Graph.Indexer.Storage.Postgres.Tests` (PostgresIdempotencyStoreTests), `StellaOps.PacksRegistry.Storage.Postgres.Tests` (PostgresPackRepositoryTests), `StellaOps.SbomService.Storage.Postgres.Tests` (PostgresEntrypointRepositoryTests, PostgresOrchestratorControlRepositoryTests). All test projects build successfully. Uses ICollectionFixture pattern with per-test truncation. Remaining work: T12.5.6-7 determinism test fixes, T12.0.7/T12.1.4/T12.2.4 integration tests for Wave 1 modules. | Infrastructure Guild |
| 2025-12-14 | Completed remaining integration tests (T12.0.7 Excititor, T12.1.4 AirGap, T12.2.4 TaskRunner) and Graph determinism test fixes (T12.5.6-7). T12.0.7: 4 VEX store tests (PostgresVexProviderStoreTests, PostgresVexAttestationStoreTests, PostgresVexObservationStoreTests, PostgresVexTimelineEventStoreTests). T12.1.4: Created AirGapPostgresFixture, PostgresAirGapStateStoreTests. T12.2.4: Created TaskRunnerPostgresFixture, PostgresPackRunStateStoreTests. T12.5.6: Fixed ImmutableArray equality comparison in GraphAnalyticsEngineTests by converting to arrays. T12.5.7: Fixed NullReferenceException in TryResolveEdgeEndpoints by adding fallback for simple source/target edge format. All tests passing. Sprint 3412 complete. | Infrastructure Guild |

2
docs/modules/policy/architecture.md
View File

@@ -21,7 +21,7 @@ The service operates strictly downstream of the **Aggregation-Only Contract (AOC
- Emit CVSS v4.0 receipts with canonical hashing and policy replay/backfill rules; store tenant-scoped receipts with RBAC; export receipts deterministically (UTC/fonts/order) and flag v3.1→v4.0 conversions (see Sprint 0190 CVSS-GAPS-190-014 / `docs/modules/policy/cvss-v4.md`).
- Emit per-finding OpenVEX decisions anchored to reachability evidence, forward them to Signer/Attestor for DSSE/Rekor, and publish the resulting artifacts for bench/verification consumers.
- Consume reachability lattice decisions (`ReachDecision`, `docs/reachability/lattice.md`) to drive confidence-based VEX gates (not_affected / under_investigation / affected) and record the policy hash used for each decision.
- Honor **hybrid reachability attestations**: graph-level DSSE is required input; when edge-bundle DSSEs exist, prefer their per-edge provenance for quarantine, dispute, and high-risk decisions. Quarantined edges (revoked in bundles or listed in Unknowns registry) must be excluded before VEX emission.
- Honor **hybrid reachability attestations**: graph-level DSSE is required input; when edge-bundle DSSEs exist, prefer their per-edge provenance for quarantine, dispute, and high-risk decisions. Quarantined edges (revoked in bundles or listed in Unknowns registry) must be excluded before VEX emission. See [`docs/reachability/hybrid-attestation.md`](../../reachability/hybrid-attestation.md) for verification runbooks and offline replay steps.
- Enforce **shadow + coverage gates** for new/changed policies: shadow runs record findings without enforcement; promotion blocked until shadow and coverage fixtures pass (see lifecycle/runtime docs). CLI/Console enforce attachment of lint/simulate/coverage evidence.
- Operate incrementally: react to change streams (advisory/vex/SBOM deltas) with ≤5min SLA.
- Provide simulations with diff summaries for UI/CLI workflows without modifying state.

1
docs/modules/scanner/architecture.md
View File

@@ -339,6 +339,7 @@ The emitted `buildId` metadata is preserved in component hashes, diff payloads,
* WebService constructs **predicate** with `image_digest`, `stellaops_version`, `license_id`, `policy_digest?` (when emitting **final reports**), timestamps.
* Calls **Signer** (requires **OpTok + PoE**); Signer verifies **entitlement + scanner image integrity** and returns **DSSE bundle**.
* **Attestor** logs to **Rekor v2**; returns `{uuid,index,proof}` → stored in `artifacts.rekor`.
* **Hybrid reachability attestations**: graph-level DSSE (mandatory) plus optional edge-bundle DSSEs for runtime/init/contested edges. See [`docs/reachability/hybrid-attestation.md`](../../reachability/hybrid-attestation.md) for verification runbooks and Rekor guidance.
* Operator enablement runbooks (toggles, env-var map, rollout guidance) live in [`operations/dsse-rekor-operator-guide.md`](operations/dsse-rekor-operator-guide.md) per SCANNER-ENG-0015.
---

30
docs/modules/ui/README.md
View File

@@ -2,18 +2,18 @@
The Console presents operator dashboards for scans, policies, VEX evidence, runtime posture, and admin workflows.
## Latest updates (2025-11-30)
- Docs refreshed per `docs/implplan/SPRINT_0331_0001_0001_docs_modules_ui.md`; added observability runbook stub and TASKS mirror.
- Access-control guidance from 2025-11-03 remains valid; ensure Authority scopes are verified before enabling uploads.
## Responsibilities
## Latest updates (2025-11-30)
- Docs refreshed per `docs/implplan/SPRINT_0331_0001_0001_docs_modules_ui.md`; added observability runbook stub and TASKS mirror.
- Access-control guidance from 2025-11-03 remains valid; ensure Authority scopes are verified before enabling uploads.
## Responsibilities
- Render real-time status for ingestion, scanning, policy, and exports via SSE.
- Provide policy editor, SBOM explorer, and advisory views with accessibility compliance.
- Integrate with Authority for fresh-auth and scope enforcement.
- Support offline bundles with deterministic build outputs.
## Key components
- Angular 17 workspace under `src/UI/StellaOps.UI`.
- Angular 17 workspace under `src/Web/StellaOps.Web`.
- Signals-based state management with `@ngrx/signals` store.
- API client generator (`core/api`).
@@ -22,16 +22,16 @@ The Console presents operator dashboards for scans, policies, VEX evidence, runt
- Authority for DPoP-protected calls.
- Telemetry streams for observability dashboards.
## Operational notes
- Auth smoke tests in `operations/auth-smoke.md`.
- Observability runbook + dashboard stub in `operations/observability.md` and `operations/dashboards/console-ui-observability.json` (offline import).
- Console architecture doc for layout and SSE fan-out.
- Accessibility and security guides in ../../ui/ & ../../security/.
## Operational notes
- Auth smoke tests in `operations/auth-smoke.md`.
- Observability runbook + dashboard stub in `operations/observability.md` and `operations/dashboards/console-ui-observability.json` (offline import).
- Console architecture doc for layout and SSE fan-out.
- Accessibility and security guides in ../../ui/ & ../../security/.
## Related resources
- ./operations/auth-smoke.md
- ./operations/observability.md
- ./console-architecture.md
## Related resources
- ./operations/auth-smoke.md
- ./operations/observability.md
- ./console-architecture.md
## Backlog references
- DOCS-CONSOLE-23-001 … DOCS-CONSOLE-23-003 baseline (done).

338
docs/reachability/hybrid-attestation.md
View File

@@ -2,7 +2,6 @@
> Decision date: 2025-12-11 · Owners: Scanner Guild, Attestor Guild, Signals Guild, Policy Guild
<!-- TODO: Review for separate approval - updated hybrid attestation introduction -->
## 0. Context: Four Capabilities
This document supports **Signed Reachability**—one of four capabilities no competitor offers together:
@@ -68,7 +67,6 @@ All evidence is sealed in **Decision Capsules** for audit-grade reproducibility.
## 7. Hybrid Reachability Details
<!-- TODO: Review for separate approval - added hybrid reachability details -->
Stella Ops provides **true hybrid reachability** by combining:
| Signal Type | Source | Attestation |
@@ -169,8 +167,342 @@ stella graph verify --hash blake3:a1b2c3d4... --format json|table|summary
| Component | Status | Notes |
|-----------|--------|-------|
| Graph DSSE predicate | Done | `stella.ops/graph@v1` in PredicateTypes.cs |
| Edge-bundle DSSE predicate | Planned | `stella.ops/edgeBundle@v1` |
| Edge-bundle DSSE predicate | Done | `stella.ops/edgeBundle@v1` via EdgeBundlePublisher |
| Edge-bundle models | Done | EdgeBundle.cs, EdgeBundleReason, EdgeReason enums |
| Edge-bundle CAS publisher | Done | EdgeBundlePublisher.cs with deterministic DSSE |
| Edge-bundle ingestion | Done | EdgeBundleIngestionService in Signals |
| CAS layout | Done | Per section 8.2 |
| Runtime-facts CAS storage | Done | IRuntimeFactsArtifactStore, FileSystemRuntimeFactsArtifactStore |
| CLI verify command | Planned | Per section 8.3 |
| Golden fixtures | Planned | Per section 8.4 |
| Rekor integration | Done | Via Attestor module |
| Quarantine enforcement | Done | HasQuarantinedEdges in ReachabilityFactDocument |
---
## 9. Verification Runbook
This section provides step-by-step guidance for verifying hybrid attestations in different scenarios.
### 9.1 Graph-Only Verification
Use this workflow when only graph-level attestation is required (default for most use cases).
**Prerequisites:**
- Access to CAS storage (local or remote)
- `stella` CLI installed
- Optional: Rekor instance access for transparency verification
**Steps:**
1. **Retrieve graph DSSE envelope:**
```bash
stella graph fetch --hash blake3:<graph_hash> --output ./verification/
```
2. **Verify DSSE signature:**
```bash
stella graph verify --hash blake3:<graph_hash>
# Output: ✓ Graph signature valid (key: <key_id>)
```
3. **Verify content integrity:**
```bash
stella graph verify --hash blake3:<graph_hash> --check-content
# Output: ✓ Content hash matches BLAKE3:<graph_hash>
```
4. **Verify Rekor inclusion (online):**
```bash
stella graph verify --hash blake3:<graph_hash> --rekor-proof
# Output: ✓ Rekor inclusion verified (log index: <index>)
```
5. **Verify policy hash binding:**
```bash
stella graph verify --hash blake3:<graph_hash> --policy-hash sha256:<policy_hash>
# Output: ✓ Policy hash matches graph metadata
```
### 9.2 Graph + Edge-Bundle Verification
Use this workflow when finer-grained verification of specific edges is required.
**When to use:**
- Auditing runtime-observed paths
- Investigating contested/disputed edges
- Verifying init-section or TLS callback roots
- Regulatory compliance requiring edge-level attestation
**Steps:**
1. **List available edge bundles:**
```bash
stella graph bundles --hash blake3:<graph_hash>
# Output:
# Bundle ID Reason Edges Rekor
# bundle:001 runtime-hit 42 ✓
# bundle:002 init-root 15 ✓
# bundle:003 third-party 128 -
```
2. **Verify specific bundle:**
```bash
stella graph verify --hash blake3:<graph_hash> --bundle bundle:001
# Output:
# ✓ Bundle DSSE signature valid
# ✓ All 42 edges link to graph_hash
# ✓ Rekor inclusion verified
```
3. **Verify all bundles:**
```bash
stella graph verify --hash blake3:<graph_hash> --include-bundles
# Output:
# ✓ Graph signature valid
# ✓ 3 bundles verified (185 edges total)
```
4. **Check for revoked edges:**
```bash
stella graph verify --hash blake3:<graph_hash> --check-revoked
# Output:
# ⚠ 2 edges marked revoked in bundle:002
# - edge:func_a→func_b (reason: policy-quarantine)
# - edge:func_c→func_d (reason: revoked)
```
### 9.3 Verification Decision Matrix
| Scenario | Graph DSSE | Edge Bundles | Rekor | Policy Hash |
|----------|------------|--------------|-------|-------------|
| Standard CI/CD | Required | Optional | Recommended | Required |
| Regulated audit | Required | Required | Required | Required |
| Dispute resolution | Required | Required (contested) | Required | Optional |
| Offline replay | Required | As available | Cached proof | Required |
| Dev/test | Optional | Optional | Disabled | Optional |
---
## 10. Rekor Guidance
### 10.1 Rekor Integration Overview
Rekor provides an immutable transparency log for attestation artifacts. StellaOps integrates with Rekor (or compatible mirrors) to provide verifiable timestamps and inclusion proofs.
### 10.2 What Gets Published to Rekor
| Artifact Type | Rekor Publish | Condition |
|---------------|---------------|-----------|
| Graph DSSE digest | Always | All deployment tiers (except dev/test) |
| Edge-bundle DSSE digest | Conditional | Only for `disputed`, `runtime-hit`, `security-critical` reasons |
| VEX decision DSSE digest | Always | When VEX decisions are generated |
### 10.3 Rekor Configuration
```yaml
# etc/signals.yaml
reachability:
rekor:
enabled: true
endpoint: "https://rekor.sigstore.dev" # Or private mirror
timeout: 30s
retry:
attempts: 3
backoff: exponential
edgeBundles:
maxRekorPublishes: 5 # Per graph, configurable by tier
publishReasons:
- disputed
- runtime-hit
- security-critical
```
### 10.4 Private Rekor Mirror
For air-gapped or regulated environments:
```yaml
reachability:
rekor:
enabled: true
endpoint: "https://rekor.internal.example.com"
tls:
ca: /etc/stellaops/ca.crt
clientCert: /etc/stellaops/client.crt
clientKey: /etc/stellaops/client.key
```
### 10.5 Rekor Proof Caching
Inclusion proofs are cached locally for offline verification:
```
cas://reachability/graphs/{blake3}.rekor # Graph inclusion proof
cas://reachability/edges/{graph_hash}/{bundle_id}.rekor # Bundle proof
```
**Proof format:**
```json
{
"logIndex": 12345678,
"logId": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d",
"integratedTime": 1702492800,
"inclusionProof": {
"logIndex": 12345678,
"rootHash": "abc123...",
"treeSize": 50000000,
"hashes": ["def456...", "ghi789..."]
}
}
```
---
## 11. Offline Replay Steps
### 11.1 Overview
Offline replay enables full verification of reachability attestations without network access. This is essential for air-gapped deployments and regulatory compliance scenarios.
### 11.2 Creating an Offline Replay Pack
**Step 1: Export graph and bundles**
```bash
stella graph export --hash blake3:<graph_hash> \
--include-bundles \
--include-rekor-proofs \
--output ./offline-pack/
```
**Step 2: Include required artifacts**
The export creates:
```
offline-pack/
├── manifest.json # Replay manifest v2
├── graphs/
│ └── <blake3>/
│ ├── richgraph-v1.json # Graph body
│ ├── graph.dsse # DSSE envelope
│ └── graph.rekor # Inclusion proof
├── edges/
│ └── <graph_hash>/
│ ├── bundle-001.json
│ ├── bundle-001.dsse
│ └── bundle-001.rekor
├── runtime-facts/
│ └── <hash>/
│ └── runtime-facts.ndjson
└── checkpoints/
└── rekor-checkpoint.json # Transparency log checkpoint
```
**Step 3: Bundle for transfer**
```bash
stella offline pack --input ./offline-pack/ --output offline-replay.tgz
```
### 11.3 Verifying an Offline Pack
**Step 1: Extract pack**
```bash
stella offline unpack --input offline-replay.tgz --output ./verify/
```
**Step 2: Verify manifest integrity**
```bash
stella offline verify --manifest ./verify/manifest.json
# Output:
# ✓ Manifest version: 2
# ✓ Hash algorithm: blake3
# ✓ All CAS entries present
# ✓ All hashes verified
```
**Step 3: Verify attestations offline**
```bash
stella graph verify --hash blake3:<graph_hash> \
--cas-root ./verify/ \
--offline
# Output:
# ✓ Graph DSSE signature valid (offline mode)
# ✓ Rekor proof verified against checkpoint
# ✓ 3 bundles verified offline
```
### 11.4 Offline Verification Trust Model
```
┌─────────────────────────────────────────────────────────┐
│ Offline Pack │
├─────────────────────────────────────────────────────────┤
│ ┌──────────────┐ ┌──────────────┐ ┌─────────────┐ │
│ │ Graph DSSE │ │ Edge Bundle │ │ Rekor │ │
│ │ Envelope │ │ DSSE │ │ Checkpoint │ │
│ └──────┬───────┘ └──────┬───────┘ └──────┬──────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ Local Verification Engine │ │
│ │ 1. Verify DSSE signatures against trusted keys │ │
│ │ 2. Verify content hashes match DSSE payloads │ │
│ │ 3. Verify Rekor proofs against checkpoint │ │
│ │ 4. Verify policy hash binding │ │
│ └──────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────┘
```
### 11.5 Air-Gapped Deployment Checklist
- [ ] Trusted signing keys pre-installed
- [ ] Rekor checkpoint from last sync included
- [ ] All referenced CAS artifacts bundled
- [ ] Policy hash recorded in manifest
- [ ] Analyzer manifests included for replay
- [ ] Runtime-facts artifacts included (if applicable)
---
## 12. Release Notes
### 12.1 Version History
| Version | Date | Changes |
|---------|------|---------|
| 1.0 | 2025-12-11 | Initial hybrid attestation design |
| 1.1 | 2025-12-13 | Added edge-bundle ingestion, CAS storage, verification runbook |
### 12.2 Breaking Changes
None. Hybrid attestation is additive; existing graph-only workflows remain unchanged.
### 12.3 Migration Guide
**From graph-only to hybrid:**
1. No migration required for existing graphs
2. Enable edge-bundle emission in scanner config:
```yaml
scanner:
reachability:
edgeBundles:
enabled: true
emitRuntime: true
emitContested: true
```
3. Signals automatically ingests edge bundles when present
---
## 13. Cross-References
- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (Tasks 53-56)
- **Contracts:** docs/contracts/richgraph-v1.md, docs/contracts/edge-bundle-v1.md
- **Implementation:**
- Scanner: `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/EdgeBundle*.cs`
- Signals: `src/Signals/StellaOps.Signals/Ingestion/EdgeBundleIngestionService.cs`
- Policy: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
- **Related docs:**
- docs/reachability/function-level-evidence.md
- docs/reachability/lattice.md
- docs/replay/DETERMINISTIC_REPLAY.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md

210
etc/notify-templates/vex-decision.yaml.sample Normal file
View File

@@ -0,0 +1,210 @@
# GAP-VEX-006: Sample VEX decision notification templates
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Usage:
# 1. Copy to etc/notify-templates/vex-decision.yaml
# 2. Customize templates per channel type
# 3. Import via: stella notify template import vex-decision.yaml
templates:
# Email template for VEX decision notifications
- key: vex.decision.changed
channel_type: email
locale: en-US
render_mode: markdown
description: "Notification when VEX decision status changes"
body: |
## VEX Decision Changed: {{ vulnerability_id }}
**Product:** {{ product.name }} ({{ product.version }})
**PURL:** `{{ product.purl }}`
**Status Changed:** {{ previous_status }} → **{{ new_status }}**
### Reachability Evidence
{% if reachability_evidence %}
- **State:** {{ reachability_evidence.state }}
- **Confidence:** {{ reachability_evidence.confidence | percent }}
- **Graph Hash:** `{{ reachability_evidence.graph_hash }}`
{% if reachability_evidence.call_paths | length > 0 %}
#### Call Paths ({{ reachability_evidence.call_paths | length }})
{% for path in reachability_evidence.call_paths | slice(0, 3) %}
- **{{ path.entry_point }}** → ... → **{{ path.vulnerable_function }}** (depth {{ path.depth }})
{% endfor %}
{% if reachability_evidence.call_paths | length > 3 %}
_(and {{ reachability_evidence.call_paths | length - 3 }} more paths)_
{% endif %}
{% endif %}
{% if reachability_evidence.runtime_hits | length > 0 %}
#### Runtime Hits ({{ reachability_evidence.runtime_hits | length }})
| Function | Hits | Last Observed |
|----------|------|---------------|
{% for hit in reachability_evidence.runtime_hits | slice(0, 5) %}
| {{ hit.function_name }} | {{ hit.hit_count }} | {{ hit.last_observed | date }} |
{% endfor %}
{% endif %}
{% else %}
_(No reachability evidence available)_
{% endif %}
### Signature
{% if signature.signed %}
- **Signed:** Yes
- **Algorithm:** {{ signature.algorithm }}
- **Key ID:** `{{ signature.key_id }}`
- **DSSE Envelope:** `{{ signature.dsse_envelope_id }}`
{% if signature.rekor_entry_id %}
- **Rekor Entry:** [{{ signature.rekor_entry_id }}]({{ signature.rekor_url }})
{% endif %}
{% else %}
- **Signed:** No (unsigned decision)
{% endif %}
---
[View in StellaOps]({{ dashboard_url }}/vuln/{{ vulnerability_id }})
# Slack template for VEX decision notifications
- key: vex.decision.changed
channel_type: slack
locale: en-US
render_mode: slack_blocks
description: "Slack notification for VEX decision changes"
body: |
{
"blocks": [
{
"type": "header",
"text": {
"type": "plain_text",
"text": "VEX Decision Changed: {{ vulnerability_id }}"
}
},
{
"type": "section",
"fields": [
{
"type": "mrkdwn",
"text": "*Product:*\n{{ product.name }}"
},
{
"type": "mrkdwn",
"text": "*Status:*\n{{ previous_status }} → *{{ new_status }}*"
}
]
},
{% if reachability_evidence %}
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Reachability:* {{ reachability_evidence.state }} ({{ reachability_evidence.confidence | percent }} confidence)\n*Graph Hash:* `{{ reachability_evidence.graph_hash | truncate(16) }}...`"
}
},
{% if reachability_evidence.call_paths | length > 0 %}
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Call Paths:* {{ reachability_evidence.call_paths | length }} found\n{% for path in reachability_evidence.call_paths | slice(0, 2) %}• {{ path.entry_point }} → {{ path.vulnerable_function }}\n{% endfor %}"
}
},
{% endif %}
{% endif %}
{
"type": "actions",
"elements": [
{
"type": "button",
"text": {
"type": "plain_text",
"text": "View Details"
},
"url": "{{ dashboard_url }}/vuln/{{ vulnerability_id }}"
}
]
}
]
}
# Teams template for VEX decision notifications
- key: vex.decision.changed
channel_type: teams
locale: en-US
render_mode: adaptive_card
description: "Teams notification for VEX decision changes"
body: |
{
"$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
"type": "AdaptiveCard",
"version": "1.4",
"body": [
{
"type": "TextBlock",
"text": "VEX Decision Changed: {{ vulnerability_id }}",
"weight": "Bolder",
"size": "Large"
},
{
"type": "FactSet",
"facts": [
{ "title": "Product", "value": "{{ product.name }} {{ product.version }}" },
{ "title": "PURL", "value": "{{ product.purl }}" },
{ "title": "Status", "value": "{{ previous_status }} → {{ new_status }}" }
{% if reachability_evidence %}
,{ "title": "Reachability", "value": "{{ reachability_evidence.state }} ({{ reachability_evidence.confidence | percent }})" }
,{ "title": "Call Paths", "value": "{{ reachability_evidence.call_paths | length }}" }
,{ "title": "Runtime Hits", "value": "{{ reachability_evidence.runtime_hits | length }}" }
{% endif %}
]
}
],
"actions": [
{
"type": "Action.OpenUrl",
"title": "View in StellaOps",
"url": "{{ dashboard_url }}/vuln/{{ vulnerability_id }}"
}
]
}
# Webhook template for VEX decision notifications (JSON payload)
- key: vex.decision.changed
channel_type: webhook
locale: en-US
render_mode: json
description: "Webhook payload for VEX decision changes"
body: |
{
"event_type": "vex.decision.changed",
"timestamp": "{{ timestamp | iso8601 }}",
"vulnerability_id": "{{ vulnerability_id }}",
"product": {
"key": "{{ product.key }}",
"name": "{{ product.name }}",
"version": "{{ product.version }}",
"purl": "{{ product.purl }}"
},
"previous_status": "{{ previous_status }}",
"new_status": "{{ new_status }}",
"reachability_evidence": {% if reachability_evidence %}{
"state": "{{ reachability_evidence.state }}",
"confidence": {{ reachability_evidence.confidence }},
"graph_hash": "{{ reachability_evidence.graph_hash }}",
"graph_cas_uri": "{{ reachability_evidence.graph_cas_uri }}",
"call_path_count": {{ reachability_evidence.call_paths | length }},
"runtime_hit_count": {{ reachability_evidence.runtime_hits | length }},
"dsse_envelope_id": "{{ reachability_evidence.dsse_envelope_id }}",
"rekor_entry_id": "{{ reachability_evidence.rekor_entry_id }}"
}{% else %}null{% endif %},
"signature": {
"signed": {{ signature.signed | json }},
"algorithm": "{{ signature.algorithm }}",
"key_id": "{{ signature.key_id }}",
"dsse_envelope_id": "{{ signature.dsse_envelope_id }}",
"rekor_entry_id": "{{ signature.rekor_entry_id }}"
},
"tenant_id": "{{ tenant_id }}",
"dashboard_url": "{{ dashboard_url }}/vuln/{{ vulnerability_id }}"
}

353
scripts/bench/compute-metrics.py Normal file
View File

@@ -0,0 +1,353 @@
#!/usr/bin/env python3
# SPDX-License-Identifier: AGPL-3.0-or-later
# BENCH-AUTO-401-019: Compute FP/MTTD/repro metrics from bench findings
"""
Computes benchmark metrics from bench/findings/** and outputs to results/summary.csv.
Metrics:
- True Positives (TP): Reachable vulns correctly identified
- False Positives (FP): Unreachable vulns incorrectly marked affected
- True Negatives (TN): Unreachable vulns correctly marked not_affected
- False Negatives (FN): Reachable vulns missed
- MTTD: Mean Time To Detect (simulated)
- Reproducibility: Determinism score
Usage:
python scripts/bench/compute-metrics.py [--findings PATH] [--output PATH] [--baseline PATH]
"""
import argparse
import csv
import json
import os
import sys
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path
from typing import Any
@dataclass
class FindingMetrics:
"""Metrics for a single finding."""
finding_id: str
cve_id: str
variant: str # reachable or unreachable
vex_status: str # affected or not_affected
is_correct: bool
detection_time_ms: float = 0.0
evidence_hash: str = ""
@dataclass
class AggregateMetrics:
"""Aggregated benchmark metrics."""
total_findings: int = 0
true_positives: int = 0 # reachable + affected
false_positives: int = 0 # unreachable + affected
true_negatives: int = 0 # unreachable + not_affected
false_negatives: int = 0 # reachable + not_affected
mttd_ms: float = 0.0
reproducibility: float = 1.0
findings: list = field(default_factory=list)
@property
def precision(self) -> float:
"""TP / (TP + FP)"""
denom = self.true_positives + self.false_positives
return self.true_positives / denom if denom > 0 else 0.0
@property
def recall(self) -> float:
"""TP / (TP + FN)"""
denom = self.true_positives + self.false_negatives
return self.true_positives / denom if denom > 0 else 0.0
@property
def f1_score(self) -> float:
"""2 * (precision * recall) / (precision + recall)"""
p, r = self.precision, self.recall
return 2 * p * r / (p + r) if (p + r) > 0 else 0.0
@property
def accuracy(self) -> float:
"""(TP + TN) / total"""
correct = self.true_positives + self.true_negatives
return correct / self.total_findings if self.total_findings > 0 else 0.0
def load_finding(finding_dir: Path) -> FindingMetrics | None:
"""Load a finding from its directory."""
metadata_path = finding_dir / "metadata.json"
openvex_path = finding_dir / "decision.openvex.json"
if not metadata_path.exists() or not openvex_path.exists():
return None
with open(metadata_path, 'r', encoding='utf-8') as f:
metadata = json.load(f)
with open(openvex_path, 'r', encoding='utf-8') as f:
openvex = json.load(f)
# Extract VEX status
statements = openvex.get("statements", [])
vex_status = statements[0].get("status", "unknown") if statements else "unknown"
# Determine correctness
variant = metadata.get("variant", "unknown")
is_correct = (
(variant == "reachable" and vex_status == "affected") or
(variant == "unreachable" and vex_status == "not_affected")
)
# Extract evidence hash from impact_statement
evidence_hash = ""
if statements:
impact = statements[0].get("impact_statement", "")
if "Evidence hash:" in impact:
evidence_hash = impact.split("Evidence hash:")[1].strip()
return FindingMetrics(
finding_id=finding_dir.name,
cve_id=metadata.get("cve_id", "UNKNOWN"),
variant=variant,
vex_status=vex_status,
is_correct=is_correct,
evidence_hash=evidence_hash
)
def compute_metrics(findings_dir: Path) -> AggregateMetrics:
"""Compute aggregate metrics from all findings."""
metrics = AggregateMetrics()
if not findings_dir.exists():
return metrics
for finding_path in sorted(findings_dir.iterdir()):
if not finding_path.is_dir():
continue
finding = load_finding(finding_path)
if finding is None:
continue
metrics.total_findings += 1
metrics.findings.append(finding)
# Classify finding
if finding.variant == "reachable":
if finding.vex_status == "affected":
metrics.true_positives += 1
else:
metrics.false_negatives += 1
else: # unreachable
if finding.vex_status == "not_affected":
metrics.true_negatives += 1
else:
metrics.false_positives += 1
# Compute MTTD (simulated - based on evidence availability)
# In real scenarios, this would be the time from CVE publication to detection
metrics.mttd_ms = sum(f.detection_time_ms for f in metrics.findings)
if metrics.total_findings > 0:
metrics.mttd_ms /= metrics.total_findings
return metrics
def load_baseline(baseline_path: Path) -> dict:
"""Load baseline scanner results for comparison."""
if not baseline_path.exists():
return {}
with open(baseline_path, 'r', encoding='utf-8') as f:
return json.load(f)
def compare_with_baseline(metrics: AggregateMetrics, baseline: dict) -> dict:
"""Compare StellaOps metrics with baseline scanner."""
comparison = {
"stellaops": {
"precision": metrics.precision,
"recall": metrics.recall,
"f1_score": metrics.f1_score,
"accuracy": metrics.accuracy,
"false_positive_rate": metrics.false_positives / metrics.total_findings if metrics.total_findings > 0 else 0
}
}
if baseline:
# Extract baseline metrics
baseline_metrics = baseline.get("metrics", {})
comparison["baseline"] = {
"precision": baseline_metrics.get("precision", 0),
"recall": baseline_metrics.get("recall", 0),
"f1_score": baseline_metrics.get("f1_score", 0),
"accuracy": baseline_metrics.get("accuracy", 0),
"false_positive_rate": baseline_metrics.get("false_positive_rate", 0)
}
# Compute deltas
comparison["delta"] = {
k: comparison["stellaops"][k] - comparison["baseline"].get(k, 0)
for k in comparison["stellaops"]
}
return comparison
def write_summary_csv(metrics: AggregateMetrics, comparison: dict, output_path: Path):
"""Write summary.csv with all metrics."""
output_path.parent.mkdir(parents=True, exist_ok=True)
with open(output_path, 'w', newline='', encoding='utf-8') as f:
writer = csv.writer(f)
# Header
writer.writerow([
"timestamp",
"total_findings",
"true_positives",
"false_positives",
"true_negatives",
"false_negatives",
"precision",
"recall",
"f1_score",
"accuracy",
"mttd_ms",
"reproducibility"
])
# Data row
writer.writerow([
datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
metrics.total_findings,
metrics.true_positives,
metrics.false_positives,
metrics.true_negatives,
metrics.false_negatives,
f"{metrics.precision:.4f}",
f"{metrics.recall:.4f}",
f"{metrics.f1_score:.4f}",
f"{metrics.accuracy:.4f}",
f"{metrics.mttd_ms:.2f}",
f"{metrics.reproducibility:.4f}"
])
def write_detailed_json(metrics: AggregateMetrics, comparison: dict, output_path: Path):
"""Write detailed JSON report."""
output_path.parent.mkdir(parents=True, exist_ok=True)
report = {
"generated_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
"summary": {
"total_findings": metrics.total_findings,
"true_positives": metrics.true_positives,
"false_positives": metrics.false_positives,
"true_negatives": metrics.true_negatives,
"false_negatives": metrics.false_negatives,
"precision": metrics.precision,
"recall": metrics.recall,
"f1_score": metrics.f1_score,
"accuracy": metrics.accuracy,
"mttd_ms": metrics.mttd_ms,
"reproducibility": metrics.reproducibility
},
"comparison": comparison,
"findings": [
{
"finding_id": f.finding_id,
"cve_id": f.cve_id,
"variant": f.variant,
"vex_status": f.vex_status,
"is_correct": f.is_correct,
"evidence_hash": f.evidence_hash
}
for f in metrics.findings
]
}
with open(output_path, 'w', encoding='utf-8') as f:
json.dump(report, f, indent=2, sort_keys=True)
def main():
parser = argparse.ArgumentParser(
description="Compute FP/MTTD/repro metrics from bench findings"
)
parser.add_argument(
"--findings",
type=Path,
default=Path("bench/findings"),
help="Path to findings directory"
)
parser.add_argument(
"--output",
type=Path,
default=Path("bench/results"),
help="Output directory for metrics"
)
parser.add_argument(
"--baseline",
type=Path,
default=None,
help="Path to baseline scanner results JSON"
)
parser.add_argument(
"--json",
action="store_true",
help="Also output detailed JSON report"
)
args = parser.parse_args()
# Resolve paths relative to repo root
repo_root = Path(__file__).parent.parent.parent
findings_path = repo_root / args.findings if not args.findings.is_absolute() else args.findings
output_path = repo_root / args.output if not args.output.is_absolute() else args.output
print(f"Findings path: {findings_path}")
print(f"Output path: {output_path}")
# Compute metrics
metrics = compute_metrics(findings_path)
print(f"\nMetrics Summary:")
print(f" Total findings: {metrics.total_findings}")
print(f" True Positives: {metrics.true_positives}")
print(f" False Positives: {metrics.false_positives}")
print(f" True Negatives: {metrics.true_negatives}")
print(f" False Negatives: {metrics.false_negatives}")
print(f" Precision: {metrics.precision:.4f}")
print(f" Recall: {metrics.recall:.4f}")
print(f" F1 Score: {metrics.f1_score:.4f}")
print(f" Accuracy: {metrics.accuracy:.4f}")
# Load baseline if provided
baseline = {}
if args.baseline:
baseline_path = repo_root / args.baseline if not args.baseline.is_absolute() else args.baseline
baseline = load_baseline(baseline_path)
if baseline:
print(f"\nBaseline comparison loaded from: {baseline_path}")
comparison = compare_with_baseline(metrics, baseline)
# Write outputs
write_summary_csv(metrics, comparison, output_path / "summary.csv")
print(f"\nWrote summary to: {output_path / 'summary.csv'}")
if args.json:
write_detailed_json(metrics, comparison, output_path / "metrics.json")
print(f"Wrote detailed report to: {output_path / 'metrics.json'}")
return 0
if __name__ == "__main__":
sys.exit(main())

417
scripts/bench/populate-findings.py Normal file
View File

@@ -0,0 +1,417 @@
#!/usr/bin/env python3
# SPDX-License-Identifier: AGPL-3.0-or-later
# BENCH-AUTO-401-019: Automate population of bench/findings/** from reachbench fixtures
"""
Populates bench/findings/** with per-CVE VEX decision bundles derived from
reachbench fixtures, including reachability evidence, SBOM excerpts, and
DSSE envelope stubs.
Usage:
python scripts/bench/populate-findings.py [--fixtures PATH] [--output PATH] [--dry-run]
"""
import argparse
import hashlib
import json
import os
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import Any
def blake3_hex(data: bytes) -> str:
"""Compute BLAKE3-256 hash (fallback to SHA-256 if blake3 not installed)."""
try:
import blake3
return blake3.blake3(data).hexdigest()
except ImportError:
return "sha256:" + hashlib.sha256(data).hexdigest()
def sha256_hex(data: bytes) -> str:
"""Compute SHA-256 hash."""
return hashlib.sha256(data).hexdigest()
def canonical_json(obj: Any) -> str:
"""Serialize object to canonical JSON (sorted keys, no extra whitespace for hashes)."""
return json.dumps(obj, sort_keys=True, separators=(',', ':'))
def canonical_json_pretty(obj: Any) -> str:
"""Serialize object to canonical JSON with indentation for readability."""
return json.dumps(obj, sort_keys=True, indent=2)
def load_reachbench_index(fixtures_path: Path) -> dict:
"""Load the reachbench INDEX.json."""
index_path = fixtures_path / "INDEX.json"
if not index_path.exists():
raise FileNotFoundError(f"Reachbench INDEX not found: {index_path}")
with open(index_path, 'r', encoding='utf-8') as f:
return json.load(f)
def load_ground_truth(case_path: Path, variant: str) -> dict | None:
"""Load ground-truth.json for a variant."""
truth_path = case_path / "images" / variant / "reachgraph.truth.json"
if not truth_path.exists():
return None
with open(truth_path, 'r', encoding='utf-8') as f:
return json.load(f)
def create_openvex_decision(
cve_id: str,
purl: str,
status: str, # "not_affected" or "affected"
justification: str | None,
evidence_hash: str,
timestamp: str
) -> dict:
"""Create an OpenVEX decision document."""
statement = {
"@context": "https://openvex.dev/ns/v0.2.0",
"@type": "VEX",
"author": "StellaOps Bench Automation",
"role": "security_team",
"timestamp": timestamp,
"version": 1,
"tooling": "StellaOps/bench-auto@1.0.0",
"statements": [
{
"vulnerability": {
"@id": f"https://nvd.nist.gov/vuln/detail/{cve_id}",
"name": cve_id,
},
"products": [
{"@id": purl}
],
"status": status,
}
]
}
if justification and status == "not_affected":
statement["statements"][0]["justification"] = justification
# Add action_statement for affected
if status == "affected":
statement["statements"][0]["action_statement"] = "Upgrade to patched version or apply mitigation."
# Add evidence reference
statement["statements"][0]["impact_statement"] = f"Evidence hash: {evidence_hash}"
return statement
def create_dsse_envelope_stub(payload: dict, payload_type: str = "application/vnd.openvex+json") -> dict:
"""Create a DSSE envelope stub (signature placeholder for actual signing)."""
payload_json = canonical_json(payload)
payload_b64 = __import__('base64').b64encode(payload_json.encode()).decode()
return {
"payloadType": payload_type,
"payload": payload_b64,
"signatures": [
{
"keyid": "stella.ops/bench-automation@v1",
"sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
}
]
}
def create_metadata(
cve_id: str,
purl: str,
variant: str,
case_id: str,
ground_truth: dict | None,
timestamp: str
) -> dict:
"""Create metadata.json for a finding."""
return {
"cve_id": cve_id,
"purl": purl,
"case_id": case_id,
"variant": variant,
"reachability_status": "reachable" if variant == "reachable" else "unreachable",
"ground_truth_schema": ground_truth.get("schema_version") if ground_truth else None,
"generated_at": timestamp,
"generator": "scripts/bench/populate-findings.py",
"generator_version": "1.0.0"
}
def extract_cve_id(case_id: str) -> str:
"""Extract CVE ID from case_id, or generate a placeholder."""
# Common patterns: log4j -> CVE-2021-44228, curl -> CVE-2023-38545, etc.
cve_mapping = {
"log4j": "CVE-2021-44228",
"curl": "CVE-2023-38545",
"kestrel": "CVE-2023-44487",
"spring": "CVE-2022-22965",
"openssl": "CVE-2022-3602",
"glibc": "CVE-2015-7547",
}
for key, cve in cve_mapping.items():
if key in case_id.lower():
return cve
# Generate placeholder CVE for unknown cases
return f"CVE-BENCH-{case_id.upper()[:8]}"
def extract_purl(case_id: str, case_data: dict) -> str:
"""Extract or generate a purl from case data."""
# Use case metadata if available
if "purl" in case_data:
return case_data["purl"]
# Generate based on case_id patterns
lang = case_data.get("language", "unknown")
version = case_data.get("version", "1.0.0")
pkg_type_map = {
"java": "maven",
"dotnet": "nuget",
"go": "golang",
"python": "pypi",
"rust": "cargo",
"native": "generic",
}
pkg_type = pkg_type_map.get(lang, "generic")
return f"pkg:{pkg_type}/{case_id}@{version}"
def populate_finding(
case_id: str,
case_data: dict,
case_path: Path,
output_dir: Path,
timestamp: str,
dry_run: bool
) -> dict:
"""Populate a single CVE finding bundle."""
cve_id = extract_cve_id(case_id)
purl = extract_purl(case_id, case_data)
results = {
"case_id": case_id,
"cve_id": cve_id,
"variants_processed": [],
"errors": []
}
for variant in ["reachable", "unreachable"]:
variant_path = case_path / "images" / variant
if not variant_path.exists():
continue
ground_truth = load_ground_truth(case_path, variant)
# Determine VEX status based on variant
if variant == "reachable":
vex_status = "affected"
justification = None
else:
vex_status = "not_affected"
justification = "vulnerable_code_not_present"
# Create finding directory
finding_id = f"{cve_id}-{variant}"
finding_dir = output_dir / finding_id
evidence_dir = finding_dir / "evidence"
if not dry_run:
finding_dir.mkdir(parents=True, exist_ok=True)
evidence_dir.mkdir(parents=True, exist_ok=True)
# Create reachability evidence excerpt
evidence = {
"schema_version": "richgraph-excerpt/v1",
"case_id": case_id,
"variant": variant,
"ground_truth": ground_truth,
"paths": ground_truth.get("paths", []) if ground_truth else [],
"generated_at": timestamp
}
evidence_json = canonical_json_pretty(evidence)
evidence_hash = blake3_hex(evidence_json.encode())
if not dry_run:
with open(evidence_dir / "reachability.json", 'w', encoding='utf-8') as f:
f.write(evidence_json)
# Create SBOM excerpt
sbom = {
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"version": 1,
"metadata": {
"timestamp": timestamp,
"tools": [{"vendor": "StellaOps", "name": "bench-auto", "version": "1.0.0"}]
},
"components": [
{
"type": "library",
"purl": purl,
"name": case_id,
"version": case_data.get("version", "1.0.0")
}
]
}
if not dry_run:
with open(evidence_dir / "sbom.cdx.json", 'w', encoding='utf-8') as f:
json.dump(sbom, f, indent=2, sort_keys=True)
# Create OpenVEX decision
openvex = create_openvex_decision(
cve_id=cve_id,
purl=purl,
status=vex_status,
justification=justification,
evidence_hash=evidence_hash,
timestamp=timestamp
)
if not dry_run:
with open(finding_dir / "decision.openvex.json", 'w', encoding='utf-8') as f:
json.dump(openvex, f, indent=2, sort_keys=True)
# Create DSSE envelope stub
dsse = create_dsse_envelope_stub(openvex)
if not dry_run:
with open(finding_dir / "decision.dsse.json", 'w', encoding='utf-8') as f:
json.dump(dsse, f, indent=2, sort_keys=True)
# Create Rekor placeholder
if not dry_run:
with open(finding_dir / "rekor.txt", 'w', encoding='utf-8') as f:
f.write(f"# Rekor log entry placeholder\n")
f.write(f"# Submit DSSE envelope to Rekor to populate this file\n")
f.write(f"log_index: PENDING\n")
f.write(f"uuid: PENDING\n")
f.write(f"timestamp: {timestamp}\n")
# Create metadata
metadata = create_metadata(
cve_id=cve_id,
purl=purl,
variant=variant,
case_id=case_id,
ground_truth=ground_truth,
timestamp=timestamp
)
if not dry_run:
with open(finding_dir / "metadata.json", 'w', encoding='utf-8') as f:
json.dump(metadata, f, indent=2, sort_keys=True)
results["variants_processed"].append({
"variant": variant,
"finding_id": finding_id,
"vex_status": vex_status,
"evidence_hash": evidence_hash
})
return results
def main():
parser = argparse.ArgumentParser(
description="Populate bench/findings/** from reachbench fixtures"
)
parser.add_argument(
"--fixtures",
type=Path,
default=Path("tests/reachability/fixtures/reachbench-2025-expanded"),
help="Path to reachbench fixtures directory"
)
parser.add_argument(
"--output",
type=Path,
default=Path("bench/findings"),
help="Output directory for findings"
)
parser.add_argument(
"--dry-run",
action="store_true",
help="Print what would be created without writing files"
)
parser.add_argument(
"--limit",
type=int,
default=0,
help="Limit number of cases to process (0 = all)"
)
args = parser.parse_args()
# Resolve paths relative to repo root
repo_root = Path(__file__).parent.parent.parent
fixtures_path = repo_root / args.fixtures if not args.fixtures.is_absolute() else args.fixtures
output_path = repo_root / args.output if not args.output.is_absolute() else args.output
print(f"Fixtures path: {fixtures_path}")
print(f"Output path: {output_path}")
print(f"Dry run: {args.dry_run}")
# Load reachbench index
try:
index = load_reachbench_index(fixtures_path)
except FileNotFoundError as e:
print(f"Error: {e}", file=sys.stderr)
return 1
timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
cases = index.get("cases", [])
if args.limit > 0:
cases = cases[:args.limit]
print(f"Processing {len(cases)} cases...")
all_results = []
for case in cases:
case_id = case["id"]
case_path_rel = case.get("path", f"cases/{case_id}")
case_path = fixtures_path / case_path_rel
if not case_path.exists():
print(f" Warning: Case path not found: {case_path}")
continue
print(f" Processing: {case_id}")
result = populate_finding(
case_id=case_id,
case_data=case,
case_path=case_path,
output_dir=output_path,
timestamp=timestamp,
dry_run=args.dry_run
)
all_results.append(result)
for v in result["variants_processed"]:
print(f" - {v['finding_id']}: {v['vex_status']}")
# Summary
total_findings = sum(len(r["variants_processed"]) for r in all_results)
print(f"\nGenerated {total_findings} findings from {len(all_results)} cases")
if args.dry_run:
print("(dry-run mode - no files written)")
return 0
if __name__ == "__main__":
sys.exit(main())

107
scripts/bench/run-baseline.sh Normal file
View File

@@ -0,0 +1,107 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: AGPL-3.0-or-later
# BENCH-AUTO-401-019: Run baseline benchmark automation
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
log_info() { echo -e "${GREEN}[INFO]${NC} $*"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
log_error() { echo -e "${RED}[ERROR]${NC} $*"; }
usage() {
echo "Usage: $0 [--populate] [--compute] [--compare BASELINE] [--all]"
echo ""
echo "Run benchmark automation pipeline."
echo ""
echo "Options:"
echo " --populate Populate bench/findings from reachbench fixtures"
echo " --compute Compute metrics from findings"
echo " --compare BASELINE Compare with baseline scanner results"
echo " --all Run all steps (populate + compute)"
echo " --dry-run Don't write files (populate only)"
echo " --limit N Limit cases processed (populate only)"
echo " --help, -h Show this help"
exit 1
}
DO_POPULATE=false
DO_COMPUTE=false
BASELINE_PATH=""
DRY_RUN=""
LIMIT=""
while [[ $# -gt 0 ]]; do
case $1 in
--populate)
DO_POPULATE=true
shift
;;
--compute)
DO_COMPUTE=true
shift
;;
--compare)
BASELINE_PATH="$2"
shift 2
;;
--all)
DO_POPULATE=true
DO_COMPUTE=true
shift
;;
--dry-run)
DRY_RUN="--dry-run"
shift
;;
--limit)
LIMIT="--limit $2"
shift 2
;;
--help|-h)
usage
;;
*)
log_error "Unknown option: $1"
usage
;;
esac
done
if [[ "$DO_POPULATE" == false && "$DO_COMPUTE" == false && -z "$BASELINE_PATH" ]]; then
log_error "No action specified"
usage
fi
cd "$REPO_ROOT"
# Step 1: Populate findings
if [[ "$DO_POPULATE" == true ]]; then
log_info "Step 1: Populating findings from reachbench fixtures..."
python3 scripts/bench/populate-findings.py $DRY_RUN $LIMIT
echo ""
fi
# Step 2: Compute metrics
if [[ "$DO_COMPUTE" == true ]]; then
log_info "Step 2: Computing metrics..."
python3 scripts/bench/compute-metrics.py --json
echo ""
fi
# Step 3: Compare with baseline
if [[ -n "$BASELINE_PATH" ]]; then
log_info "Step 3: Comparing with baseline..."
python3 bench/tools/compare.py --baseline "$BASELINE_PATH" --json
echo ""
fi
log_info "Benchmark automation complete!"
log_info "Results available in bench/results/"

95
scripts/reachability/run_all.ps1 Normal file
View File

@@ -0,0 +1,95 @@
# SPDX-License-Identifier: AGPL-3.0-or-later
# QA-CORPUS-401-031: Deterministic runner for reachability corpus tests (Windows)
[CmdletBinding()]
param(
[Parameter(HelpMessage = "xUnit filter pattern (e.g., 'CorpusFixtureTests')")]
[string]$Filter,
[Parameter(HelpMessage = "Test verbosity level")]
[ValidateSet("quiet", "minimal", "normal", "detailed", "diagnostic")]
[string]$Verbosity = "normal",
[Parameter(HelpMessage = "Build configuration")]
[ValidateSet("Debug", "Release")]
[string]$Configuration = "Release",
[Parameter(HelpMessage = "Skip build step")]
[switch]$NoBuild
)
$ErrorActionPreference = "Stop"
$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$RepoRoot = (Resolve-Path (Join-Path $ScriptDir "..\..")).Path
$TestProject = Join-Path $RepoRoot "tests\reachability\StellaOps.Reachability.FixtureTests\StellaOps.Reachability.FixtureTests.csproj"
function Write-LogInfo { param($Message) Write-Host "[INFO] $Message" -ForegroundColor Green }
function Write-LogWarn { param($Message) Write-Host "[WARN] $Message" -ForegroundColor Yellow }
function Write-LogError { param($Message) Write-Host "[ERROR] $Message" -ForegroundColor Red }
Write-LogInfo "Reachability Corpus Test Runner (Windows)"
Write-LogInfo "Repository root: $RepoRoot"
Write-LogInfo "Test project: $TestProject"
# Verify prerequisites
$dotnetPath = Get-Command dotnet -ErrorAction SilentlyContinue
if (-not $dotnetPath) {
Write-LogError "dotnet CLI not found. Please install .NET SDK."
exit 1
}
# Verify corpus exists
$corpusManifest = Join-Path $RepoRoot "tests\reachability\corpus\manifest.json"
if (-not (Test-Path $corpusManifest)) {
Write-LogError "Corpus manifest not found at $corpusManifest"
exit 1
}
$reachbenchIndex = Join-Path $RepoRoot "tests\reachability\fixtures\reachbench-2025-expanded\INDEX.json"
if (-not (Test-Path $reachbenchIndex)) {
Write-LogError "Reachbench INDEX not found at $reachbenchIndex"
exit 1
}
# Build if needed
if (-not $NoBuild) {
Write-LogInfo "Building test project ($Configuration)..."
& dotnet build $TestProject -c $Configuration --nologo
if ($LASTEXITCODE -ne 0) {
Write-LogError "Build failed"
exit $LASTEXITCODE
}
}
# Build test command arguments
$testArgs = @(
"test"
$TestProject
"-c"
$Configuration
"--no-build"
"--verbosity"
$Verbosity
)
if ($Filter) {
$testArgs += "--filter"
$testArgs += "FullyQualifiedName~$Filter"
Write-LogInfo "Running tests with filter: $Filter"
} else {
Write-LogInfo "Running all fixture tests..."
}
# Run tests
Write-LogInfo "Executing: dotnet $($testArgs -join ' ')"
& dotnet @testArgs
$exitCode = $LASTEXITCODE
if ($exitCode -eq 0) {
Write-LogInfo "All tests passed!"
} else {
Write-LogError "Some tests failed (exit code: $exitCode)"
}
exit $exitCode

118
scripts/reachability/run_all.sh Normal file
View File

@@ -0,0 +1,118 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: AGPL-3.0-or-later
# QA-CORPUS-401-031: Deterministic runner for reachability corpus tests
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
TEST_PROJECT="${REPO_ROOT}/tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj"
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
log_info() { echo -e "${GREEN}[INFO]${NC} $*"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
log_error() { echo -e "${RED}[ERROR]${NC} $*"; }
# Parse arguments
FILTER=""
VERBOSITY="normal"
CONFIGURATION="Release"
NO_BUILD=false
while [[ $# -gt 0 ]]; do
case $1 in
--filter)
FILTER="$2"
shift 2
;;
--verbosity|-v)
VERBOSITY="$2"
shift 2
;;
--configuration|-c)
CONFIGURATION="$2"
shift 2
;;
--no-build)
NO_BUILD=true
shift
;;
--help|-h)
echo "Usage: $0 [options]"
echo ""
echo "Options:"
echo " --filter <pattern> xUnit filter pattern (e.g., 'CorpusFixtureTests')"
echo " --verbosity, -v <level> Test verbosity (quiet, minimal, normal, detailed, diagnostic)"
echo " --configuration, -c Build configuration (Debug, Release)"
echo " --no-build Skip build step"
echo " --help, -h Show this help"
echo ""
echo "Examples:"
echo " $0 # Run all fixture tests"
echo " $0 --filter CorpusFixtureTests # Run only corpus tests"
echo " $0 --filter ReachbenchFixtureTests # Run only reachbench tests"
exit 0
;;
*)
log_error "Unknown option: $1"
exit 1
;;
esac
done
cd "${REPO_ROOT}"
log_info "Reachability Corpus Test Runner"
log_info "Repository root: ${REPO_ROOT}"
log_info "Test project: ${TEST_PROJECT}"
# Verify prerequisites
if ! command -v dotnet &> /dev/null; then
log_error "dotnet CLI not found. Please install .NET SDK."
exit 1
fi
# Verify corpus exists
if [[ ! -f "${REPO_ROOT}/tests/reachability/corpus/manifest.json" ]]; then
log_error "Corpus manifest not found at tests/reachability/corpus/manifest.json"
exit 1
fi
if [[ ! -f "${REPO_ROOT}/tests/reachability/fixtures/reachbench-2025-expanded/INDEX.json" ]]; then
log_error "Reachbench INDEX not found at tests/reachability/fixtures/reachbench-2025-expanded/INDEX.json"
exit 1
fi
# Build if needed
if [[ "${NO_BUILD}" == false ]]; then
log_info "Building test project (${CONFIGURATION})..."
dotnet build "${TEST_PROJECT}" -c "${CONFIGURATION}" --nologo
fi
# Build test command
TEST_CMD="dotnet test ${TEST_PROJECT} -c ${CONFIGURATION} --no-build --verbosity ${VERBOSITY}"
if [[ -n "${FILTER}" ]]; then
TEST_CMD="${TEST_CMD} --filter \"FullyQualifiedName~${FILTER}\""
log_info "Running tests with filter: ${FILTER}"
else
log_info "Running all fixture tests..."
fi
# Run tests
log_info "Executing: ${TEST_CMD}"
eval "${TEST_CMD}"
EXIT_CODE=$?
if [[ ${EXIT_CODE} -eq 0 ]]; then
log_info "All tests passed!"
else
log_error "Some tests failed (exit code: ${EXIT_CODE})"
fi
exit ${EXIT_CODE}

73
scripts/reachability/verify_corpus_hashes.sh Normal file
View File

@@ -0,0 +1,73 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: AGPL-3.0-or-later
# QA-CORPUS-401-031: Verify SHA-256 hashes in corpus manifest
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
CORPUS_DIR="${REPO_ROOT}/tests/reachability/corpus"
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m'
log_info() { echo -e "${GREEN}[INFO]${NC} $*"; }
log_error() { echo -e "${RED}[ERROR]${NC} $*"; }
cd "${CORPUS_DIR}"
if [[ ! -f "manifest.json" ]]; then
log_error "manifest.json not found in ${CORPUS_DIR}"
exit 1
fi
log_info "Verifying corpus hashes..."
# Use Python for JSON parsing (more portable than jq)
python3 << 'PYTHON_SCRIPT'
import json
import hashlib
import os
import sys
with open('manifest.json') as f:
manifest = json.load(f)
errors = []
verified = 0
for entry in manifest:
case_id = entry['id']
lang = entry['language']
case_dir = os.path.join(lang, case_id)
if not os.path.isdir(case_dir):
errors.append(f"{case_id}: case directory missing ({case_dir})")
continue
for filename, expected_hash in entry['files'].items():
filepath = os.path.join(case_dir, filename)
if not os.path.exists(filepath):
errors.append(f"{case_id}: {filename} not found")
continue
with open(filepath, 'rb') as f:
actual_hash = hashlib.sha256(f.read()).hexdigest()
if actual_hash != expected_hash:
errors.append(f"{case_id}: {filename} hash mismatch")
errors.append(f" expected: {expected_hash}")
errors.append(f" actual: {actual_hash}")
else:
verified += 1
if errors:
print(f"\033[0;31m[ERROR]\033[0m Hash verification failed:")
for err in errors:
print(f" {err}")
sys.exit(1)
else:
print(f"\033[0;32m[INFO]\033[0m Verified {verified} files across {len(manifest)} corpus entries")
sys.exit(0)
PYTHON_SCRIPT

30
src/AirGap/StellaOps.AirGap.Storage.Postgres.Tests/AirGapPostgresFixture.cs Normal file
View File

@@ -0,0 +1,30 @@
using System.Reflection;
using StellaOps.AirGap.Storage.Postgres;
using StellaOps.Infrastructure.Postgres.Testing;
using Xunit;
namespace StellaOps.AirGap.Storage.Postgres.Tests;
/// <summary>
/// PostgreSQL integration test fixture for the AirGap module.
/// Runs migrations from embedded resources and provides test isolation.
/// </summary>
public sealed class AirGapPostgresFixture : PostgresIntegrationFixture, ICollectionFixture<AirGapPostgresFixture>
{
protected override Assembly? GetMigrationAssembly()
=> typeof(AirGapDataSource).Assembly;
protected override string GetModuleName() => "AirGap";
protected override string? GetResourcePrefix() => "Migrations";
}
/// <summary>
/// Collection definition for AirGap PostgreSQL integration tests.
/// Tests in this collection share a single PostgreSQL container instance.
/// </summary>
[CollectionDefinition(Name)]
public sealed class AirGapPostgresCollection : ICollectionFixture<AirGapPostgresFixture>
{
public const string Name = "AirGapPostgres";
}

167
src/AirGap/StellaOps.AirGap.Storage.Postgres.Tests/PostgresAirGapStateStoreTests.cs Normal file
View File

@@ -0,0 +1,167 @@
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.AirGap.Controller.Domain;
using StellaOps.AirGap.Storage.Postgres;
using StellaOps.AirGap.Storage.Postgres.Repositories;
using StellaOps.AirGap.Time.Models;
using StellaOps.Infrastructure.Postgres.Options;
using Xunit;
namespace StellaOps.AirGap.Storage.Postgres.Tests;
[Collection(AirGapPostgresCollection.Name)]
public sealed class PostgresAirGapStateStoreTests : IAsyncLifetime
{
private readonly AirGapPostgresFixture _fixture;
private readonly PostgresAirGapStateStore _store;
private readonly AirGapDataSource _dataSource;
private readonly string _tenantId = "tenant-" + Guid.NewGuid().ToString("N")[..8];
public PostgresAirGapStateStoreTests(AirGapPostgresFixture fixture)
{
_fixture = fixture;
var options = Options.Create(new PostgresOptions
{
ConnectionString = fixture.ConnectionString,
SchemaName = AirGapDataSource.DefaultSchemaName,
AutoMigrate = false
});
_dataSource = new AirGapDataSource(options, NullLogger<AirGapDataSource>.Instance);
_store = new PostgresAirGapStateStore(_dataSource, NullLogger<PostgresAirGapStateStore>.Instance);
}
public async Task InitializeAsync()
{
await _fixture.TruncateAllTablesAsync();
}
public async Task DisposeAsync()
{
await _dataSource.DisposeAsync();
}
[Fact]
public async Task GetAsync_ReturnsDefaultStateForNewTenant()
{
// Act
var state = await _store.GetAsync(_tenantId);
// Assert
state.Should().NotBeNull();
state.TenantId.Should().Be(_tenantId);
state.Sealed.Should().BeFalse();
state.PolicyHash.Should().BeNull();
}
[Fact]
public async Task SetAndGet_RoundTripsState()
{
// Arrange
var timeAnchor = new TimeAnchor(
DateTimeOffset.UtcNow,
"tsa.example.com",
"RFC3161",
"sha256:fingerprint123",
"sha256:tokendigest456");
var state = new AirGapState
{
Id = Guid.NewGuid().ToString("N"),
TenantId = _tenantId,
Sealed = true,
PolicyHash = "sha256:policy789",
TimeAnchor = timeAnchor,
LastTransitionAt = DateTimeOffset.UtcNow,
StalenessBudget = new StalenessBudget(1800, 3600),
DriftBaselineSeconds = 5,
ContentBudgets = new Dictionary<string, StalenessBudget>
{
["advisories"] = new StalenessBudget(7200, 14400),
["vex"] = new StalenessBudget(3600, 7200)
}
};
// Act
await _store.SetAsync(state);
var fetched = await _store.GetAsync(_tenantId);
// Assert
fetched.Should().NotBeNull();
fetched.Sealed.Should().BeTrue();
fetched.PolicyHash.Should().Be("sha256:policy789");
fetched.TimeAnchor.Source.Should().Be("tsa.example.com");
fetched.TimeAnchor.Format.Should().Be("RFC3161");
fetched.StalenessBudget.WarningSeconds.Should().Be(1800);
fetched.StalenessBudget.BreachSeconds.Should().Be(3600);
fetched.DriftBaselineSeconds.Should().Be(5);
fetched.ContentBudgets.Should().HaveCount(2);
fetched.ContentBudgets["advisories"].WarningSeconds.Should().Be(7200);
}
[Fact]
public async Task SetAsync_UpdatesExistingState()
{
// Arrange
var state1 = new AirGapState
{
Id = Guid.NewGuid().ToString("N"),
TenantId = _tenantId,
Sealed = false,
TimeAnchor = TimeAnchor.Unknown,
StalenessBudget = StalenessBudget.Default
};
var state2 = new AirGapState
{
Id = state1.Id,
TenantId = _tenantId,
Sealed = true,
PolicyHash = "sha256:updated",
TimeAnchor = new TimeAnchor(DateTimeOffset.UtcNow, "updated-source", "rfc3161", "", ""),
LastTransitionAt = DateTimeOffset.UtcNow,
StalenessBudget = new StalenessBudget(600, 1200)
};
// Act
await _store.SetAsync(state1);
await _store.SetAsync(state2);
var fetched = await _store.GetAsync(_tenantId);
// Assert
fetched.Sealed.Should().BeTrue();
fetched.PolicyHash.Should().Be("sha256:updated");
fetched.TimeAnchor.Source.Should().Be("updated-source");
fetched.StalenessBudget.WarningSeconds.Should().Be(600);
}
[Fact]
public async Task SetAsync_PersistsContentBudgets()
{
// Arrange
var state = new AirGapState
{
Id = Guid.NewGuid().ToString("N"),
TenantId = _tenantId,
TimeAnchor = TimeAnchor.Unknown,
StalenessBudget = StalenessBudget.Default,
ContentBudgets = new Dictionary<string, StalenessBudget>
{
["advisories"] = new StalenessBudget(3600, 7200),
["vex"] = new StalenessBudget(1800, 3600),
["policy"] = new StalenessBudget(900, 1800)
}
};
// Act
await _store.SetAsync(state);
var fetched = await _store.GetAsync(_tenantId);
// Assert
fetched.ContentBudgets.Should().HaveCount(3);
fetched.ContentBudgets.Should().ContainKey("advisories");
fetched.ContentBudgets.Should().ContainKey("vex");
fetched.ContentBudgets.Should().ContainKey("policy");
}
}

33
src/AirGap/StellaOps.AirGap.Storage.Postgres.Tests/StellaOps.AirGap.Storage.Postgres.Tests.csproj Normal file
View File

@@ -0,0 +1,33 @@
<?xml version="1.0" ?>
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<LangVersion>preview</LangVersion>
<IsPackable>false</IsPackable>
<IsTestProject>true</IsTestProject>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="FluentAssertions" Version="6.12.0" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.0" />
<PackageReference Include="xunit" Version="2.9.3" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.8.2">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
<PackageReference Include="coverlet.collector" Version="6.0.4">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\StellaOps.AirGap.Storage.Postgres\StellaOps.AirGap.Storage.Postgres.csproj" />
<ProjectReference Include="..\StellaOps.AirGap.Controller\StellaOps.AirGap.Controller.csproj" />
<ProjectReference Include="..\..\__Libraries\StellaOps.Infrastructure.Postgres.Testing\StellaOps.Infrastructure.Postgres.Testing.csproj" />
</ItemGroup>
</Project>

177
src/Aoc/StellaOps.Aoc.Cli/Commands/VerifyCommand.cs Normal file
View File

@@ -0,0 +1,177 @@
using System.CommandLine;
using System.CommandLine.Invocation;
using System.Text.Json;
using StellaOps.Aoc.Cli.Models;
using StellaOps.Aoc.Cli.Services;
namespace StellaOps.Aoc.Cli.Commands;
public static class VerifyCommand
{
public static Command Create()
{
var sinceOption = new Option<string>(
aliases: ["--since", "-s"],
description: "Git commit SHA or ISO timestamp to verify from")
{
IsRequired = true
};
var mongoOption = new Option<string?>(
aliases: ["--mongo", "-m"],
description: "MongoDB connection string (legacy support)");
var postgresOption = new Option<string?>(
aliases: ["--postgres", "-p"],
description: "PostgreSQL connection string");
var outputOption = new Option<string?>(
aliases: ["--output", "-o"],
description: "Path for JSON output report");
var ndjsonOption = new Option<string?>(
aliases: ["--ndjson", "-n"],
description: "Path for NDJSON output (one violation per line)");
var tenantOption = new Option<string?>(
aliases: ["--tenant", "-t"],
description: "Filter by tenant ID");
var dryRunOption = new Option<bool>(
aliases: ["--dry-run"],
description: "Validate configuration without querying database",
getDefaultValue: () => false);
var verboseOption = new Option<bool>(
aliases: ["--verbose", "-v"],
description: "Enable verbose output",
getDefaultValue: () => false);
var command = new Command("verify", "Verify AOC compliance for documents since a given point")
{
sinceOption,
mongoOption,
postgresOption,
outputOption,
ndjsonOption,
tenantOption,
dryRunOption,
verboseOption
};
command.SetHandler(async (context) =>
{
var since = context.ParseResult.GetValueForOption(sinceOption)!;
var mongo = context.ParseResult.GetValueForOption(mongoOption);
var postgres = context.ParseResult.GetValueForOption(postgresOption);
var output = context.ParseResult.GetValueForOption(outputOption);
var ndjson = context.ParseResult.GetValueForOption(ndjsonOption);
var tenant = context.ParseResult.GetValueForOption(tenantOption);
var dryRun = context.ParseResult.GetValueForOption(dryRunOption);
var verbose = context.ParseResult.GetValueForOption(verboseOption);
var options = new VerifyOptions
{
Since = since,
MongoConnectionString = mongo,
PostgresConnectionString = postgres,
OutputPath = output,
NdjsonPath = ndjson,
Tenant = tenant,
DryRun = dryRun,
Verbose = verbose
};
var exitCode = await ExecuteAsync(options, context.GetCancellationToken());
context.ExitCode = exitCode;
});
return command;
}
private static async Task<int> ExecuteAsync(VerifyOptions options, CancellationToken cancellationToken)
{
if (options.Verbose)
{
Console.WriteLine($"AOC Verify starting...");
Console.WriteLine($" Since: {options.Since}");
Console.WriteLine($" Tenant: {options.Tenant ?? "(all)"}");
Console.WriteLine($" Dry run: {options.DryRun}");
}
// Validate connection string is provided
if (string.IsNullOrEmpty(options.MongoConnectionString) && string.IsNullOrEmpty(options.PostgresConnectionString))
{
Console.Error.WriteLine("Error: Either --mongo or --postgres connection string is required");
return 1;
}
if (options.DryRun)
{
Console.WriteLine("Dry run mode - configuration validated successfully");
return 0;
}
try
{
var service = new AocVerificationService();
var result = await service.VerifyAsync(options, cancellationToken);
// Write JSON output if requested
if (!string.IsNullOrEmpty(options.OutputPath))
{
var json = JsonSerializer.Serialize(result, new JsonSerializerOptions
{
WriteIndented = true,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
});
await File.WriteAllTextAsync(options.OutputPath, json, cancellationToken);
if (options.Verbose)
{
Console.WriteLine($"JSON report written to: {options.OutputPath}");
}
}
// Write NDJSON output if requested
if (!string.IsNullOrEmpty(options.NdjsonPath))
{
var ndjsonLines = result.Violations.Select(v =>
JsonSerializer.Serialize(v, new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase }));
await File.WriteAllLinesAsync(options.NdjsonPath, ndjsonLines, cancellationToken);
if (options.Verbose)
{
Console.WriteLine($"NDJSON report written to: {options.NdjsonPath}");
}
}
// Output summary
Console.WriteLine($"AOC Verification Complete");
Console.WriteLine($" Documents scanned: {result.DocumentsScanned}");
Console.WriteLine($" Violations found: {result.ViolationCount}");
Console.WriteLine($" Duration: {result.DurationMs}ms");
if (result.ViolationCount > 0)
{
Console.WriteLine();
Console.WriteLine("Violations by type:");
foreach (var group in result.Violations.GroupBy(v => v.Code))
{
Console.WriteLine($" {group.Key}: {group.Count()}");
}
}
return result.ViolationCount > 0 ? 2 : 0;
}
catch (Exception ex)
{
Console.Error.WriteLine($"Error during verification: {ex.Message}");
if (options.Verbose)
{
Console.Error.WriteLine(ex.StackTrace);
}
return 1;
}
}
}

57
src/Aoc/StellaOps.Aoc.Cli/Models/VerificationResult.cs Normal file
View File

@@ -0,0 +1,57 @@
using System.Text.Json.Serialization;
namespace StellaOps.Aoc.Cli.Models;
public sealed class VerificationResult
{
[JsonPropertyName("since")]
public required string Since { get; init; }
[JsonPropertyName("tenant")]
public string? Tenant { get; init; }
[JsonPropertyName("verifiedAt")]
public DateTimeOffset VerifiedAt { get; init; } = DateTimeOffset.UtcNow;
[JsonPropertyName("documentsScanned")]
public int DocumentsScanned { get; set; }
[JsonPropertyName("violationCount")]
public int ViolationCount => Violations.Count;
[JsonPropertyName("violations")]
public List<DocumentViolation> Violations { get; init; } = [];
[JsonPropertyName("durationMs")]
public long DurationMs { get; set; }
[JsonPropertyName("status")]
public string Status => ViolationCount == 0 ? "PASS" : "FAIL";
}
public sealed class DocumentViolation
{
[JsonPropertyName("documentId")]
public required string DocumentId { get; init; }
[JsonPropertyName("collection")]
public required string Collection { get; init; }
[JsonPropertyName("code")]
public required string Code { get; init; }
[JsonPropertyName("path")]
public required string Path { get; init; }
[JsonPropertyName("message")]
public required string Message { get; init; }
[JsonPropertyName("tenant")]
public string? Tenant { get; init; }
[JsonPropertyName("detectedAt")]
public DateTimeOffset DetectedAt { get; init; } = DateTimeOffset.UtcNow;
[JsonPropertyName("documentTimestamp")]
public DateTimeOffset? DocumentTimestamp { get; init; }
}

13
src/Aoc/StellaOps.Aoc.Cli/Models/VerifyOptions.cs Normal file
View File

@@ -0,0 +1,13 @@
namespace StellaOps.Aoc.Cli.Models;
public sealed class VerifyOptions
{
public required string Since { get; init; }
public string? MongoConnectionString { get; init; }
public string? PostgresConnectionString { get; init; }
public string? OutputPath { get; init; }
public string? NdjsonPath { get; init; }
public string? Tenant { get; init; }
public bool DryRun { get; init; }
public bool Verbose { get; init; }
}

18
src/Aoc/StellaOps.Aoc.Cli/Program.cs Normal file
View File

@@ -0,0 +1,18 @@
using System.CommandLine;
using System.Text.Json;
using StellaOps.Aoc.Cli.Commands;
namespace StellaOps.Aoc.Cli;
public static class Program
{
public static async Task<int> Main(string[] args)
{
var rootCommand = new RootCommand("StellaOps AOC CLI - Verify append-only contract compliance")
{
VerifyCommand.Create()
};
return await rootCommand.InvokeAsync(args);
}
}

256
src/Aoc/StellaOps.Aoc.Cli/Services/AocVerificationService.cs Normal file
View File

@@ -0,0 +1,256 @@
using System.Diagnostics;
using System.Text.Json;
using Npgsql;
using StellaOps.Aoc.Cli.Models;
namespace StellaOps.Aoc.Cli.Services;
public sealed class AocVerificationService
{
private readonly AocWriteGuard _guard = new();
public async Task<VerificationResult> VerifyAsync(VerifyOptions options, CancellationToken cancellationToken = default)
{
var stopwatch = Stopwatch.StartNew();
var result = new VerificationResult
{
Since = options.Since,
Tenant = options.Tenant
};
// Parse the since parameter
var sinceTimestamp = ParseSinceParameter(options.Since);
// Route to appropriate database verification
if (!string.IsNullOrEmpty(options.PostgresConnectionString))
{
await VerifyPostgresAsync(options.PostgresConnectionString, sinceTimestamp, options.Tenant, result, cancellationToken);
}
else if (!string.IsNullOrEmpty(options.MongoConnectionString))
{
// MongoDB support - for legacy verification
// Note: The codebase is transitioning to PostgreSQL
await VerifyMongoAsync(options.MongoConnectionString, sinceTimestamp, options.Tenant, result, cancellationToken);
}
stopwatch.Stop();
result.DurationMs = stopwatch.ElapsedMilliseconds;
return result;
}
private static DateTimeOffset ParseSinceParameter(string since)
{
// Try parsing as ISO timestamp first
if (DateTimeOffset.TryParse(since, out var timestamp))
{
return timestamp;
}
// If it looks like a git commit SHA, use current time minus a default window
// In a real implementation, we'd query git for the commit timestamp
if (since.Length >= 7 && since.All(c => char.IsLetterOrDigit(c)))
{
// Default to 24 hours ago for commit-based queries
// The actual implementation would resolve the commit timestamp
return DateTimeOffset.UtcNow.AddHours(-24);
}
// Default fallback
return DateTimeOffset.UtcNow.AddDays(-1);
}
private async Task VerifyPostgresAsync(
string connectionString,
DateTimeOffset since,
string? tenant,
VerificationResult result,
CancellationToken cancellationToken)
{
await using var connection = new NpgsqlConnection(connectionString);
await connection.OpenAsync(cancellationToken);
// Query advisory_raw documents from Concelier
await VerifyConcelierDocumentsAsync(connection, since, tenant, result, cancellationToken);
// Query VEX documents from Excititor
await VerifyExcititorDocumentsAsync(connection, since, tenant, result, cancellationToken);
}
private async Task VerifyConcelierDocumentsAsync(
NpgsqlConnection connection,
DateTimeOffset since,
string? tenant,
VerificationResult result,
CancellationToken cancellationToken)
{
var sql = """
SELECT id, tenant, content, created_at
FROM concelier.advisory_raw
WHERE created_at >= @since
""";
if (!string.IsNullOrEmpty(tenant))
{
sql += " AND tenant = @tenant";
}
await using var cmd = new NpgsqlCommand(sql, connection);
cmd.Parameters.AddWithValue("since", since);
if (!string.IsNullOrEmpty(tenant))
{
cmd.Parameters.AddWithValue("tenant", tenant);
}
try
{
await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);
while (await reader.ReadAsync(cancellationToken))
{
result.DocumentsScanned++;
var docId = reader.GetString(0);
var docTenant = reader.IsDBNull(1) ? null : reader.GetString(1);
var contentJson = reader.GetString(2);
var createdAt = reader.GetDateTime(3);
try
{
using var doc = JsonDocument.Parse(contentJson);
var guardResult = _guard.Validate(doc.RootElement);
foreach (var violation in guardResult.Violations)
{
result.Violations.Add(new DocumentViolation
{
DocumentId = docId,
Collection = "concelier.advisory_raw",
Code = violation.Code.ToErrorCode(),
Path = violation.Path,
Message = violation.Message,
Tenant = docTenant,
DocumentTimestamp = new DateTimeOffset(createdAt, TimeSpan.Zero)
});
}
}
catch (JsonException)
{
result.Violations.Add(new DocumentViolation
{
DocumentId = docId,
Collection = "concelier.advisory_raw",
Code = "ERR_AOC_PARSE",
Path = "/",
Message = "Document content is not valid JSON",
Tenant = docTenant,
DocumentTimestamp = new DateTimeOffset(createdAt, TimeSpan.Zero)
});
}
}
}
catch (PostgresException ex) when (ex.SqlState == "42P01") // relation does not exist
{
// Table doesn't exist - this is okay for fresh installations
Console.WriteLine("Note: concelier.advisory_raw table not found (may not be initialized)");
}
}
private async Task VerifyExcititorDocumentsAsync(
NpgsqlConnection connection,
DateTimeOffset since,
string? tenant,
VerificationResult result,
CancellationToken cancellationToken)
{
var sql = """
SELECT id, tenant, document, created_at
FROM excititor.vex_documents
WHERE created_at >= @since
""";
if (!string.IsNullOrEmpty(tenant))
{
sql += " AND tenant = @tenant";
}
await using var cmd = new NpgsqlCommand(sql, connection);
cmd.Parameters.AddWithValue("since", since);
if (!string.IsNullOrEmpty(tenant))
{
cmd.Parameters.AddWithValue("tenant", tenant);
}
try
{
await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);
while (await reader.ReadAsync(cancellationToken))
{
result.DocumentsScanned++;
var docId = reader.GetString(0);
var docTenant = reader.IsDBNull(1) ? null : reader.GetString(1);
var contentJson = reader.GetString(2);
var createdAt = reader.GetDateTime(3);
try
{
using var doc = JsonDocument.Parse(contentJson);
var guardResult = _guard.Validate(doc.RootElement);
foreach (var violation in guardResult.Violations)
{
result.Violations.Add(new DocumentViolation
{
DocumentId = docId,
Collection = "excititor.vex_documents",
Code = violation.Code.ToErrorCode(),
Path = violation.Path,
Message = violation.Message,
Tenant = docTenant,
DocumentTimestamp = new DateTimeOffset(createdAt, TimeSpan.Zero)
});
}
}
catch (JsonException)
{
result.Violations.Add(new DocumentViolation
{
DocumentId = docId,
Collection = "excititor.vex_documents",
Code = "ERR_AOC_PARSE",
Path = "/",
Message = "Document content is not valid JSON",
Tenant = docTenant,
DocumentTimestamp = new DateTimeOffset(createdAt, TimeSpan.Zero)
});
}
}
}
catch (PostgresException ex) when (ex.SqlState == "42P01") // relation does not exist
{
// Table doesn't exist - this is okay for fresh installations
Console.WriteLine("Note: excititor.vex_documents table not found (may not be initialized)");
}
}
private Task VerifyMongoAsync(
string connectionString,
DateTimeOffset since,
string? tenant,
VerificationResult result,
CancellationToken cancellationToken)
{
// MongoDB support is deprecated - log warning and return empty result
Console.WriteLine("Warning: MongoDB verification is deprecated. The codebase is transitioning to PostgreSQL.");
Console.WriteLine(" Use --postgres instead of --mongo for production verification.");
// For backwards compatibility during transition, we don't fail
// but we also don't perform actual MongoDB queries
return Task.CompletedTask;
}
}

25
src/Aoc/StellaOps.Aoc.Cli/StellaOps.Aoc.Cli.csproj Normal file
View File

@@ -0,0 +1,25 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<LangVersion>preview</LangVersion>
<AssemblyName>stella-aoc</AssemblyName>
<RootNamespace>StellaOps.Aoc.Cli</RootNamespace>
<Description>StellaOps AOC CLI - Verify append-only contract compliance in advisory databases</Description>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="System.CommandLine" Version="2.0.0-beta4.22272.1" />
<PackageReference Include="Microsoft.Extensions.Logging" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Logging.Console" Version="10.0.0" />
<PackageReference Include="Npgsql" Version="9.0.2" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\__Libraries\StellaOps.Aoc\StellaOps.Aoc.csproj" />
</ItemGroup>
</Project>

12
src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/AnalyzerReleases.Shipped.md Normal file
View File

@@ -0,0 +1,12 @@
; Shipped analyzer releases
; https://github.com/dotnet/roslyn-analyzers/blob/main/src/Microsoft.CodeAnalysis.Analyzers/ReleaseTrackingAnalyzers.Help.md
## Release 1.0
### New Rules
Rule ID | Category | Severity | Notes
--------|----------|----------|-------
AOC0001 | AOC | Error | AocForbiddenFieldAnalyzer - Detects writes to forbidden fields
AOC0002 | AOC | Error | AocForbiddenFieldAnalyzer - Detects writes to derived fields
AOC0003 | AOC | Warning | AocForbiddenFieldAnalyzer - Detects unguarded database writes

Some files were not shown because too many files have changed in this diff Show More