feat(zastava): add evidence locker plan and schema examples
- Introduced README.md for Zastava Evidence Locker Plan detailing artifacts to sign and post-signing steps. - Added example JSON schemas for observer events and webhook admissions. - Updated implementor guidelines with checklist for CI linting, determinism, secrets management, and schema control. - Created alert rules for Vuln Explorer to monitor API latency and projection errors. - Developed analytics ingestion plan for Vuln Explorer, focusing on telemetry and PII guardrails. - Implemented Grafana dashboard configuration for Vuln Explorer metrics visualization. - Added expected projection SHA256 for vulnerability events. - Created k6 load testing script for Vuln Explorer API. - Added sample projection and replay event data for testing. - Implemented ReplayInputsLock for deterministic replay inputs management. - Developed tests for ReplayInputsLock to ensure stable hash computation. - Created SurfaceManifestDeterminismVerifier to validate manifest determinism and integrity. - Added unit tests for SurfaceManifestDeterminismVerifier to ensure correct functionality. - Implemented Angular tests for VulnerabilityHttpClient and VulnerabilityDetailComponent to verify API interactions and UI rendering.
This commit is contained in:
StellaOps Bot
@@ -18,6 +18,7 @@ The service operates strictly downstream of the **Aggregation-Only Contract (AOC
|
||||
- Compile and evaluate `stella-dsl@1` policy packs into deterministic verdicts.
|
||||
- Join SBOM inventory, Concelier advisories, and Excititor VEX evidence via canonical linksets and equivalence tables.
|
||||
- Materialise effective findings (`effective_finding_{policyId}`) with append-only history and produce explain traces.
|
||||
- Emit CVSS v4.0 receipts with canonical hashing and policy replay/backfill rules; store tenant-scoped receipts with RBAC; export receipts deterministically (UTC/fonts/order) and flag v3.1→v4.0 conversions (see Sprint 0190 CVSS-GAPS-190-014 / `docs/modules/policy/cvss-v4.md`).
|
||||
- Emit per-finding OpenVEX decisions anchored to reachability evidence, forward them to Signer/Attestor for DSSE/Rekor, and publish the resulting artifacts for bench/verification consumers.
|
||||
- Consume reachability lattice decisions (`ReachDecision`, `docs/reachability/lattice.md`) to drive confidence-based VEX gates (not_affected / under_investigation / affected) and record the policy hash used for each decision.
|
||||
- Honor **hybrid reachability attestations**: graph-level DSSE is required input; when edge-bundle DSSEs exist, prefer their per-edge provenance for quarantine, dispute, and high-risk decisions. Quarantined edges (revoked in bundles or listed in Unknowns registry) must be excluded before VEX emission.
|
||||
|
||||
49
docs/modules/policy/cvss-v4.md
Normal file
49
docs/modules/policy/cvss-v4.md
Normal file
@@ -0,0 +1,49 @@
|
||||
# CVSS v4.0 Receipts – Hardening Guide
|
||||
|
||||
Source advisory: `docs/product-advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md` (CV1–CV10). This guide turns the gaps into implementable rules for Sprint 0190.
|
||||
|
||||
## Canonical hashing (CV2)
|
||||
- Serializer: JSON Canonicalization Scheme (JCS).
|
||||
- Ordering: lexicographic keys; arrays keep order; drop nulls.
|
||||
- Numbers: fixed 4-decimal precision; invariant culture; no exponent.
|
||||
- Time: UTC ISO-8601 `Z`; strip milliseconds unless non-zero.
|
||||
- Hash: SHA-256 of canonical JSON; store as `inputsHash` and DSSE subject.
|
||||
- Test vectors: `tests/Policy/StellaOps.Policy.Scoring.Tests/Fixtures/hashing/`.
|
||||
|
||||
## Policy replay & backfill (CV1)
|
||||
- Policies immutable; bump version for any change.
|
||||
- On change, emit new receipts with `supersedesReceiptId` and retain old ones.
|
||||
- Backfill job: re-score under new policy, append history, re-sign DSSE.
|
||||
|
||||
## Tenant segregation & RBAC (CV4, CV9)
|
||||
- Storage keys include `tenantId`; hashes/DSSE annotate tenant.
|
||||
- Roles: Security Engineer (Base), SOC Analyst (Threat), Customer Admin (Env), Viewer (read-only).
|
||||
- Enforce at API/repo layer and in canonical hash.
|
||||
|
||||
## Deterministic exports (CV8)
|
||||
- JSON export: JCS ordering, UTF-8, UTC timestamps, stable severity palette.
|
||||
- PDF export: embed fonts (Source Sans 3 + Roboto Mono), A4, fixed margins; hash PDF bytes and persist `exportHash`.
|
||||
|
||||
## v3.1 → v4.0 conversion (CV5)
|
||||
- Deterministic mapping; tag `source: "converted-v3.1"`, set `conversionMethod` + `confidence`; retain vendor vector.
|
||||
|
||||
## Evidence provenance (CV6)
|
||||
- Evidence items use CAS URIs + DSSE refs, include `retentionClass`, `redactionStatus`, `verifiedAt`, `hashMismatch`.
|
||||
|
||||
## Immutability & monitoring (CV7, CV10)
|
||||
- Receipts append-only; amendments create new IDs + DSSE.
|
||||
- Alerts: DSSE verify failures, policy hash drift, hash mismatch, engine version skew. Prometheus counters: `cvss_receipt_dsse_failures_total`, `cvss_policy_drift_total`, `cvss_hash_mismatch_total`.
|
||||
|
||||
## Golden fixtures & locations
|
||||
- Hashing vectors: `src/Policy/__Tests/StellaOps.Policy.Scoring.Tests/Fixtures/hashing/example-receipt-input.json` with expected hash `example-receipt-input.sha256`.
|
||||
- Receipts/exports under `tests/Policy/StellaOps.Policy.Scoring.Tests/Fixtures/` (expand as features land).
|
||||
- Sample PDFs in `Fixtures/exports/` once generated.
|
||||
|
||||
## Implementation checklist
|
||||
- Wire `ReceiptCanonicalizer` to JCS rules above.
|
||||
- Add backfill job + history persistence.
|
||||
- Enforce tenant/RBAC and annotate hashes/DSSE.
|
||||
- Implement deterministic PDF export and record `exportHash`.
|
||||
- Store conversion metadata for v3.1 sources.
|
||||
- Verify evidence CAS/DSSE on ingest; fail closed.
|
||||
- Expose metrics/alerts listed above.
|
||||
Reference in New Issue
Block a user