partly or unimplemented features - now implemented
This commit is contained in:
master
35
docs/features/unchecked/attestor/dsse-wrapped-reach-maps.md
Normal file
35
docs/features/unchecked/attestor/dsse-wrapped-reach-maps.md
Normal file
@@ -0,0 +1,35 @@
|
||||
# DSSE-Wrapped Reach-Maps
|
||||
|
||||
## Module
|
||||
Attestor
|
||||
|
||||
## Status
|
||||
IMPLEMENTED
|
||||
|
||||
## Description
|
||||
Rich graphs and suppression witnesses exist with signing infrastructure available, but a specific "signed reach-map artifact" as a standalone DSSE-wrapped output is not distinctly implemented as described.
|
||||
|
||||
## What's Implemented
|
||||
- **Reachability Witness Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs` (with `.Path`) -- reachability witness data with call paths.
|
||||
- **Witness Path Nodes**: `Statements/WitnessCallPathNode.cs`, `WitnessPathNode.cs` -- call path node models.
|
||||
- **Micro Witness Evidence**: `Predicates/MicroWitnessFunctionEvidence.cs`, `MicroWitnessBinaryRef.cs`, `MicroWitnessCveRef.cs`, `MicroWitnessSbomRef.cs` -- function-level reachability evidence.
|
||||
- **DSSE Signing**: `Signing/ProofChainSigner.cs`, `DsseEnvelope.cs` -- available signing infrastructure.
|
||||
- **Proof Graph**: `Graph/InMemoryProofGraphService.cs` (with `.Mutation`, `.Queries`, `.Subgraph`) -- graph model for proof evidence.
|
||||
|
||||
## What's Missing
|
||||
- **Standalone reach-map artifact**: No dedicated reach-map document type that captures the full reachability graph (all functions, edges, and reachability status) as a single DSSE-wrapped artifact.
|
||||
- **Reach-map predicate type**: No registered predicate type URI (e.g., `https://stellaops.org/attestation/reachmap/v1`) for reach-map attestations.
|
||||
- **Full graph serialization**: Reachability evidence is captured per-CVE (micro-witness) not as a complete call graph that can be independently verified.
|
||||
- **Reach-map versioning**: No mechanism to version reach-maps and detect changes between scans.
|
||||
- **Reach-map OCI attachment**: No pipeline to attach DSSE-signed reach-maps to OCI images as referrers.
|
||||
|
||||
## Implementation Plan
|
||||
- Define a reach-map predicate type with full call graph serialization
|
||||
- Create a `ReachMapBuilder` that aggregates all micro-witness data into a single reach-map document
|
||||
- Implement DSSE signing for reach-map documents using existing `ProofChainSigner`
|
||||
- Add reach-map versioning with diff detection between scans
|
||||
- Wire OCI attachment via existing `OrasAttestationAttacher`
|
||||
- Add tests for reach-map building, signing, and versioning
|
||||
|
||||
## Related Documentation
|
||||
- Source: See feature catalog
|
||||
Reference in New Issue
Block a user