Sprints completion. New product advisories prepared

This commit is contained in:
master
2026-01-16 16:30:03 +02:00
parent a927d924e3
commit 4ca3ce8fb4
255 changed files with 42434 additions and 1020 deletions


@@ -186,3 +186,60 @@ See [Excititor Architecture](docs/modules/excititor/architecture.md#33-vex-chang
- `docs/modules/vex-lens/architecture.md`
- `docs/ARCHITECTURE_OVERVIEW.md`
- `docs/OFFLINE_KIT.md`
- `docs/modules/policy/determinization-api.md`
---
## Grey Queue and Unknown Mapping
> **Sprint:** SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue
When VEX correlation produces inconclusive results, observations are routed to the Grey Queue for monitoring or manual adjudication.
### Mapping to OpenVEX Status
Uncertain observations preserve OpenVEX spec alignment:
| Internal State | OpenVEX Status | Description |
|----------------|----------------|-------------|
| `PendingDeterminization` | `under_investigation` | Evidence incomplete; monitoring active |
| `Disputed` | `under_investigation` | Conflicting evidence from multiple sources |
| `GuardedPass` | `under_investigation` | Allowed with runtime guardrails |
### VEX Conflict Types
The Grey Queue surfaces VEX-specific conflicts:
| Conflict | Example | Resolution Path |
|----------|---------|-----------------|
| Status mismatch | Vendor says `not_affected`, distro says `affected` | Trust-weighted consensus or manual |
| Justification gap | Status `not_affected` but no justification provided | Request clarification or manual |
| Version range conflict | Overlapping but different affected ranges | Manual analysis |
| Supersession dispute | Multiple statements claim to supersede | Timestamp and trust resolution |
### Deterministic Conflict Detection
Conflicts are detected via structured comparison:
1. **Same vulnerability, same product, different status**`VexStatusConflict`
2. **VEX not_affected + confirmed reachability**`VexReachabilityContradiction`
3. **Multiple issuers, equal trust, opposite conclusions**`TrustTie`
### Console Behavior for Grey Queue
When displaying Grey Queue items:
- Show the observation state badge (e.g., "Pending" or "Disputed")
- Display all conflicting sources with provider identity
- Surface the reanalysis fingerprint for reproducibility
- List pending triggers awaiting data
- Provide action buttons for manual resolution
### Offline Grey Queue
In offline/air-gap mode:
- Grey Queue state is included in Offline Kit snapshots
- Manual adjudications are recorded locally and synced on reconnection
- Staleness budgets apply to pending determinations
- Conflict detection works with cached issuer trust data
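Review bot: in the "Deterministic Conflict Detection" list (items 1 to 3) the bold condition and the conflict type identifier run together with no separator, e.g. `` 1. **Same vulnerability, same product, different status**`VexStatusConflict` ``, so the rendered item reads as one phrase; insert an explicit separator such as ` → ` or `: ` before `VexStatusConflict`, `VexReachabilityContradiction` and `TrustTie`. A second, smaller point on the "Mapping to OpenVEX Status" table: `PendingDeterminization`, `Disputed` and `GuardedPass` all collapse to `under_investigation`, which drops the "Allowed with runtime guardrails" distinction once the state is exported as VEX; one sentence stating where the guardrail condition is carried in the exported statement, or that it is intentionally not exported, would help consumers of the VEX output.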