stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Add sample proof bundle configurations and verification script
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Console CI / console-ci (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
VEX Proof Bundles / verify-bundles (push) Has been cancelled
Details

Browse Source 
- Introduced sample proof bundle configuration files for testing, including `sample-proof-bundle-config.dsse.json`, `sample-proof-bundle.dsse.json`, and `sample-proof-bundle.json`.
- Implemented a verification script `test_verify_sample.sh` to validate proof bundles against specified schemas and catalogs.
- Updated existing proof bundle configurations with new metadata, including versioning, created timestamps, and justification details.
- Enhanced evidence entries with expiration dates and hashes for better integrity checks.
- Ensured all new configurations adhere to the defined schema for consistency and reliability in testing.
This commit is contained in:
StellaOps Bot
2025-12-04 08:54:32 +02:00
parent e1262eb916
commit 4dc7cf834a
76 changed files with 3051 additions and 355 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
docs/benchmarks/vex-evidence-playbook.md
View File

@@ -1,26 +1,37 @@
# VEX Evidence Playbook (VEX1VEX10)
Status: Draft · Date: 2025-12-03
Status: Frozen · Date: 2025-12-04
Scope: Define deterministic VEX evidence bundles, justification catalog, and verification workflow for reachability evidence chain (Sprint 0401 tasks 62, 64, 65).
## Artifacts (frozen)
- Schema: `docs/benchmarks/vex-evidence-playbook.schema.json`
- Justification catalog (+ DSSE): `docs/benchmarks/vex-justifications.catalog.json`, `docs/benchmarks/vex-justifications.catalog.dsse.json`
- Proof bundle fixtures (+ DSSE): `tests/Vex/ProofBundles/sample-proof-bundle.json`, `tests/Vex/ProofBundles/sample-proof-bundle.dsse.json`, `tests/Vex/ProofBundles/sample-proof-bundle-config.json`, `tests/Vex/ProofBundles/sample-proof-bundle-config.dsse.json`
- CAS evidence set: `tests/Vex/ProofBundles/cas/` (graph, coverage, negative tests, runtime trace, config, flags + DSSE for graph/coverage)
- OpenVEX statement: `tests/Vex/ProofBundles/openvex-sample.json`
- OpenVEX config fixture: `tests/Vex/ProofBundles/openvex-config.json`
- Verifier + tests: `scripts/vex/verify_proof_bundle.py`, `tests/Vex/ProofBundles/test_verify_sample.sh`
- CI guard: `.gitea/workflows/vex-proof-bundles.yml`
## Goals
- Publish signed VEX justification catalog with DSSE predicates and canonical hashes.
- Require entry-point coverage %, negative tests, and config/flag hash enforcement for each justification.
- Provide offline-friendly proof bundle format with CAS paths and DSSE envelopes.
- Require entry-point coverage %, negative tests, and config/flag hash enforcement for each justification; re-evaluate on SBOM/graph/runtime change.
- Provide offline-friendly proof bundle format with CAS paths and DSSE envelopes; mandate OpenVEX canonical serialization and Rekor-ready signature digests.
## Bundle schema (draft)
- `proofBundle.schema.json` (to be placed under `docs/benchmarks/vex-evidence-playbook.schema.json`):
- `id`, `version`, `createdAt`, `createdBy`.
- `graph_hash` (BLAKE3-256), `graph_dsse` (sha256 of envelope).
- `entrypoints[]` with `id`, `coverage_percent`, `negative_tests` (bool), `config_hash` (sha256), `flags_hash` (sha256).
- `justification_id` (must exist in justification catalog), `justification_dsse` (optional hash).
- `evidence[]` items with `type` (`trace`, `coverage`, `sbom`, `scan`, `policy`), `cas_uri`, `hash`, `dsse` (optional), `expiresAt`.
- `signatures[]` DSSE/JWS entries with `keyId`, `sig`, `envelopeDigest`.
## Bundle schema (frozen)
- `docs/benchmarks/vex-evidence-playbook.schema.json` (JSON Schema 2020-12):
- `graph.hash` (BLAKE3-256 preferred) + `graph.dsse`.
- `openvex` block with canonical SHA-256 + BLAKE3 and statement id.
- `justification.id` (must exist in catalog) + optional DSSE ref.
- `entrypoints[]`: `coverage_percent` (must meet min threshold), `negative_tests`, `config_hash`, `flags_hash`.
- `evidence[]` (graph, coverage, runtime_trace, negative_test, config, flags, sbom, scan, policy) with CAS URI + hash + optional DSSE.
- `rbac` approvals, `reevaluation` triggers (sbom/graph/runtime true), `uncertainty` state (U0U3), optional `policy` summary.
- `signatures[]` with DSSE/JWS envelope digest and optional Rekor metadata.
## Justification catalog
- Canonical JSON, JCS normalized; BLAKE3 + SHA-256 recorded.
- Fields: `id`, `title`, `description`, `applicability` (list of predicates), `required_evidence` (array of types/hashes), `expiry`, `policy_links`.
- Signed with DSSE predicate `stella.ops/vexJustification@v1`.
- Canonical JSON, JCS normalized; BLAKE3 + SHA-256 recorded; DSSE sidecar at `docs/benchmarks/vex-justifications.catalog.dsse.json`.
- Fields per entry: `id`, `title`, `description`, `applicability`, `required_evidence`, `expiry_days`, `reevaluate_on`, `rbac`, `policy_links`, `uncertainty_gate`.
- Covers VEX1VEX10 (vulnerable_code_not_present, component_not_present, config_not_vulnerable, unreachable, runtime guard, compensating control, update staged, analysis ongoing, EOL scope, false positive proven).
## Determinism rules
- Canonical JSON with sorted keys; arrays sorted by `id`.
@@ -29,14 +40,9 @@ Scope: Define deterministic VEX evidence bundles, justification catalog, and ver
- DSSE subject = canonical JSON hash; verifier must check hash + signature.
## Offline verification
- `scripts/vex/verify_proof_bundle.py` (to be authored) validates schema, hashes, DSSE, and CAS availability.
- No network calls; CAS paths resolved locally via `--cas-root`.
- `scripts/vex/verify_proof_bundle.py` validates schema, catalog membership, DSSE references, CAS hashes, entrypoint coverage/negative tests, RBAC, reevaluation triggers, and uncertainty gates. No network calls; CAS paths resolved via `--cas-root`.
- Quick check: `tests/Vex/ProofBundles/test_verify_sample.sh`
## Fixtures (to add)
- `tests/Vex/ProofBundles/sample-proof-bundle.json` with matching DSSE.
- `docs/benchmarks/vex-justifications.catalog.json` with 5 sample justifications (VEX1VEX5).
## Next steps
- Freeze `proofBundle.schema.json` and justification catalog hashes.
- Implement `verify_proof_bundle.py` and add CI job to run it over fixtures.
- Wire sprint 0401 tasks 62/64/65 to these artifacts; update Decisions & Risks once frozen.
## Fixtures
- `tests/Vex/ProofBundles/sample-proof-bundle.json` (+ DSSE) grounded in CAS artefacts under `tests/Vex/ProofBundles/cas/`.
- `docs/benchmarks/vex-justifications.catalog.json` with VEX1VEX10 entries and DSSE sidecar.

225
docs/benchmarks/vex-evidence-playbook.schema.json Normal file
View File

@@ -0,0 +1,225 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stellaops.local/docs/benchmarks/vex-evidence-playbook.schema.json",
"title": "StellaOps VEX Proof Bundle",
"type": "object",
"additionalProperties": false,
"required": [
"id",
"version",
"created_at",
"created_by",
"graph",
"openvex",
"justification",
"entrypoints",
"evidence",
"rbac",
"reevaluation",
"uncertainty",
"signatures"
],
"properties": {
"id": {
"type": "string",
"description": "Stable proof bundle identifier (URN recommended)."
},
"version": {
"type": "string",
"description": "Semantic version of the bundle payload schema."
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "UTC timestamp when the bundle was produced."
},
"created_by": {
"type": "string",
"description": "Issuer of the bundle (service, user, or automation identity)."
},
"graph": {
"type": "object",
"additionalProperties": false,
"required": ["hash"],
"properties": {
"hash": {
"$ref": "#/definitions/digest",
"description": "BLAKE3-256 (preferred) or SHA-256 hash of the reachability graph."
},
"dsse": { "$ref": "#/definitions/dsseRef" },
"revision_id": {
"type": "string",
"description": "Optional graph revision identifier or CAS key."
}
}
},
"openvex": {
"type": "object",
"additionalProperties": false,
"required": ["path", "statement_id", "canonical_sha256", "canonical_blake3", "serialization"],
"properties": {
"path": { "type": "string" },
"statement_id": { "type": "string" },
"canonical_sha256": { "$ref": "#/definitions/sha256" },
"canonical_blake3": { "$ref": "#/definitions/blake3" },
"serialization": {
"type": "string",
"enum": ["canonical-json", "csaf", "cyclonedx"],
"description": "Serialization strategy for the OpenVEX payload."
}
}
},
"justification": {
"type": "object",
"additionalProperties": false,
"required": ["id"],
"properties": {
"id": {
"type": "string",
"description": "Justification catalog identifier (e.g., VEX1.vulnerable_code_not_present)."
},
"dsse": { "$ref": "#/definitions/dsseRef" }
}
},
"entrypoints": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"required": ["id", "coverage_percent", "negative_tests", "config_hash", "flags_hash"],
"properties": {
"id": { "type": "string" },
"coverage_percent": {
"type": "number",
"minimum": 0,
"maximum": 100
},
"negative_tests": { "type": "boolean" },
"config_hash": { "$ref": "#/definitions/sha256" },
"flags_hash": { "$ref": "#/definitions/sha256" },
"evidence_links": {
"type": "array",
"items": { "type": "string" }
}
}
}
},
"evidence": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"required": ["type", "cas_uri", "hash", "expires_at"],
"properties": {
"type": {
"type": "string",
"enum": ["graph", "coverage", "runtime_trace", "negative_test", "config", "flags", "sbom", "scan", "policy"]
},
"cas_uri": { "type": "string" },
"hash": { "$ref": "#/definitions/digest" },
"dsse": { "$ref": "#/definitions/dsseRef" },
"expires_at": { "type": "string", "format": "date-time" }
}
}
},
"rbac": {
"type": "object",
"additionalProperties": false,
"required": ["roles_allowed", "approvals_required"],
"properties": {
"roles_allowed": {
"type": "array",
"minItems": 1,
"items": { "type": "string" }
},
"approvals_required": {
"type": "integer",
"minimum": 1
},
"enforcement": {
"type": "string",
"description": "How RBAC is enforced (policy, signer, or both)."
}
}
},
"reevaluation": {
"type": "object",
"additionalProperties": false,
"required": ["on_sbom_change", "on_graph_change", "on_runtime_change"],
"properties": {
"on_sbom_change": { "type": "boolean" },
"on_graph_change": { "type": "boolean" },
"on_runtime_change": { "type": "boolean" },
"ttl_days": {
"type": "integer",
"minimum": 1,
"description": "Maximum lifetime before forced reevaluation."
}
}
},
"uncertainty": {
"type": "object",
"additionalProperties": false,
"required": ["state", "entropy"],
"properties": {
"state": { "type": "string", "enum": ["U0-none", "U1-low", "U2-medium", "U3-high"] },
"entropy": { "type": "number", "minimum": 0, "maximum": 1 },
"notes": { "type": "string" }
}
},
"policy": {
"type": "object",
"additionalProperties": false,
"properties": {
"decision": { "type": "string" },
"decision_reason": { "type": "string" },
"openvex_serialization": { "type": "string" },
"canonical_encoding": { "type": "string" }
}
},
"signatures": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"required": ["type", "key_id", "envelope_digest"],
"properties": {
"type": { "type": "string", "enum": ["dsse", "jws"] },
"key_id": { "type": "string" },
"sig": { "type": "string" },
"envelope_digest": { "$ref": "#/definitions/sha256" },
"rekor_log_id": { "type": "string" },
"rekor_entry_uuid": { "type": "string" },
"transparency_checkpoint": { "type": "string" }
}
}
}
},
"definitions": {
"sha256": {
"type": "string",
"pattern": "^sha256:[A-Fa-f0-9]{64}$"
},
"blake3": {
"type": "string",
"pattern": "^blake3:[A-Fa-f0-9]{64}$"
},
"digest": {
"type": "string",
"pattern": "^(sha256|blake3):[A-Fa-f0-9]{64}$"
},
"dsseRef": {
"type": "object",
"additionalProperties": false,
"required": ["path", "sha256"],
"properties": {
"path": { "type": "string" },
"sha256": { "$ref": "#/definitions/sha256" },
"payload_sha256": { "$ref": "#/definitions/sha256" }
}
}
}
}

19
docs/benchmarks/vex-justifications.catalog.dsse.json Normal file
View File

File diff suppressed because one or more lines are too long

265
docs/benchmarks/vex-justifications.catalog.json Normal file
View File

@@ -0,0 +1,265 @@
{
"version": "1.0.0",
"generated_at": "2025-12-04T00:00:00Z",
"entries": [
{
"id": "VEX1.vulnerable_code_not_present",
"title": "Vulnerable code removed or not shipped",
"description": "Binary artifacts do not contain the vulnerable code paths; validated via reachability graph and reproducible build metadata.",
"applicability": [
"not_affected"
],
"required_evidence": [
"graph_hash",
"entrypoint_coverage>=95",
"negative_tests",
"config_hash"
],
"expiry_days": 90,
"reevaluate_on": [
"sbom_change",
"graph_change",
"runtime_change"
],
"rbac": [
"vex-author",
"policy-admin"
],
"policy_links": [
"docs/policy/dsl.md#requirevex"
],
"uncertainty_gate": "U1-low"
},
{
"id": "VEX2.component_not_present",
"title": "Component not present in runtime image",
"description": "SBOM and runtime inventory confirm the vulnerable component is absent from the shipped artifact.",
"applicability": [
"not_affected"
],
"required_evidence": [
"sbom_digest",
"runtime_inventory",
"config_hash"
],
"expiry_days": 60,
"reevaluate_on": [
"sbom_change",
"runtime_change"
],
"rbac": [
"vex-author"
],
"policy_links": [
"docs/modules/excititor/architecture.md#normalization"
],
"uncertainty_gate": "U1-low"
},
{
"id": "VEX3.config_not_vulnerable",
"title": "Configuration disables vulnerable feature",
"description": "Configuration and feature flags disable the vulnerable execution path; enforced by config/flag hashing and negative tests.",
"applicability": [
"not_affected"
],
"required_evidence": [
"config_hash",
"flags_hash",
"negative_tests"
],
"expiry_days": 45,
"reevaluate_on": [
"config_change",
"flags_change",
"runtime_change"
],
"rbac": [
"vex-author",
"release-manager"
],
"policy_links": [
"docs/benchmarks/vex-evidence-playbook.md"
],
"uncertainty_gate": "U2-medium"
},
{
"id": "VEX4.vulnerable_code_not_in_execute_path",
"title": "Code not reachable from declared entrypoints",
"description": "Reachability analysis shows no call paths from declared entrypoints to vulnerable functions; runtime probes corroborate.",
"applicability": [
"not_affected"
],
"required_evidence": [
"graph_hash",
"entrypoint_coverage>=95",
"runtime_traces"
],
"expiry_days": 45,
"reevaluate_on": [
"graph_change",
"runtime_change"
],
"rbac": [
"vex-author",
"signals-operator"
],
"policy_links": [
"docs/reachability/function-level-evidence.md"
],
"uncertainty_gate": "U1-low"
},
{
"id": "VEX5.mitigated_by_runtime_guard",
"title": "Runtime guard blocks exploitation",
"description": "Exploit is prevented by runtime guardrails (WAF/sandbox/feature flag) proven via negative test and telemetry.",
"applicability": [
"not_affected",
"affected"
],
"required_evidence": [
"runtime_traces",
"negative_tests",
"guard_policy"
],
"expiry_days": 30,
"reevaluate_on": [
"runtime_change",
"policy_change"
],
"rbac": [
"vex-author",
"security-ops"
],
"policy_links": [
"docs/uncertainty/README.md"
],
"uncertainty_gate": "U2-medium"
},
{
"id": "VEX6.compensating_control_documented",
"title": "Compensating control accepted",
"description": "A documented compensating control reduces exploitability; requires approval evidence and expiry.",
"applicability": [
"affected",
"under_investigation"
],
"required_evidence": [
"control_record",
"rbac_approval",
"expiry"
],
"expiry_days": 30,
"reevaluate_on": [
"policy_change",
"expiry"
],
"rbac": [
"policy-admin",
"risk-owner"
],
"policy_links": [
"docs/migration/exception-governance.md"
],
"uncertainty_gate": "U3-high"
},
{
"id": "VEX7.update_available",
"title": "Update available and staged",
"description": "Fix is available and staged for rollout; VEX documents status and planned activation window.",
"applicability": [
"affected",
"fixed"
],
"required_evidence": [
"fixed_version",
"staging_hash",
"rollout_window"
],
"expiry_days": 15,
"reevaluate_on": [
"rollout_change"
],
"rbac": [
"release-manager"
],
"policy_links": [
"docs/ui/advisories-and-vex.md"
],
"uncertainty_gate": "U2-medium"
},
{
"id": "VEX8.analysis_ongoing",
"title": "Analysis ongoing with SLA",
"description": "Investigation underway with defined SLA and evidence collection plan.",
"applicability": [
"under_investigation"
],
"required_evidence": [
"investigation_plan",
"sla_date",
"owner"
],
"expiry_days": 7,
"reevaluate_on": [
"sla_date"
],
"rbac": [
"vex-author"
],
"policy_links": [
"docs/modules/excititor/architecture.md#normalization"
],
"uncertainty_gate": "U3-high"
},
{
"id": "VEX9.eol_not_applicable",
"title": "Product out of scope / EOL",
"description": "Asset is out of scope or end-of-life and isolated; policy enforces quarantine rather than blanket ignore.",
"applicability": [
"not_affected"
],
"required_evidence": [
"asset_scope",
"quarantine_policy",
"rbac_approval"
],
"expiry_days": 30,
"reevaluate_on": [
"asset_change"
],
"rbac": [
"policy-admin"
],
"policy_links": [
"docs/observability/policy.md"
],
"uncertainty_gate": "U2-medium"
},
{
"id": "VEX10.false_positive_proven",
"title": "Scanner false positive disproven",
"description": "Deterministic reproduction shows the vulnerability is not actually present; includes counter-evidence and replay seed.",
"applicability": [
"not_affected"
],
"required_evidence": [
"replay_manifest",
"negative_tests",
"sbom_digest"
],
"expiry_days": 45,
"reevaluate_on": [
"scanner_update",
"sbom_change"
],
"rbac": [
"vex-author",
"qa"
],
"policy_links": [
"docs/replay/DETERMINISTIC_REPLAY.md"
],
"uncertainty_gate": "U1-low"
}
]
}