Add sample proof bundle configurations and verification script

- Introduced sample proof bundle configuration files for testing, including `sample-proof-bundle-config.dsse.json`, `sample-proof-bundle.dsse.json`, and `sample-proof-bundle.json`.
- Implemented a verification script `test_verify_sample.sh` to validate proof bundles against specified schemas and catalogs.
- Updated existing proof bundle configurations with new metadata, including versioning, created timestamps, and justification details.
- Enhanced evidence entries with expiration dates and hashes for better integrity checks.
- Ensured all new configurations adhere to the defined schema for consistency and reliability in testing.

docs/benchmarks/vex-justifications.catalog.json

@@ -0,0 +1,265 @@
+{
+  "version": "1.0.0",
+  "generated_at": "2025-12-04T00:00:00Z",
+  "entries": [
+    {
+      "id": "VEX1.vulnerable_code_not_present",
+      "title": "Vulnerable code removed or not shipped",
+      "description": "Binary artifacts do not contain the vulnerable code paths; validated via reachability graph and reproducible build metadata.",
+      "applicability": [
+        "not_affected"
+      ],
+      "required_evidence": [
+        "graph_hash",
+        "entrypoint_coverage>=95",
+        "negative_tests",
+        "config_hash"
+      ],
+      "expiry_days": 90,
+      "reevaluate_on": [
+        "sbom_change",
+        "graph_change",
+        "runtime_change"
+      ],
+      "rbac": [
+        "vex-author",
+        "policy-admin"
+      ],
+      "policy_links": [
+        "docs/policy/dsl.md#requirevex"
+      ],
+      "uncertainty_gate": "U1-low"
+    },
+    {
+      "id": "VEX2.component_not_present",
+      "title": "Component not present in runtime image",
+      "description": "SBOM and runtime inventory confirm the vulnerable component is absent from the shipped artifact.",
+      "applicability": [
+        "not_affected"
+      ],
+      "required_evidence": [
+        "sbom_digest",
+        "runtime_inventory",
+        "config_hash"
+      ],
+      "expiry_days": 60,
+      "reevaluate_on": [
+        "sbom_change",
+        "runtime_change"
+      ],
+      "rbac": [
+        "vex-author"
+      ],
+      "policy_links": [
+        "docs/modules/excititor/architecture.md#normalization"
+      ],
+      "uncertainty_gate": "U1-low"
+    },
+    {
+      "id": "VEX3.config_not_vulnerable",
+      "title": "Configuration disables vulnerable feature",
+      "description": "Configuration and feature flags disable the vulnerable execution path; enforced by config/flag hashing and negative tests.",
+      "applicability": [
+        "not_affected"
+      ],
+      "required_evidence": [
+        "config_hash",
+        "flags_hash",
+        "negative_tests"
+      ],
+      "expiry_days": 45,
+      "reevaluate_on": [
+        "config_change",
+        "flags_change",
+        "runtime_change"
+      ],
+      "rbac": [
+        "vex-author",
+        "release-manager"
+      ],
+      "policy_links": [
+        "docs/benchmarks/vex-evidence-playbook.md"
+      ],
+      "uncertainty_gate": "U2-medium"
+    },
+    {
+      "id": "VEX4.vulnerable_code_not_in_execute_path",
+      "title": "Code not reachable from declared entrypoints",
+      "description": "Reachability analysis shows no call paths from declared entrypoints to vulnerable functions; runtime probes corroborate.",
+      "applicability": [
+        "not_affected"
+      ],
+      "required_evidence": [
+        "graph_hash",
+        "entrypoint_coverage>=95",
+        "runtime_traces"
+      ],
+      "expiry_days": 45,
+      "reevaluate_on": [
+        "graph_change",
+        "runtime_change"
+      ],
+      "rbac": [
+        "vex-author",
+        "signals-operator"
+      ],
+      "policy_links": [
+        "docs/reachability/function-level-evidence.md"
+      ],
+      "uncertainty_gate": "U1-low"
+    },
+    {
+      "id": "VEX5.mitigated_by_runtime_guard",
+      "title": "Runtime guard blocks exploitation",
+      "description": "Exploit is prevented by runtime guardrails (WAF/sandbox/feature flag) proven via negative test and telemetry.",
+      "applicability": [
+        "not_affected",
+        "affected"
+      ],
+      "required_evidence": [
+        "runtime_traces",
+        "negative_tests",
+        "guard_policy"
+      ],
+      "expiry_days": 30,
+      "reevaluate_on": [
+        "runtime_change",
+        "policy_change"
+      ],
+      "rbac": [
+        "vex-author",
+        "security-ops"
+      ],
+      "policy_links": [
+        "docs/uncertainty/README.md"
+      ],
+      "uncertainty_gate": "U2-medium"
+    },
+    {
+      "id": "VEX6.compensating_control_documented",
+      "title": "Compensating control accepted",
+      "description": "A documented compensating control reduces exploitability; requires approval evidence and expiry.",
+      "applicability": [
+        "affected",
+        "under_investigation"
+      ],
+      "required_evidence": [
+        "control_record",
+        "rbac_approval",
+        "expiry"
+      ],
+      "expiry_days": 30,
+      "reevaluate_on": [
+        "policy_change",
+        "expiry"
+      ],
+      "rbac": [
+        "policy-admin",
+        "risk-owner"
+      ],
+      "policy_links": [
+        "docs/migration/exception-governance.md"
+      ],
+      "uncertainty_gate": "U3-high"
+    },
+    {
+      "id": "VEX7.update_available",
+      "title": "Update available and staged",
+      "description": "Fix is available and staged for rollout; VEX documents status and planned activation window.",
+      "applicability": [
+        "affected",
+        "fixed"
+      ],
+      "required_evidence": [
+        "fixed_version",
+        "staging_hash",
+        "rollout_window"
+      ],
+      "expiry_days": 15,
+      "reevaluate_on": [
+        "rollout_change"
+      ],
+      "rbac": [
+        "release-manager"
+      ],
+      "policy_links": [
+        "docs/ui/advisories-and-vex.md"
+      ],
+      "uncertainty_gate": "U2-medium"
+    },
+    {
+      "id": "VEX8.analysis_ongoing",
+      "title": "Analysis ongoing with SLA",
+      "description": "Investigation underway with defined SLA and evidence collection plan.",
+      "applicability": [
+        "under_investigation"
+      ],
+      "required_evidence": [
+        "investigation_plan",
+        "sla_date",
+        "owner"
+      ],
+      "expiry_days": 7,
+      "reevaluate_on": [
+        "sla_date"
+      ],
+      "rbac": [
+        "vex-author"
+      ],
+      "policy_links": [
+        "docs/modules/excititor/architecture.md#normalization"
+      ],
+      "uncertainty_gate": "U3-high"
+    },
+    {
+      "id": "VEX9.eol_not_applicable",
+      "title": "Product out of scope / EOL",
+      "description": "Asset is out of scope or end-of-life and isolated; policy enforces quarantine rather than blanket ignore.",
+      "applicability": [
+        "not_affected"
+      ],
+      "required_evidence": [
+        "asset_scope",
+        "quarantine_policy",
+        "rbac_approval"
+      ],
+      "expiry_days": 30,
+      "reevaluate_on": [
+        "asset_change"
+      ],
+      "rbac": [
+        "policy-admin"
+      ],
+      "policy_links": [
+        "docs/observability/policy.md"
+      ],
+      "uncertainty_gate": "U2-medium"
+    },
+    {
+      "id": "VEX10.false_positive_proven",
+      "title": "Scanner false positive disproven",
+      "description": "Deterministic reproduction shows the vulnerability is not actually present; includes counter-evidence and replay seed.",
+      "applicability": [
+        "not_affected"
+      ],
+      "required_evidence": [
+        "replay_manifest",
+        "negative_tests",
+        "sbom_digest"
+      ],
+      "expiry_days": 45,
+      "reevaluate_on": [
+        "scanner_update",
+        "sbom_change"
+      ],
+      "rbac": [
+        "vex-author",
+        "qa"
+      ],
+      "policy_links": [
+        "docs/replay/DETERMINISTIC_REPLAY.md"
+      ],
+      "uncertainty_gate": "U1-low"
+    }
+  ]
+}