Add sample proof bundle configurations and verification script

- Introduced sample proof bundle configuration files for testing, including `sample-proof-bundle-config.dsse.json`, `sample-proof-bundle.dsse.json`, and `sample-proof-bundle.json`. - Implemented a verification script `test_verify_sample.sh` to validate proof bundles against specified schemas and catalogs. - Updated existing proof bundle configurations with new metadata, including versioning, created timestamps, and justification details. - Enhanced evidence entries with expiration dates and hashes for better integrity checks. - Ensured all new configurations adhere to the defined schema for consistency and reliability in testing.
2025-12-04 08:54:32 +02:00
parent e1262eb916
commit 4dc7cf834a
76 changed files with 3051 additions and 355 deletions
--- a/tests/Vex/ProofBundles/sample-proof-bundle-config.json
+++ b/tests/Vex/ProofBundles/sample-proof-bundle-config.json
@@ -0,0 +1,126 @@
+{
+  "id": "urn:stellaops:proofbundle:config-guard-1",
+  "version": "1.0.0",
+  "created_at": "2025-12-04T00:00:00Z",
+  "created_by": "StellaOps Policy Guild",
+  "graph": {
+    "hash": "blake3:74640754695e6e5cda4156a0ef1fd3a557d802ef118fef8afaed67089cd39cb1",
+    "dsse": {
+      "path": "tests/Vex/ProofBundles/cas/graph.json.dsse.json",
+      "sha256": "sha256:3bb1dc6af5c974635ed387fdf938f5a983c370d77d01a032aa63f5407efcfc7f",
+      "payload_sha256": "sha256:34d8051bb97bd3c034e6a2221474ce2faaaca59357721fa1b47df88a281d057b"
+    }
+  },
+  "openvex": {
+    "path": "tests/Vex/ProofBundles/openvex-config.json",
+    "statement_id": "urn:stellaops:vex:statement:config-guard-1",
+    "canonical_sha256": "sha256:0a3fa66fdd50ef88a1b34ae6776045a8e9a4317720d7d875535d916fbb7f81b9",
+    "canonical_blake3": "blake3:72048e489468656312ecac497da8daea731804a530f01d19bb393fef7274c736",
+    "serialization": "canonical-json"
+  },
+  "justification": {
+    "id": "VEX3.config_not_vulnerable",
+    "dsse": {
+      "path": "docs/benchmarks/vex-justifications.catalog.dsse.json",
+      "sha256": "sha256:7df3cbd970bc851b51ce35ff1c61f927b62fe3514e5ff6313a5bad26d675b0c7"
+    }
+  },
+  "entrypoints": [
+    {
+      "id": "app://api/GET-/healthz",
+      "coverage_percent": 97.4,
+      "negative_tests": true,
+      "config_hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc",
+      "flags_hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53"
+    },
+    {
+      "id": "app://worker/queue/default",
+      "coverage_percent": 97.1,
+      "negative_tests": true,
+      "config_hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc",
+      "flags_hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53"
+    }
+  ],
+  "evidence": [
+    {
+      "type": "graph",
+      "cas_uri": "cas://graph.json",
+      "hash": "blake3:74640754695e6e5cda4156a0ef1fd3a557d802ef118fef8afaed67089cd39cb1",
+      "dsse": {
+        "path": "tests/Vex/ProofBundles/cas/graph.json.dsse.json",
+        "sha256": "sha256:3bb1dc6af5c974635ed387fdf938f5a983c370d77d01a032aa63f5407efcfc7f"
+      },
+      "expires_at": "2026-12-31T00:00:00Z"
+    },
+    {
+      "type": "coverage",
+      "cas_uri": "cas://coverage.json",
+      "hash": "sha256:422f9840d6facaae093d6496eeac472e10b19519854953454107c1b14945f510",
+      "dsse": {
+        "path": "tests/Vex/ProofBundles/cas/coverage.json.dsse.json",
+        "sha256": "sha256:606864d2165b9ddfea664dca36318616e5ea575e2e96e7fa2bc204cc3f79fe2f"
+      },
+      "expires_at": "2026-06-30T00:00:00Z"
+    },
+    {
+      "type": "runtime_trace",
+      "cas_uri": "cas://runtime-trace.ndjson",
+      "hash": "sha256:c0a91f645b899e4572ec24603916cdfe982934f47ebdaec2ef67ee9303568a77",
+      "expires_at": "2026-06-30T00:00:00Z"
+    },
+    {
+      "type": "negative_test",
+      "cas_uri": "cas://negative-tests.ndjson",
+      "hash": "sha256:09efda057796b8f0f0fa001505d9e684cf04e05ac8e3c6fe24476a367bb78aaa",
+      "expires_at": "2026-06-30T00:00:00Z"
+    },
+    {
+      "type": "config",
+      "cas_uri": "cas://config.lock",
+      "hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc",
+      "expires_at": "2026-03-31T00:00:00Z"
+    },
+    {
+      "type": "flags",
+      "cas_uri": "cas://flags.json",
+      "hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53",
+      "expires_at": "2026-03-31T00:00:00Z"
+    }
+  ],
+  "reevaluation": {
+    "on_sbom_change": true,
+    "on_graph_change": true,
+    "on_runtime_change": true,
+    "ttl_days": 30
+  },
+  "rbac": {
+    "roles_allowed": [
+      "vex-author",
+      "policy-admin"
+    ],
+    "approvals_required": 2,
+    "enforcement": "policy+signer"
+  },
+  "uncertainty": {
+    "state": "U2-medium",
+    "entropy": 0.17,
+    "notes": "Config gating + negative tests; coverage >97%."
+  },
+  "policy": {
+    "decision": "not_affected",
+    "decision_reason": "config_not_vulnerable",
+    "openvex_serialization": "canonical-json",
+    "canonical_encoding": "JCS"
+  },
+  "signatures": [
+    {
+      "type": "dsse",
+      "key_id": "demo-root",
+      "sig": "C3miJFhDRdNTxnBJSXSKeiilqTaF44poXV3GHAjfVxQ=",
+      "envelope_digest": "sha256:ea551c28a3b463f6e510e19674da9051e2e02d5dfd1507697750cc3def649667",
+      "rekor_log_id": "demo-log",
+      "rekor_entry_uuid": "demo-entry-0002",
+      "transparency_checkpoint": "checkpoint-config"
+    }
+  ]
+}