Add sample proof bundle configurations and verification script

- Introduced sample proof bundle configuration files for testing, including `sample-proof-bundle-config.dsse.json`, `sample-proof-bundle.dsse.json`, and `sample-proof-bundle.json`. - Implemented a verification script `test_verify_sample.sh` to validate proof bundles against specified schemas and catalogs. - Updated existing proof bundle configurations with new metadata, including versioning, created timestamps, and justification details. - Enhanced evidence entries with expiration dates and hashes for better integrity checks. - Ensured all new configurations adhere to the defined schema for consistency and reliability in testing.
2025-12-04 08:54:32 +02:00
parent e1262eb916
commit 4dc7cf834a
76 changed files with 3051 additions and 355 deletions
--- a/tests/Vex/ProofBundles/sample-proof-bundle.json
+++ b/tests/Vex/ProofBundles/sample-proof-bundle.json
@@ -0,0 +1,126 @@
+{
+  "id": "urn:stellaops:proofbundle:sample-hello-1",
+  "version": "1.0.0",
+  "created_at": "2025-12-04T00:00:00Z",
+  "created_by": "StellaOps QA Guild",
+  "graph": {
+    "hash": "blake3:74640754695e6e5cda4156a0ef1fd3a557d802ef118fef8afaed67089cd39cb1",
+    "dsse": {
+      "path": "tests/Vex/ProofBundles/cas/graph.json.dsse.json",
+      "sha256": "sha256:3bb1dc6af5c974635ed387fdf938f5a983c370d77d01a032aa63f5407efcfc7f",
+      "payload_sha256": "sha256:34d8051bb97bd3c034e6a2221474ce2faaaca59357721fa1b47df88a281d057b"
+    }
+  },
+  "openvex": {
+    "path": "tests/Vex/ProofBundles/openvex-sample.json",
+    "statement_id": "urn:stellaops:vex:statement:sample-hello-1",
+    "canonical_sha256": "sha256:94063a78cc1b0ce363941467c8e67e368c11de4d82625c2cf05cedd773257a3e",
+    "canonical_blake3": "blake3:03504f2b1c3b29870851baebc9e6658b76af2e92620767089cecb4c20072d84b",
+    "serialization": "canonical-json"
+  },
+  "justification": {
+    "id": "VEX1.vulnerable_code_not_present",
+    "dsse": {
+      "path": "docs/benchmarks/vex-justifications.catalog.dsse.json",
+      "sha256": "sha256:7df3cbd970bc851b51ce35ff1c61f927b62fe3514e5ff6313a5bad26d675b0c7"
+    }
+  },
+  "entrypoints": [
+    {
+      "id": "app://api/GET-/healthz",
+      "coverage_percent": 96.3,
+      "negative_tests": true,
+      "config_hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc",
+      "flags_hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53"
+    },
+    {
+      "id": "app://worker/queue/default",
+      "coverage_percent": 95.1,
+      "negative_tests": true,
+      "config_hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc",
+      "flags_hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53"
+    }
+  ],
+  "evidence": [
+    {
+      "type": "graph",
+      "cas_uri": "cas://graph.json",
+      "hash": "blake3:74640754695e6e5cda4156a0ef1fd3a557d802ef118fef8afaed67089cd39cb1",
+      "dsse": {
+        "path": "tests/Vex/ProofBundles/cas/graph.json.dsse.json",
+        "sha256": "sha256:3bb1dc6af5c974635ed387fdf938f5a983c370d77d01a032aa63f5407efcfc7f"
+      },
+      "expires_at": "2026-12-31T00:00:00Z"
+    },
+    {
+      "type": "coverage",
+      "cas_uri": "cas://coverage.json",
+      "hash": "sha256:422f9840d6facaae093d6496eeac472e10b19519854953454107c1b14945f510",
+      "dsse": {
+        "path": "tests/Vex/ProofBundles/cas/coverage.json.dsse.json",
+        "sha256": "sha256:606864d2165b9ddfea664dca36318616e5ea575e2e96e7fa2bc204cc3f79fe2f"
+      },
+      "expires_at": "2026-06-30T00:00:00Z"
+    },
+    {
+      "type": "runtime_trace",
+      "cas_uri": "cas://runtime-trace.ndjson",
+      "hash": "sha256:c0a91f645b899e4572ec24603916cdfe982934f47ebdaec2ef67ee9303568a77",
+      "expires_at": "2026-06-30T00:00:00Z"
+    },
+    {
+      "type": "negative_test",
+      "cas_uri": "cas://negative-tests.ndjson",
+      "hash": "sha256:09efda057796b8f0f0fa001505d9e684cf04e05ac8e3c6fe24476a367bb78aaa",
+      "expires_at": "2026-06-30T00:00:00Z"
+    },
+    {
+      "type": "config",
+      "cas_uri": "cas://config.lock",
+      "hash": "sha256:bb490ce4cde60768e2b61571bbe448290e4256d2d930adea0ee24c07e5c63dbc",
+      "expires_at": "2026-03-31T00:00:00Z"
+    },
+    {
+      "type": "flags",
+      "cas_uri": "cas://flags.json",
+      "hash": "sha256:d060ab8cdf75aeda6363bcc6de495e27b53c9d5938d97f5492e864681d8cbe53",
+      "expires_at": "2026-03-31T00:00:00Z"
+    }
+  ],
+  "reevaluation": {
+    "on_sbom_change": true,
+    "on_graph_change": true,
+    "on_runtime_change": true,
+    "ttl_days": 30
+  },
+  "rbac": {
+    "roles_allowed": [
+      "vex-author",
+      "policy-admin"
+    ],
+    "approvals_required": 2,
+    "enforcement": "policy+signer"
+  },
+  "uncertainty": {
+    "state": "U1-low",
+    "entropy": 0.08,
+    "notes": "Coverage >95% and negative tests clean; runtime probes match reachability graph."
+  },
+  "policy": {
+    "decision": "not_affected",
+    "decision_reason": "vulnerable_code_not_present",
+    "openvex_serialization": "canonical-json",
+    "canonical_encoding": "JCS"
+  },
+  "signatures": [
+    {
+      "type": "dsse",
+      "key_id": "demo-root",
+      "sig": "C3miJFhDRdNTxnBJSXSKeiilqTaF44poXV3GHAjfVxQ=",
+      "envelope_digest": "sha256:cacd00d318a3f0b3f579f57322619f99e772cced0c2a7bf14a684c6ce55da7b4",
+      "rekor_log_id": "demo-log",
+      "rekor_entry_uuid": "demo-entry-0001",
+      "transparency_checkpoint": "checkpoint-demo"
+    }
+  ]
+}