feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions
--- a/docs/attestor/schemas/calibration-manifest.schema.json
+++ b/docs/attestor/schemas/calibration-manifest.schema.json
@@ -0,0 +1,169 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stella-ops.org/schemas/calibration-manifest/1.0.0",
+  "title": "Calibration Manifest",
+  "description": "Record of trust vector calibration based on post-mortem truth comparison",
+  "type": "object",
+  "required": ["manifestId", "sourceId", "epochNumber", "calibratedAt"],
+  "properties": {
+    "manifestId": {
+      "type": "string",
+      "description": "Unique identifier for this calibration record"
+    },
+    "sourceId": {
+      "type": "string",
+      "description": "VEX source being calibrated"
+    },
+    "tenant": {
+      "type": "string",
+      "description": "Tenant scope (optional for global calibration)"
+    },
+    "epochNumber": {
+      "type": "integer",
+      "description": "Calibration epoch number",
+      "minimum": 1
+    },
+    "previousVector": {
+      "$ref": "#/$defs/TrustVectorValues"
+    },
+    "calibratedVector": {
+      "$ref": "#/$defs/TrustVectorValues"
+    },
+    "delta": {
+      "$ref": "#/$defs/CalibrationDelta"
+    },
+    "comparison": {
+      "$ref": "#/$defs/ComparisonResult"
+    },
+    "detectedBias": {
+      "type": "string",
+      "description": "Detected bias type, if any",
+      "enum": ["optimistic_bias", "pessimistic_bias", "scope_bias", "none"]
+    },
+    "configuration": {
+      "$ref": "#/$defs/CalibrationConfiguration"
+    },
+    "calibratedAt": {
+      "type": "string",
+      "description": "When calibration was performed",
+      "format": "date-time"
+    },
+    "manifestDigest": {
+      "type": "string",
+      "description": "SHA256 digest of this manifest",
+      "pattern": "^sha256:[a-f0-9]{64}$"
+    }
+  },
+  "$defs": {
+    "TrustVectorValues": {
+      "type": "object",
+      "description": "Trust vector component values",
+      "required": ["provenance", "coverage", "replayability"],
+      "properties": {
+        "provenance": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "coverage": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "replayability": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1
+        }
+      }
+    },
+    "CalibrationDelta": {
+      "type": "object",
+      "description": "Adjustment applied to trust vector",
+      "properties": {
+        "deltaP": {
+          "type": "number",
+          "description": "Change in provenance score"
+        },
+        "deltaC": {
+          "type": "number",
+          "description": "Change in coverage score"
+        },
+        "deltaR": {
+          "type": "number",
+          "description": "Change in replayability score"
+        }
+      }
+    },
+    "ComparisonResult": {
+      "type": "object",
+      "description": "Result of comparing claims to post-mortem truth",
+      "required": ["sourceId", "accuracy"],
+      "properties": {
+        "sourceId": {
+          "type": "string"
+        },
+        "accuracy": {
+          "type": "number",
+          "description": "Accuracy score (0-1)",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "totalClaims": {
+          "type": "integer",
+          "description": "Total claims evaluated",
+          "minimum": 0
+        },
+        "correctClaims": {
+          "type": "integer",
+          "description": "Claims matching post-mortem truth",
+          "minimum": 0
+        },
+        "evaluationPeriodStart": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "evaluationPeriodEnd": {
+          "type": "string",
+          "format": "date-time"
+        }
+      }
+    },
+    "CalibrationConfiguration": {
+      "type": "object",
+      "description": "Configuration used for calibration",
+      "properties": {
+        "learningRate": {
+          "type": "number",
+          "description": "Learning rate per epoch",
+          "default": 0.02
+        },
+        "maxAdjustmentPerEpoch": {
+          "type": "number",
+          "description": "Maximum adjustment per epoch",
+          "default": 0.05
+        },
+        "minValue": {
+          "type": "number",
+          "description": "Minimum trust component value",
+          "default": 0.10
+        },
+        "maxValue": {
+          "type": "number",
+          "description": "Maximum trust component value",
+          "default": 1.00
+        },
+        "momentumFactor": {
+          "type": "number",
+          "description": "Momentum factor for smoothing",
+          "default": 0.9
+        },
+        "accuracyThreshold": {
+          "type": "number",
+          "description": "Threshold above which no calibration is needed",
+          "default": 0.95
+        }
+      }
+    }
+  }
+}
--- a/docs/attestor/schemas/claim-score.schema.json
+++ b/docs/attestor/schemas/claim-score.schema.json
@@ -0,0 +1,137 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stella-ops.org/schemas/claim-score/1.0.0",
+  "title": "Claim Score",
+  "description": "VEX claim scoring result using the trust lattice formula: ClaimScore = BaseTrust * M * F",
+  "type": "object",
+  "required": ["sourceId", "status", "claimScore"],
+  "properties": {
+    "sourceId": {
+      "type": "string",
+      "description": "Identifier of the VEX source"
+    },
+    "status": {
+      "type": "string",
+      "description": "VEX status claimed",
+      "enum": ["affected", "not_affected", "fixed", "under_investigation"]
+    },
+    "trustVector": {
+      "$ref": "#/$defs/TrustVectorScores"
+    },
+    "baseTrust": {
+      "type": "number",
+      "description": "Computed base trust from trust vector",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "claimStrength": {
+      "$ref": "#/$defs/ClaimStrength"
+    },
+    "strengthMultiplier": {
+      "type": "number",
+      "description": "Strength multiplier (M) based on evidence quality",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "freshnessMultiplier": {
+      "type": "number",
+      "description": "Freshness decay multiplier (F)",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "freshnessDetails": {
+      "$ref": "#/$defs/FreshnessDetails"
+    },
+    "claimScore": {
+      "type": "number",
+      "description": "Final claim score = BaseTrust * M * F",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "scopeSpecificity": {
+      "type": "integer",
+      "description": "Scope specificity level (higher = more specific)",
+      "minimum": 0
+    },
+    "issuedAt": {
+      "type": "string",
+      "description": "When the VEX claim was issued",
+      "format": "date-time"
+    },
+    "evaluatedAt": {
+      "type": "string",
+      "description": "When the score was computed",
+      "format": "date-time"
+    }
+  },
+  "$defs": {
+    "TrustVectorScores": {
+      "type": "object",
+      "description": "Trust vector component scores",
+      "properties": {
+        "provenance": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "coverage": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "replayability": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1
+        }
+      }
+    },
+    "ClaimStrength": {
+      "type": "object",
+      "description": "Claim strength evidence classification",
+      "properties": {
+        "level": {
+          "type": "string",
+          "description": "Strength level",
+          "enum": [
+            "exploitability_with_reachability",
+            "config_with_evidence",
+            "vendor_blanket",
+            "under_investigation"
+          ]
+        },
+        "multiplier": {
+          "type": "number",
+          "description": "Corresponding multiplier value",
+          "enum": [1.00, 0.80, 0.60, 0.40]
+        }
+      }
+    },
+    "FreshnessDetails": {
+      "type": "object",
+      "description": "Freshness decay calculation details",
+      "properties": {
+        "ageDays": {
+          "type": "number",
+          "description": "Age of the claim in days"
+        },
+        "halfLifeDays": {
+          "type": "number",
+          "description": "Half-life used for decay calculation",
+          "default": 90
+        },
+        "floor": {
+          "type": "number",
+          "description": "Minimum freshness value",
+          "default": 0.35
+        },
+        "decayValue": {
+          "type": "number",
+          "description": "Computed decay value before floor application",
+          "minimum": 0,
+          "maximum": 1
+        }
+      }
+    }
+  }
+}
--- a/docs/attestor/schemas/trust-vector.schema.json
+++ b/docs/attestor/schemas/trust-vector.schema.json
@@ -0,0 +1,84 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stella-ops.org/schemas/trust-vector/1.0.0",
+  "title": "Trust Vector",
+  "description": "3-component trust vector for VEX sources (Provenance, Coverage, Replayability)",
+  "type": "object",
+  "required": ["provenance", "coverage", "replayability"],
+  "properties": {
+    "sourceId": {
+      "type": "string",
+      "description": "Identifier of the VEX source"
+    },
+    "sourceClass": {
+      "type": "string",
+      "description": "Classification of the source",
+      "enum": ["vendor", "distro", "internal", "hub", "attestation"]
+    },
+    "provenance": {
+      "type": "number",
+      "description": "Cryptographic and process integrity score [0..1]",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "coverage": {
+      "type": "number",
+      "description": "Scope match precision score [0..1]",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "replayability": {
+      "type": "number",
+      "description": "Determinism and input pinning score [0..1]",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "weights": {
+      "$ref": "#/$defs/TrustWeights"
+    },
+    "baseTrust": {
+      "type": "number",
+      "description": "Computed base trust: wP*P + wC*C + wR*R",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "computedAt": {
+      "type": "string",
+      "description": "Timestamp when this vector was computed",
+      "format": "date-time"
+    },
+    "version": {
+      "type": "string",
+      "description": "Version of the trust vector configuration"
+    }
+  },
+  "$defs": {
+    "TrustWeights": {
+      "type": "object",
+      "description": "Weights for trust vector components",
+      "properties": {
+        "provenance": {
+          "type": "number",
+          "description": "Weight for provenance component (wP)",
+          "minimum": 0,
+          "maximum": 1,
+          "default": 0.45
+        },
+        "coverage": {
+          "type": "number",
+          "description": "Weight for coverage component (wC)",
+          "minimum": 0,
+          "maximum": 1,
+          "default": 0.35
+        },
+        "replayability": {
+          "type": "number",
+          "description": "Weight for replayability component (wR)",
+          "minimum": 0,
+          "maximum": 1,
+          "default": 0.20
+        }
+      }
+    }
+  }
+}
--- a/docs/attestor/schemas/verdict-manifest.schema.json
+++ b/docs/attestor/schemas/verdict-manifest.schema.json
@@ -0,0 +1,194 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stella-ops.org/schemas/verdict-manifest/1.0.0",
+  "title": "Verdict Manifest",
+  "description": "A signed, immutable record of a VEX decisioning outcome that enables deterministic replay and audit compliance.",
+  "type": "object",
+  "required": [
+    "manifestId",
+    "tenant",
+    "assetDigest",
+    "vulnerabilityId",
+    "inputs",
+    "result",
+    "policyHash",
+    "latticeVersion",
+    "evaluatedAt",
+    "manifestDigest"
+  ],
+  "properties": {
+    "manifestId": {
+      "type": "string",
+      "description": "Unique identifier in format: verd:{tenant}:{asset_short}:{vuln_id}:{timestamp}",
+      "pattern": "^verd:[a-z0-9-]+:[a-f0-9]+:[A-Z0-9-]+:[0-9]+$"
+    },
+    "tenant": {
+      "type": "string",
+      "description": "Tenant identifier for multi-tenancy",
+      "minLength": 1
+    },
+    "assetDigest": {
+      "type": "string",
+      "description": "SHA256 digest of the asset/SBOM",
+      "pattern": "^sha256:[a-f0-9]{64}$"
+    },
+    "vulnerabilityId": {
+      "type": "string",
+      "description": "CVE, GHSA, or vendor vulnerability identifier",
+      "minLength": 1
+    },
+    "inputs": {
+      "$ref": "#/$defs/VerdictInputs"
+    },
+    "result": {
+      "$ref": "#/$defs/VerdictResult"
+    },
+    "policyHash": {
+      "type": "string",
+      "description": "SHA256 hash of the policy configuration",
+      "pattern": "^sha256:[a-f0-9]{64}$"
+    },
+    "latticeVersion": {
+      "type": "string",
+      "description": "Semantic version of the trust lattice algorithm",
+      "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$"
+    },
+    "evaluatedAt": {
+      "type": "string",
+      "description": "ISO 8601 UTC timestamp of evaluation",
+      "format": "date-time"
+    },
+    "manifestDigest": {
+      "type": "string",
+      "description": "SHA256 digest of the canonical manifest (excluding this field)",
+      "pattern": "^sha256:[a-f0-9]{64}$"
+    }
+  },
+  "$defs": {
+    "VerdictInputs": {
+      "type": "object",
+      "description": "All inputs pinned for deterministic replay",
+      "required": ["sbomDigests", "vulnFeedSnapshotIds", "vexDocumentDigests", "clockCutoff"],
+      "properties": {
+        "sbomDigests": {
+          "type": "array",
+          "description": "SHA256 digests of SBOM documents used",
+          "items": {
+            "type": "string",
+            "pattern": "^sha256:[a-f0-9]{64}$"
+          }
+        },
+        "vulnFeedSnapshotIds": {
+          "type": "array",
+          "description": "Identifiers for vulnerability feed snapshots",
+          "items": {
+            "type": "string"
+          }
+        },
+        "vexDocumentDigests": {
+          "type": "array",
+          "description": "SHA256 digests of VEX documents considered",
+          "items": {
+            "type": "string",
+            "pattern": "^sha256:[a-f0-9]{64}$"
+          }
+        },
+        "reachabilityGraphIds": {
+          "type": "array",
+          "description": "Identifiers for call graph snapshots",
+          "items": {
+            "type": "string"
+          }
+        },
+        "clockCutoff": {
+          "type": "string",
+          "description": "Timestamp used for freshness calculations",
+          "format": "date-time"
+        }
+      }
+    },
+    "VerdictResult": {
+      "type": "object",
+      "description": "The verdict and explanation",
+      "required": ["status", "confidence", "explanations"],
+      "properties": {
+        "status": {
+          "type": "string",
+          "description": "Final verdict status",
+          "enum": ["affected", "not_affected", "fixed", "under_investigation"]
+        },
+        "confidence": {
+          "type": "number",
+          "description": "Numeric confidence score",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "explanations": {
+          "type": "array",
+          "description": "Per-source breakdown of scoring",
+          "items": {
+            "$ref": "#/$defs/VerdictExplanation"
+          }
+        },
+        "evidenceRefs": {
+          "type": "array",
+          "description": "Links to attestations and proof bundles",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
+    "VerdictExplanation": {
+      "type": "object",
+      "description": "Explanation of how a source contributed to the verdict",
+      "required": ["sourceId", "reason", "claimScore"],
+      "properties": {
+        "sourceId": {
+          "type": "string",
+          "description": "Identifier of the VEX source"
+        },
+        "reason": {
+          "type": "string",
+          "description": "Human-readable explanation"
+        },
+        "provenanceScore": {
+          "type": "number",
+          "description": "Provenance component of trust vector",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "coverageScore": {
+          "type": "number",
+          "description": "Coverage component of trust vector",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "replayabilityScore": {
+          "type": "number",
+          "description": "Replayability component of trust vector",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "strengthMultiplier": {
+          "type": "number",
+          "description": "Claim strength multiplier (M)",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "freshnessMultiplier": {
+          "type": "number",
+          "description": "Freshness decay multiplier (F)",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "claimScore": {
+          "type": "number",
+          "description": "Final claim score = BaseTrust * M * F",
+          "minimum": 0,
+          "maximum": 1
+        }
+      }
+    }
+  }
+}