Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images. - Added symbols.json detailing function entry and sink points in the WordPress code. - Included runtime traces for function calls in both reachable and unreachable scenarios. - Developed OpenVEX files indicating vulnerability status and justification for both cases. - Updated README for evaluator harness to guide integration with scanner output.
This commit is contained in:
master
@@ -98,23 +98,58 @@ C --> J[Blob Store: Input/Output Bundles]
|
||||
],
|
||||
"trustProfile": "sha256:..."
|
||||
},
|
||||
"outputs": {
|
||||
"sbomHash": "sha256:...",
|
||||
"findingsHash": "sha256:...",
|
||||
"vexHash": "sha256:...",
|
||||
"logHash": "sha256:..."
|
||||
},
|
||||
"provenance": {
|
||||
"signer": "scanner.authority",
|
||||
"dsseEnvelopeHash": "sha256:...",
|
||||
"rekorEntry": "optional"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## 4. Deterministic Execution Rules
|
||||
"outputs": {
|
||||
"sbomHash": "sha256:...",
|
||||
"findingsHash": "sha256:...",
|
||||
"vexHash": "sha256:...",
|
||||
"logHash": "sha256:..."
|
||||
},
|
||||
"reachability": {
|
||||
"graphs": [
|
||||
{
|
||||
"kind": "static",
|
||||
"analyzer": "scanner/java@sha256:...",
|
||||
"casUri": "cas://replay/scan-123/reachability/static-graph.tar.zst",
|
||||
"sha256": "abc123"
|
||||
},
|
||||
{
|
||||
"kind": "framework",
|
||||
"analyzer": "scanner/framework@sha256:...",
|
||||
"casUri": "cas://replay/scan-123/reachability/framework-graph.tar.zst",
|
||||
"sha256": "def456"
|
||||
}
|
||||
],
|
||||
"runtimeTraces": [
|
||||
{
|
||||
"source": "zastava",
|
||||
"casUri": "cas://replay/scan-123/reachability/runtime-trace.ndjson.zst",
|
||||
"sha256": "feedface",
|
||||
"recordedAt": "2025-11-07T11:10:00Z"
|
||||
}
|
||||
]
|
||||
},
|
||||
"provenance": {
|
||||
"signer": "scanner.authority",
|
||||
"dsseEnvelopeHash": "sha256:...",
|
||||
"rekorEntry": "optional"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### 3.2 Reachability Section
|
||||
|
||||
The optional `reachability` block captures the inputs needed to replay explainability decisions:
|
||||
|
||||
| Field | Description |
|
||||
|-------|-------------|
|
||||
| `reachability.graphs[]` | References to static/framework callgraph bundles. Each entry records the producing analyzer (`analyzer`/`version`), the CAS URI under `cas://replay/<scan-id>/reachability/graphs/`, and the SHA-256 digest of the tarball. |
|
||||
| `reachability.runtimeTraces[]` | References to runtime observation bundles (e.g., Zastava ND-JSON traces). Each item stores the emitting source, CAS URI (typically `cas://replay/<scan-id>/reachability/traces/`), SHA-256, and capture timestamp. |
|
||||
|
||||
Replay engines MUST verify every referenced artifact hash before re-evaluating reachability. Missing graphs downgrade affected signals to `reachability:unknown` and should raise policy warnings.
|
||||
|
||||
---
|
||||
|
||||
## 4. Deterministic Execution Rules
|
||||
|
||||
### 4.1 Environment Normalization
|
||||
|
||||
|
||||
@@ -30,10 +30,11 @@ Replay is the foundation for:
|
||||
| **Subject** | OCI image digest, per-layer Merkle roots | ✅ |
|
||||
| **Outputs** | SBOM, Findings, VEX, logs (content hashes) | ✅ |
|
||||
| **Toolchain** | Sbomer, Scanner, Vexer binaries + versions + SHA256 | ✅ |
|
||||
| **Feeds/VEX sources** | Full or pruned snapshot with Merkle proofs | ✅ |
|
||||
| **Policy Bundle** | Lattice rules, mutes, trust profiles, thresholds | ✅ |
|
||||
| **Environment** | OS, arch, locale, TZ, deterministic seed, runtime flags | ✅ |
|
||||
| **Crypto Profile** | Algorithm suites (FIPS, GOST, SM, eIDAS) | ✅ |
|
||||
| **Feeds/VEX sources** | Full or pruned snapshot with Merkle proofs | ✅ |
|
||||
| **Policy Bundle** | Lattice rules, mutes, trust profiles, thresholds | ✅ |
|
||||
| **Environment** | OS, arch, locale, TZ, deterministic seed, runtime flags | ✅ |
|
||||
| **Reachability Evidence** | Callgraphs (`graphs[]`), runtime traces (`runtimeTraces[]`), analyzer/version hashes | ✅ |
|
||||
| **Crypto Profile** | Algorithm suites (FIPS, GOST, SM, eIDAS) | ✅ |
|
||||
|
||||
---
|
||||
|
||||
@@ -69,8 +70,9 @@ stella replay manifest.json --what-if --vary=feeds
|
||||
|
||||
## Workflow
|
||||
|
||||
1. `stella scan image:tag --record out/`
|
||||
- Generates Replay Manifest, InputBundle, OutputBundle, DSSE sigs.
|
||||
1. `stella scan image:tag --record out/`
|
||||
- Generates Replay Manifest, InputBundle, OutputBundle, DSSE sigs.
|
||||
- Captures reachability graphs/traces (if enabled) and references them via `reachability.graphs[]` + `runtimeTraces[]`.
|
||||
2. `stella verify manifest.json`
|
||||
- Validates hashes, signatures, and completeness.
|
||||
3. `stella replay manifest.json --strict`
|
||||
@@ -82,14 +84,15 @@ stella replay manifest.json --what-if --vary=feeds
|
||||
|
||||
---
|
||||
|
||||
## Storage
|
||||
|
||||
- **Mongo collections**
|
||||
- `replay_runs`: manifest + DSSE envelopes + status
|
||||
- `bundles`: content-addressed (input/output/rootpack)
|
||||
- `subjects`: OCI digests, Merkle roots per layer
|
||||
- **File store**
|
||||
- Bundles stored as `<sha256>.tar.zst`
|
||||
## Storage
|
||||
|
||||
- **Mongo collections**
|
||||
- `replay_runs`: manifest + DSSE envelopes + status
|
||||
- `bundles`: content-addressed (input/output/rootpack)
|
||||
- `subjects`: OCI digests, Merkle roots per layer
|
||||
- `reachability_facts`: graph & runtime trace references tied to scan subjects
|
||||
- **File store**
|
||||
- Bundles stored as `<sha256>.tar.zst`
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -19,6 +19,7 @@ This playbook enumerates the deterministic replay validation suite. It guides th
|
||||
| T-RETENTION-006 | **Retention Sweep** | Ensure Evidence Locker prunes hot CAS after SLA while preserving cold storage copies. | Evidence Locker, Ops | Replay retention config, audit logs |
|
||||
| T-OFFLINE-007 | **Offline Kit Replay** | Execute `stella replay` using only Offline Kit artifacts. | CLI, Evidence Locker | Offline kit bundle, local RootPack |
|
||||
| T-OPA-008 | **Runbook Drill** | Simulate replay-driven incident response per `docs/runbooks/replay_ops.md`. | Ops Guild, Scanner, Authority | Runbook checklist, incident notes |
|
||||
| T-REACH-009 | **Reachability Replay** | Rehydrate reachability graphs/traces from replay bundles and compare against reachbench fixtures. | Scanner, Signals, Replay | `reachbench-2025-expanded`, reachability CAS references |
|
||||
|
||||
---
|
||||
|
||||
@@ -50,7 +51,8 @@ This playbook enumerates the deterministic replay validation suite. It guides th
|
||||
- [ ] Replay verification metrics ingested into Telemetry Stack dashboards.
|
||||
- [ ] Evidence Locker retention job validated against hot/cold tiers.
|
||||
- [ ] CLI documentation updated with troubleshooting steps observed during tests.
|
||||
- [ ] Runbook drill logged with timestamp and owners in `docs/runbooks/replay_ops.md`.
|
||||
- [ ] Runbook drill logged with timestamp and owners in `docs/runbooks/replay_ops.md`.
|
||||
- [ ] Reachability replay drill captured (`T-REACH-009`) with fixture references and Signals verification logs.
|
||||
|
||||
---
|
||||
|
||||
|
||||
Reference in New Issue
Block a user