tests fixes and some product advisories tunes ups

2026-01-30 07:57:43 +02:00
parent 644887997c
commit 55744f6a39
345 changed files with 26290 additions and 2267 deletions
--- a/demos/binary-micro-witness/README.md
+++ b/demos/binary-micro-witness/README.md
@@ -0,0 +1,114 @@
+# Binary Micro-Witness Golden Demo
+
+This bundle demonstrates binary-level patch verification using StellaOps micro-witnesses.
+
+## Overview
+
+Binary micro-witnesses provide cryptographic proof that a specific binary contains (or doesn't contain) a security fix. This enables auditors and procurement teams to verify patch status without source code access.
+
+## Contents
+
+```
+binary-micro-witness/
+├── README.md                    # This file
+├── witnesses/
+│   ├── openssl-cve-2024-0567.json    # Sample witness for OpenSSL CVE
+│   └── libcurl-cve-2023-38545.json   # Sample witness for curl CVE
+├── verify.ps1                   # PowerShell verification script
+├── verify.sh                    # Bash verification script
+└── CHECKSUMS.sha256             # Deterministic checksums for all files
+```
+
+## Quick Start
+
+### Windows (PowerShell)
+```powershell
+.\verify.ps1 -WitnessPath witnesses\openssl-cve-2024-0567.json
+```
+
+### Linux/macOS (Bash)
+```bash
+chmod +x verify.sh
+./verify.sh witnesses/openssl-cve-2024-0567.json
+```
+
+## Threat Model & Scope
+
+### What Micro-Witnesses Prove
+- A specific binary (identified by SHA-256) was analyzed
+- The analysis compared function-level signatures against known vulnerable/patched versions
+- A confidence score indicates how certain the verdict is
+
+### What Micro-Witnesses Do NOT Prove
+- That the binary came from a trusted source (that's what SBOM + attestations are for)
+- That the analysis is 100% accurate (confidence scores indicate uncertainty)
+- That other vulnerabilities don't exist (only the specified CVE is verified)
+
+### Limitations
+- Function-level matching can be affected by heavy compiler optimizations
+- Inlined functions may not be detected
+- Obfuscated binaries may yield "inconclusive" verdicts
+
+## Offline Verification
+
+This bundle is designed for air-gapped environments:
+1. No network access required
+2. All verification logic is self-contained
+3. Checksums allow integrity verification
+
+## Predicate Schema
+
+Witnesses follow the `https://stellaops.dev/predicates/binary-micro-witness@v1` schema:
+
+```json
+{
+  "schemaVersion": "1.0.0",
+  "binary": {
+    "digest": "sha256:...",
+    "filename": "libssl.so.3",
+    "arch": "linux-amd64"
+  },
+  "cve": {
+    "id": "CVE-2024-0567",
+    "advisory": "https://..."
+  },
+  "verdict": "patched|vulnerable|inconclusive",
+  "confidence": 0.95,
+  "evidence": [
+    {
+      "function": "SSL_CTX_new",
+      "state": "patched",
+      "score": 0.97,
+      "method": "semantic_ksg"
+    }
+  ],
+  "tooling": {
+    "binaryIndexVersion": "2.1.0",
+    "lifter": "b2r2",
+    "matchAlgorithm": "semantic_ksg"
+  },
+  "computedAt": "2026-01-28T12:00:00Z"
+}
+```
+
+## Reproduction
+
+To regenerate witnesses using the StellaOps CLI:
+
+```bash
+# Generate a witness
+stella witness generate /path/to/libssl.so.3 --cve CVE-2024-0567 --output witness.json
+
+# Verify a witness
+stella witness verify witness.json --offline
+
+# Create an air-gapped bundle
+stella witness bundle witness.json --output ./bundle
+```
+
+## Version Information
+
+- **Demo Version**: 1.0.0
+- **Schema Version**: binary-micro-witness@v1
+- **Generated**: 2026-01-28
+- **Sprint**: SPRINT_0128_001_BinaryIndex_binary_micro_witness