stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint: save features

Browse Source
This commit is contained in:
master
2026-02-12 10:27:23 +02:00
parent dca86e1248
commit 5bca406787
8837 changed files with 1796879 additions and 5294 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
docs/features/checked/binaryindex/binary-to-vex-claim-auto-generation.md Normal file
View File

@@ -0,0 +1,32 @@
# Binary-to-VEX Claim Auto-Generation (VexBridge Library)
## Module
BinaryIndex
## Status
VERIFIED
## Description
Automated generation of VEX claims from binary fingerprint match results. The VexBridge library translates binary match evidence into DSSE-signed VEX statements with confidence scores, enabling automated VEX claim production from binary analysis without manual triage.
## Implementation Details
- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/`
- **Key Classes**:
- `VexEvidenceGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/VexEvidenceGenerator.cs`) - generates VEX observations from `BinaryVulnMatch` results; maps `FixState` to `VexClaimStatus` (Fixed -> NotAffected, Vulnerable -> Affected, Unknown -> UnderInvestigation)
- `BinaryMatchEvidenceSchema` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/BinaryMatchEvidenceSchema.cs`) - defines evidence schema with match type constants (BuildId, DeltaSignature, etc.)
- `VexBridgeOptions` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/VexBridgeOptions.cs`) - configuration for confidence thresholds
- `DeltaSigVexBridge` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/VexIntegration/DeltaSigVexBridge.cs`) - bridges delta-signature analysis results into VEX observations with provenance data
- **Interfaces**: `IVexEvidenceGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/IVexEvidenceGenerator.cs`), `IDeltaSigVexBridge`
## E2E Test Plan
- [ ] Generate a VEX claim from a `Fixed` binary match and verify status is `NotAffected` with justification `VulnerableCodeNotPresent`
- [ ] Generate a VEX claim from a `Vulnerable` match and verify status is `Affected`
- [ ] Generate a VEX claim from an `Unknown` match and verify status is `UnderInvestigation`
- [ ] Verify confidence threshold enforcement: low-confidence matches below threshold are rejected
- [ ] Verify Build-ID references are included in VEX evidence when present
- [ ] Verify `DeltaSigVexBridge` produces VEX observations with symbol provenance metadata
- [ ] Verify generated VEX statements include correct DSSE evidence references
## Verification
- Verified by QA FLOW run `run-001` on 2026-02-11.
- Evidence: `docs/qa/feature-checks/runs/binaryindex/binary-to-vex-claim-auto-generation/run-001/` (Tier 0/1/2 artifacts).