stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Implement VEX document verification system with issuer management and signature verification

Browse Source 
- Added IIssuerDirectory interface for managing VEX document issuers, including methods for registration, revocation, and trust validation.
- Created InMemoryIssuerDirectory class as an in-memory implementation of IIssuerDirectory for testing and single-instance deployments.
- Introduced ISignatureVerifier interface for verifying signatures on VEX documents, with support for multiple signature formats.
- Developed SignatureVerifier class as the default implementation of ISignatureVerifier, allowing extensibility for different signature formats.
- Implemented handlers for DSSE and JWS signature formats, including methods for verification and signature extraction.
- Defined various records and enums for issuer and signature metadata, enhancing the structure and clarity of the verification process.
This commit is contained in:
StellaOps Bot
2025-12-06 13:41:22 +02:00
parent 2141196496
commit 5e514532df
112 changed files with 24861 additions and 211 deletions
Download Patch File Download Diff File Expand all files Collapse all files

165
docs/modules/policy/samples/policy-determinism-fixtures.json Normal file
View File

@@ -0,0 +1,165 @@
{
"$schema": "https://stellaops.org/schemas/policy/determinism-fixture-v1.json",
"version": "1.0.0",
"description": "Determinism fixtures for Policy Engine scoring and decision APIs",
"fixtures": [
{
"fixture_id": "DET-001",
"name": "Basic Scoring Determinism",
"description": "Verify that scoring produces identical output for identical input",
"input": {
"finding_id": "CVE-2024-0001",
"tenant_id": "default",
"profile_id": "risk-profile-001",
"signals": {
"cvss_base": 7.5,
"exploitability": 2.8,
"impact": 5.9
}
},
"expected_output": {
"severity": "high",
"raw_score": 7.5,
"signal_order": ["cvss_base", "exploitability", "impact"],
"assertions": [
"signal_contributions keys are alphabetically ordered",
"scored_at is from context, not wall clock"
]
}
},
{
"fixture_id": "DET-002",
"name": "Multi-Finding Ordering",
"description": "Verify that multiple findings are returned in stable order",
"input": {
"findings": [
{"finding_id": "CVE-2024-0003", "cvss_base": 5.0},
{"finding_id": "CVE-2024-0001", "cvss_base": 9.8},
{"finding_id": "CVE-2024-0002", "cvss_base": 7.5}
]
},
"expected_output": {
"finding_order": ["CVE-2024-0001", "CVE-2024-0002", "CVE-2024-0003"],
"assertions": [
"findings sorted alphabetically by finding_id",
"order is stable across multiple runs"
]
}
},
{
"fixture_id": "DET-003",
"name": "Decision Summary Ordering",
"description": "Verify severity counts are in canonical order",
"input": {
"decisions": [
{"severity": "low", "count": 5},
{"severity": "critical", "count": 1},
{"severity": "medium", "count": 3},
{"severity": "high", "count": 2}
]
},
"expected_output": {
"severity_order": ["critical", "high", "medium", "low", "info"],
"assertions": [
"severity_counts keys follow canonical order",
"missing severities are either omitted or zero-filled consistently"
]
}
},
{
"fixture_id": "DET-004",
"name": "Deprecated Field Absence (v2.0)",
"description": "Verify deprecated fields are not present in v2.0 output",
"input": {
"finding_id": "CVE-2024-0001",
"cvss_base": 7.5,
"version": "2.0"
},
"expected_output": {
"absent_fields": [
"normalized_score",
"top_severity_sources",
"source_rank"
],
"present_fields": [
"severity",
"raw_score",
"trust_weights"
],
"assertions": [
"normalized_score is not serialized",
"trust_weights replaces top_severity_sources"
]
}
},
{
"fixture_id": "DET-005",
"name": "Legacy Compatibility Mode (v1.5)",
"description": "Verify deprecated fields are present when legacy mode enabled",
"input": {
"finding_id": "CVE-2024-0001",
"cvss_base": 7.5,
"options": {
"include_legacy_normalized_score": true
}
},
"expected_output": {
"present_fields": [
"normalized_score",
"severity",
"raw_score"
],
"assertions": [
"normalized_score is present for backwards compatibility",
"severity is canonical (high, not HIGH)"
]
}
},
{
"fixture_id": "DET-006",
"name": "Signal Contribution Ordering",
"description": "Verify signal contributions maintain stable key order",
"input": {
"signals": {
"zeta_factor": 0.5,
"alpha_score": 1.0,
"beta_weight": 0.75
}
},
"expected_output": {
"contribution_order": ["alpha_score", "beta_weight", "zeta_factor"],
"assertions": [
"signal_contributions keys are alphabetically sorted",
"contribution values are deterministic decimals"
]
}
},
{
"fixture_id": "DET-007",
"name": "Timestamp Determinism",
"description": "Verify timestamps come from context, not wall clock",
"input": {
"finding_id": "CVE-2024-0001",
"context": {
"evaluation_time": "2025-12-06T10:00:00Z"
}
},
"expected_output": {
"scored_at": "2025-12-06T10:00:00Z",
"assertions": [
"scored_at matches context.evaluation_time exactly",
"no random GUIDs in output"
]
}
}
],
"test_requirements": {
"snapshot_equality": "Identical inputs must produce byte-for-byte identical JSON",
"cross_environment": "Output must match across CI, local, and production",
"ordering_stability": "Collection order must be deterministic and documented"
},
"migration_notes": {
"v1.5": "Enable legacy mode with include_legacy_normalized_score for backwards compatibility",
"v2.0": "Remove all deprecated fields, trust_weights replaces source ranking"
}
}

43
docs/modules/policy/samples/policy-normalized-field-removal-after.json Normal file
View File

@@ -0,0 +1,43 @@
{
"$schema": "https://stellaops.org/schemas/policy/scoring-result-v2.json",
"description": "Sample scoring result AFTER normalized field removal (canonical format)",
"scoring_result": {
"finding_id": "CVE-2024-1234",
"tenant_id": "default",
"profile_id": "risk-profile-001",
"profile_version": "1.2.0",
"raw_score": 7.5,
"severity": "high",
"signal_values": {
"cvss_base": 7.5,
"exploitability": 2.8,
"impact": 5.9
},
"scored_at": "2025-12-06T10:00:00Z",
"profile_hash": "sha256:abc123def456..."
},
"decision_summary": {
"total_decisions": 5,
"total_conflicts": 1,
"severity_counts": {
"critical": 0,
"high": 3,
"medium": 2,
"low": 0
},
"trust_weights": {
"nvd": 1.0,
"vendor-advisory": 0.8
}
},
"migration_notes": {
"removed_fields": ["normalized_score", "top_severity_sources"],
"added_fields": ["profile_hash", "trust_weights"],
"canonical_severity_mapping": {
"0.0-3.9": "low",
"4.0-6.9": "medium",
"7.0-8.9": "high",
"9.0-10.0": "critical"
}
}
}

41
docs/modules/policy/samples/policy-normalized-field-removal-before.json Normal file
View File

@@ -0,0 +1,41 @@
{
"$schema": "https://stellaops.org/schemas/policy/scoring-result-v1.json",
"description": "Sample scoring result BEFORE normalized field removal (legacy format)",
"scoring_result": {
"finding_id": "CVE-2024-1234",
"tenant_id": "default",
"profile_id": "risk-profile-001",
"profile_version": "1.2.0",
"raw_score": 7.5,
"normalized_score": 0.75,
"severity": "high",
"signal_values": {
"cvss_base": 7.5,
"exploitability": 2.8,
"impact": 5.9
},
"scored_at": "2025-12-06T10:00:00Z"
},
"decision_summary": {
"total_decisions": 5,
"total_conflicts": 1,
"severity_counts": {
"critical": 0,
"high": 3,
"medium": 2,
"low": 0
},
"top_severity_sources": [
{
"source": "nvd",
"total_weight": 1.0,
"finding_count": 3
},
{
"source": "vendor-advisory",
"total_weight": 0.8,
"finding_count": 2
}
]
}
}