tests fixes and sprints work

2026-01-22 19:08:46 +02:00
parent c32fff8f86
commit 726d70dc7f
881 changed files with 134434 additions and 6228 deletions
--- a/etc/trust-profiles/assets/ca.crt
+++ b/etc/trust-profiles/assets/ca.crt
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE0TCCArkCFDKF9uZOnv4aZOLZaMxkCQRXh8WaMA0GCSqGSIb3DQEBCwUAMCUx
+IzAhBgNVBAMMGlN0ZWxsYU9wcyBEZXYgVGVsZW1ldHJ5IENBMB4XDTI1MTEwNTEz
+MTQxNloXDTI2MTEwNTEzMTQxNlowJTEjMCEGA1UEAwwaU3RlbGxhT3BzIERldiBU
+ZWxlbWV0cnkgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCsyoJs
+EiYwwH+3FeQGxh0C2e3c6QscMy3Vd+RY5RfVjtWjv7aRfCPegOEf9xARzoy+he2c
+42QaBvSnxZ43yDzKMYTwFkGwi1qFF68dqr8gb4iww3kf+YE09XI7zngH185v1NKi
+Mo61iYTkbf3Er6VqYhsDNGVEQQt4g+JXeTHORxmEJUef36ZqLPCGNnRP/HGxvrLH
+FDjUBCpkjhEUoP7Aqm5hbPcC8KUpKerGBirNsbvuhja+qUhglpdsihgdAiWHUrf1
+lUgQAHDAfM8AtG+v6uWu+0LkxIHc31EAMRn46ZpDZP6Paye9vfJdV4GM387vU5Ts
+0ugdn8BX9PAvCxOhqJ2Lp2Es3Umg0bBa9iYB/KUdhDp+WmVCcUGthmx/V03dwhEu
+Abqdi9J6ngMIBjB7RPOuTZYPgb9y8YdLKDjOMTzIUGLGWk5Q7OhiGMZYowFRa1G
+0ZhOqiV2N9GrCt2wFAqlLEork07zwmeeDfE/7xrkDqc0jNjf8WoLqcVPhsLLpToT
+4oG40WIHdbMmjw5dXoFUcqLWKKkLvo5R9LXbR8zlHDlELlbMX31DH7aOeqlB7Jx+
+Ya9fwNngEalvrci3WT/CV5bfxXAK57U+ffnYuzhrn3S5PQ4eCQ7QNTC+LZEiJ4XP
+X/KygY1aPFWzQkmPkrBgz/5dS5wfLeHO36ckRwIDAQABMA0GCSqGSIb3DQEBCwUA
+A4ICAQBy353C03SUJC38Ukpq5Gwp3xX/MViM9tcv+G25DFNxz7334glgpeVqQ9HD
+r42DwHaJjudWiTEZ73B2cf3Bs1DLpRLFk9AqsNVp+IlFKBRNgWDyev5UnRhDS/c5
+4MbwVr54Sn/6KVy56MEBLanQLgRB9iHhwekZYZpVkKS8gvdvMzkdj0kJJSYaMJSc
+0TzeL6nQHCuczI9lQ8ofV7yj1s3+XerzC3eKrze3iqc6o6J9163e6rPtm20plaEC
+fgo9NCjB9IRlBdsUuzFUYfgqsN7eisGHKXpFeA4D+Ox47v8uBCtK7zxrd3blvgts
+uNdJImGnjSRXB1C2KNjluCIaTvET4a8cq1nFUAlnA4pJXGwlRkJW42ncKUfEeIGN
+YltnLiwwf2PR/NCpFg+dMvrGwHKe0vHJluJi4cuvlnyh7YjEnn/2fDqUBwXfL7wW
+bRq1oC+o6Vd526BwQiysmp8bwkzsoZEgqSXYEiyP/PMBDrHvTWWi7Uj0mFSJfNIK
+r/3XbKCLfaCqZgm5CjFzpgy71aNMJE5NC7lKJNt7P67ZsyBDEYPleNIlTI9CZBY5
+ChaLedsHqEZgMcD3Hj5ETha8gbIf/07bMvFd/P6+lKq7IRwjozBAx7r8xrfepb0E
+OYqSDgxoHRhYoJzAbrY8w3rhmubb9we/HxcYBlunnN20c8lL6g==
+-----END CERTIFICATE-----
--- a/etc/trust-profiles/assets/rekor-public.pem
+++ b/etc/trust-profiles/assets/rekor-public.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyi7gVscxgRXQzX5ErNuQFN3dPjVw
+YzU0JE3PGhjSinBwpODxtweLfP6zw2N6f0H9z25t8HwTpFeuk1PWqTX7Gg==
+-----END PUBLIC KEY-----
--- a/etc/trust-profiles/bg-gov.trustprofile.json
+++ b/etc/trust-profiles/bg-gov.trustprofile.json
@@ -0,0 +1,36 @@
+{
+  "profileId": "bg-gov",
+  "name": "Bulgaria Government",
+  "description": "Bulgarian government trust profile (placeholder roots).",
+  "trustRoots": [
+    {
+      "id": "stella-dev-ca",
+      "path": "assets/ca.crt",
+      "algorithm": "x509",
+      "purpose": "signing",
+      "sha256": "54b2995318c07ed8334cce855fba7180b7cab401bbdad63aebd23ac61731b005"
+    }
+  ],
+  "rekorKeys": [
+    {
+      "id": "stella-dev-rekor",
+      "path": "assets/rekor-public.pem",
+      "algorithm": "ecdsa-p256",
+      "purpose": "rekor",
+      "sha256": "b31391a777c2f82f831805fba78705ce1bad703afbcd23b733c824cc4cc6da7b"
+    }
+  ],
+  "tsaRoots": [
+    {
+      "id": "stella-dev-tsa",
+      "path": "assets/ca.crt",
+      "algorithm": "x509",
+      "purpose": "tsa",
+      "sha256": "54b2995318c07ed8334cce855fba7180b7cab401bbdad63aebd23ac61731b005"
+    }
+  ],
+  "metadata": {
+    "compliance": "bg-gov",
+    "status": "placeholder"
+  }
+}
--- a/etc/trust-profiles/eu-eidas.trustprofile.json
+++ b/etc/trust-profiles/eu-eidas.trustprofile.json
@@ -0,0 +1,36 @@
+{
+  "profileId": "eu-eidas",
+  "name": "EU eIDAS",
+  "description": "EU eIDAS trust profile (placeholder roots).",
+  "trustRoots": [
+    {
+      "id": "stella-dev-ca",
+      "path": "assets/ca.crt",
+      "algorithm": "x509",
+      "purpose": "signing",
+      "sha256": "54b2995318c07ed8334cce855fba7180b7cab401bbdad63aebd23ac61731b005"
+    }
+  ],
+  "rekorKeys": [
+    {
+      "id": "stella-dev-rekor",
+      "path": "assets/rekor-public.pem",
+      "algorithm": "ecdsa-p256",
+      "purpose": "rekor",
+      "sha256": "b31391a777c2f82f831805fba78705ce1bad703afbcd23b733c824cc4cc6da7b"
+    }
+  ],
+  "tsaRoots": [
+    {
+      "id": "stella-dev-tsa",
+      "path": "assets/ca.crt",
+      "algorithm": "x509",
+      "purpose": "tsa",
+      "sha256": "54b2995318c07ed8334cce855fba7180b7cab401bbdad63aebd23ac61731b005"
+    }
+  ],
+  "metadata": {
+    "compliance": "eu-eidas",
+    "status": "placeholder"
+  }
+}
--- a/etc/trust-profiles/global.trustprofile.json
+++ b/etc/trust-profiles/global.trustprofile.json
@@ -0,0 +1,36 @@
+{
+  "profileId": "global",
+  "name": "Global default",
+  "description": "Default trust profile for offline verification (placeholder roots).",
+  "trustRoots": [
+    {
+      "id": "stella-dev-ca",
+      "path": "assets/ca.crt",
+      "algorithm": "x509",
+      "purpose": "signing",
+      "sha256": "54b2995318c07ed8334cce855fba7180b7cab401bbdad63aebd23ac61731b005"
+    }
+  ],
+  "rekorKeys": [
+    {
+      "id": "stella-dev-rekor",
+      "path": "assets/rekor-public.pem",
+      "algorithm": "ecdsa-p256",
+      "purpose": "rekor",
+      "sha256": "b31391a777c2f82f831805fba78705ce1bad703afbcd23b733c824cc4cc6da7b"
+    }
+  ],
+  "tsaRoots": [
+    {
+      "id": "stella-dev-tsa",
+      "path": "assets/ca.crt",
+      "algorithm": "x509",
+      "purpose": "tsa",
+      "sha256": "54b2995318c07ed8334cce855fba7180b7cab401bbdad63aebd23ac61731b005"
+    }
+  ],
+  "metadata": {
+    "compliance": "global",
+    "status": "placeholder"
+  }
+}
--- a/etc/trust-profiles/us-fips.trustprofile.json
+++ b/etc/trust-profiles/us-fips.trustprofile.json
@@ -0,0 +1,36 @@
+{
+  "profileId": "us-fips",
+  "name": "US FIPS",
+  "description": "US FIPS trust profile (placeholder roots).",
+  "trustRoots": [
+    {
+      "id": "stella-dev-ca",
+      "path": "assets/ca.crt",
+      "algorithm": "x509",
+      "purpose": "signing",
+      "sha256": "54b2995318c07ed8334cce855fba7180b7cab401bbdad63aebd23ac61731b005"
+    }
+  ],
+  "rekorKeys": [
+    {
+      "id": "stella-dev-rekor",
+      "path": "assets/rekor-public.pem",
+      "algorithm": "ecdsa-p256",
+      "purpose": "rekor",
+      "sha256": "b31391a777c2f82f831805fba78705ce1bad703afbcd23b733c824cc4cc6da7b"
+    }
+  ],
+  "tsaRoots": [
+    {
+      "id": "stella-dev-tsa",
+      "path": "assets/ca.crt",
+      "algorithm": "x509",
+      "purpose": "tsa",
+      "sha256": "54b2995318c07ed8334cce855fba7180b7cab401bbdad63aebd23ac61731b005"
+    }
+  ],
+  "metadata": {
+    "compliance": "us-fips",
+    "status": "placeholder"
+  }
+}
--- a/etc/weights/v2026-01-22.weights.json
+++ b/etc/weights/v2026-01-22.weights.json
@@ -0,0 +1,50 @@
+{
+  "version": "v2026-01-22",
+  "effective_from": "2026-01-22T00:00:00Z",
+  "description": "EWS default weights - extracted from EvidenceWeights.Default",
+  "weights": {
+    "rch": 0.30,
+    "rts": 0.25,
+    "bkp": 0.15,
+    "xpl": 0.15,
+    "src": 0.10,
+    "mit": 0.10
+  },
+  "dimension_names": {
+    "rch": "Reachability",
+    "rts": "Runtime Signal",
+    "bkp": "Backport Evidence",
+    "xpl": "Exploit Likelihood",
+    "src": "Source Trust",
+    "mit": "Mitigation Effectiveness"
+  },
+  "subtractive_dimensions": ["mit"],
+  "guardrails": {
+    "speculative_cap": 45,
+    "not_affected_cap": 15,
+    "runtime_floor": 60
+  },
+  "buckets": {
+    "act_now_min": 90,
+    "schedule_next_min": 70,
+    "investigate_min": 40
+  },
+  "determinization_thresholds": {
+    "manual_review_entropy": 0.60,
+    "refresh_entropy": 0.40
+  },
+  "signal_weights_for_entropy": {
+    "vex": 0.25,
+    "reachability": 0.25,
+    "epss": 0.15,
+    "runtime": 0.15,
+    "backport": 0.10,
+    "sbom_lineage": 0.10
+  },
+  "notes": [
+    "RCH and RTS carry highest weights as they provide strongest risk signal",
+    "MIT is the only subtractive dimension (mitigations reduce risk)",
+    "Guardrails are applied after weighted sum calculation",
+    "Entropy thresholds align with Determinization config"
+  ]
+}