stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Add determinism tests for verdict artifact generation and update SHA256 sums script

Browse Source 
- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering.
- Created helper methods for generating sample verdict inputs and computing canonical hashes.
- Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics.
- Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
This commit is contained in:
StellaOps Bot
2025-12-24 02:17:34 +02:00
parent e59921374e
commit 7503c19b8f
390 changed files with 37389 additions and 5380 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
docs/vex/consensus-overview.md
View File

@@ -1,6 +1,31 @@
# Archived: VEX Consensus Overview
# VEX Evidence and Consensus (Detailed)
This document was consolidated during docs cleanup.
This document complements `docs/16_VEX_CONSENSUS_GUIDE.md` with implementation-oriented detail: what objects exist, how evidence is correlated without rewriting sources, and what “consensus” means in practice.
- Canonical guide: `docs/16_VEX_CONSENSUS_GUIDE.md`
- Module dossiers: `docs/modules/excititor/architecture.md`, `docs/modules/vex-lens/architecture.md`
## Pipeline (Evidence First)
1. **Ingest raw VEX** as immutable observations (append-only, provenance preserved).
2. **Normalize** observations into tuples used for correlation and UI display.
3. **Correlate** tuples into deterministic linksets (grouping without merge or precedence).
4. **Compute consensus (optional)** using issuer trust and lattice rules to produce an “effective” status and conflict summary.
5. **Expose evidence** to Policy Engine, Console, and Vulnerability Explorer; include in Offline Kit snapshots.
## Core Objects
- **Raw observation:** upstream OpenVEX/CSAF/CycloneDX payload stored losslessly with provenance (issuer/provider, receive time, signature verification, content digest).
- **Normalized tuple:** extracted fields used for correlation and decisioning, typically `(vulnerabilityId, productKey, status, justification?, scope?, timestamp, sourceDigest)`.
- **Linkset:** a correlation group tying multiple tuples to the same conceptual `(vulnerabilityId, productKey)` without collapsing disagreements.
- **Consensus record:** a deterministic summary for a linkset: effective status, confidence/weight, and conflict list (still referencing raw evidence).
## Determinism Guarantees
- Canonical UTF-8 JSON bytes are hashed to compute stable digests for raw observations.
- Linkset IDs are derived from canonical, sorted key material.
- Consensus outputs are stable for identical inputs: ordering, timestamps, and digests are deterministic.
## Where This Lives
- Ingestion, raw store, and linksets: `docs/modules/excititor/architecture.md`
- Consensus and issuer trust: `docs/modules/vex-lens/architecture.md`
- Console/operator view: `docs/15_UI_GUIDE.md`
- Triage model: `docs/20_VULNERABILITY_EXPLORER_GUIDE.md`