Add determinism tests for verdict artifact generation and update SHA256 sums script
- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering.
- Created helper methods for generating sample verdict inputs and computing canonical hashes.
- Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics.
- Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
@@ -1,10 +0,0 @@
|
||||
# Archived: GRAP0101 Integration Checklist
|
||||
|
||||
This checklist was a sprint-era integration note and has been archived to:
|
||||
|
||||
- `docs/_archive/vuln/GRAP0101-integration-checklist.md`
|
||||
|
||||
For current guidance, start from:
|
||||
|
||||
- `docs/20_VULNERABILITY_EXPLORER_GUIDE.md`
|
||||
- `docs/15_UI_GUIDE.md`
|
||||
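Review bot: the commit message describes determinism tests and a SHA256 sums script, but this hunk (and every other hunk in the diff) only touches documentation stubs; either the message belongs to a different change set or the test and script files are missing from the commit, and this should be reconciled before merge. Separately, deleting the whole `Archived: GRAP0101 Integration Checklist` stub (`@@ -1,10 +0,0 @@`) removes the only pointer to `docs/_archive/vuln/GRAP0101-integration-checklist.md`; confirm that no remaining page links to the deleted path and that the archive file actually exists, otherwise inbound links will break silently.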
@@ -1,10 +0,0 @@
|
||||
# Archived: Vulnerability Explorer API Notes
|
||||
|
||||
This page was consolidated into:
|
||||
|
||||
- `docs/20_VULNERABILITY_EXPLORER_GUIDE.md` (concepts)
|
||||
- `docs/09_API_CLI_REFERENCE.md` and module dossiers (API reference)
|
||||
|
||||
The previous draft has been archived to:
|
||||
|
||||
- `docs/_archive/vuln/explorer-api.md`
|
||||
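Review bot: this deletion drops the redirect stub that pointed readers from the old API notes to `docs/20_VULNERABILITY_EXPLORER_GUIDE.md`, `docs/09_API_CLI_REFERENCE.md` and `docs/_archive/vuln/explorer-api.md`. If the stub is being removed because the consolidation is complete, the archived draft at `docs/_archive/vuln/explorer-api.md` should be checked for content that never made it into the API reference before the last pointer to it disappears.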
@@ -1,10 +0,0 @@
|
||||
# Archived: Vulnerability Explorer CLI Notes
|
||||
|
||||
This page was consolidated into:
|
||||
|
||||
- `docs/20_VULNERABILITY_EXPLORER_GUIDE.md` (concepts)
|
||||
- `docs/09_API_CLI_REFERENCE.md` and module dossiers (CLI/API reference)
|
||||
|
||||
The previous draft has been archived to:
|
||||
|
||||
- `docs/_archive/vuln/explorer-cli.md`
|
||||
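Review bot: same concern as the API notes stub: removing the CLI notes redirect leaves `docs/_archive/vuln/explorer-cli.md` unreferenced. Consider a single pass to verify that `docs/09_API_CLI_REFERENCE.md` covers the CLI material the archived draft held, and that any `docs/` cross-links to this deleted file have been updated.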
@@ -1,10 +1,25 @@
|
||||
# Archived: Vulnerability Explorer Overview
|
||||
# Vulnerability Explorer Overview (Detailed)
|
||||
|
||||
This page was consolidated into the canonical guides:
|
||||
The Vulnerability Explorer is the evidence-linked triage surface that brings together SBOM facts, advisory/VEX evidence, reachability signals, policy explainability, and operator decisions into a single auditable workflow.
|
||||
|
||||
- `docs/20_VULNERABILITY_EXPLORER_GUIDE.md`
|
||||
- `docs/15_UI_GUIDE.md`
|
||||
This document complements the high-level guide `docs/20_VULNERABILITY_EXPLORER_GUIDE.md` with additional detail and cross-links.
|
||||
|
||||
The previous draft has been archived to:
|
||||
## Core Objects
|
||||
|
||||
- `docs/_archive/vuln/explorer-overview.md`
|
||||
- **Finding record:** the current enriched view of a vulnerability for a specific artifact/context (tenant, artifact/image digest, policy version).
|
||||
- **History:** append-only state transitions suitable for audit and replay.
|
||||
- **Triage actions:** operator actions (assignment, comment, mitigation note, exception request) with provenance.
|
||||
- **Evidence references:** stable pointers to evidence objects (SBOM slices, VEX observations/linksets, reachability proofs, explain traces, attestations).
|
||||
|
||||
## Key Properties
|
||||
|
||||
- **Narrative-first:** default view answers “Can I ship? If not, why? What’s the smallest safe change?”
|
||||
- **Proof-linked:** every important fact links to evidence (no “trust the UI”).
|
||||
- **Quiet by default, never silent:** suppression/muting is reversible and auditable.
|
||||
- **Offline-ready:** evidence bundles are verifiable without online lookups.
|
||||
|
||||
## References
|
||||
|
||||
- High-level guide: `docs/20_VULNERABILITY_EXPLORER_GUIDE.md`
|
||||
- Console operator guide: `docs/15_UI_GUIDE.md`
|
||||
- Module dossier: `docs/modules/vuln-explorer/architecture.md`
|
||||
|
||||
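Review bot: this hunk (`@@ -1,10 +1,25 @@`) reverses the direction of the previous edit: the file goes from an "Archived" redirect stub back to a full "Vulnerability Explorer Overview (Detailed)" page, and the pointer to `docs/_archive/vuln/explorer-overview.md` is dropped. If that archived draft still exists there are now two overview documents that can drift; either delete the archive copy in this commit or say which one is authoritative. Also, the "Proof-linked" property promises that "every important fact links to evidence", but the Core Objects section describes evidence references only as "stable pointers" without saying what makes them stable (digest, ID scheme); a one-line cross-reference to where the reference format is defined, for example the module dossier `docs/modules/vuln-explorer/architecture.md` already listed under References, would make the claim checkable.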
@@ -1,10 +1,32 @@
|
||||
# Archived: Vulnerability Explorer (Using the Console)
|
||||
# Vulnerability Explorer Using the Console
|
||||
|
||||
This page was consolidated into the canonical guides:
|
||||
This document describes the operator workflow for triaging findings in the Console. It is intentionally evidence-first and audit-oriented.
|
||||
|
||||
- `docs/15_UI_GUIDE.md`
|
||||
- `docs/20_VULNERABILITY_EXPLORER_GUIDE.md`
|
||||
## Workflow (Typical)
|
||||
|
||||
The previous draft has been archived to:
|
||||
1. Start from the findings list filtered to the tenant/environment you care about.
|
||||
2. Open a finding to review:
|
||||
- Verdict and “why” summary
|
||||
- Effective VEX status and issuer provenance
|
||||
- Reachability/impact signals (when available)
|
||||
- Policy gate and explain trace
|
||||
3. Record a triage action (assign/comment/mitigation/exception) with justification.
|
||||
4. Export an evidence bundle when review, escalation, or offline verification is required.
|
||||
|
||||
- `docs/_archive/vuln/explorer-using-console.md`
|
||||
## What to Expect in a Finding View
|
||||
|
||||
- Clear tenant context and artifact identifiers
|
||||
- Evidence rail (SBOM, VEX, advisories, reachability, attestations)
|
||||
- History/timeline of state changes and actions (append-only)
|
||||
- Copyable identifiers (finding ID, digests, correlation IDs)
|
||||
|
||||
## Offline / Air-Gap Notes
|
||||
|
||||
- When operating from Offline Kit snapshots, the Console should surface snapshot identity and staleness budgets.
|
||||
- Evidence bundle export is the primary bridge between online and offline review.
|
||||
|
||||
## References
|
||||
|
||||
- Console operator guide: `docs/15_UI_GUIDE.md`
|
||||
- Vulnerability Explorer guide: `docs/20_VULNERABILITY_EXPLORER_GUIDE.md`
|
||||
- Offline Kit: `docs/24_OFFLINE_KIT.md`
|
||||
|
||||
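Review bot: in the Offline / Air-Gap Notes, "the Console should surface snapshot identity and staleness budgets" reads as a requirement rather than a description of current behaviour; an operator guide should state whether the Console does this today, and if not, move the sentence to a roadmap or mark it as planned. Also, step 3 of the workflow says a triage action is recorded "with justification" while the finding view section only lists a "History/timeline of state changes and actions (append-only)"; it would help to say explicitly that the justification is stored in that append-only history, since that is what makes the action auditable. As in the overview hunk, the archive pointer `docs/_archive/vuln/explorer-using-console.md` is dropped without the archive copy being removed.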
@@ -1,11 +1,22 @@
|
||||
# Archived: Findings Ledger Notes
|
||||
# Findings Ledger and Replay (Vulnerability Explorer)
|
||||
|
||||
This page was consolidated into:
|
||||
The Findings Ledger is the append-only backbone for auditable triage. It records current finding state, history transitions, and operator actions in a way that supports deterministic replay and offline verification.
|
||||
|
||||
- `docs/20_VULNERABILITY_EXPLORER_GUIDE.md`
|
||||
- `docs/modules/findings-ledger/schema.md`
|
||||
- `docs/modules/findings-ledger/merkle-anchor-policy.md`
|
||||
This document provides a conceptual overview; the authoritative schema and hashing rules are in the Findings Ledger module docs.
|
||||
|
||||
The previous draft has been archived to:
|
||||
## What the Ledger Stores
|
||||
|
||||
- `docs/_archive/vuln/findings-ledger.md`
|
||||
- **Finding records:** enriched, policy-derived findings (with references to advisories/VEX/SBOM/reachability and explain traces).
|
||||
- **History:** append-only state transitions with actor identity, justification, and timestamps (UTC).
|
||||
- **Triage actions:** discrete operator actions (comment, assignment, mitigation note, ticket link) with immutable provenance.
|
||||
|
||||
## Replay and Verification
|
||||
|
||||
- Replay reconstructs derived state from append-only history/actions and compares deterministic digests.
|
||||
- Offline bundles include the ledger exports plus integrity metadata so auditors can verify without trusting a live service.
|
||||
|
||||
## References
|
||||
|
||||
- Findings Ledger schema: `docs/modules/findings-ledger/schema.md`
|
||||
- Merkle anchoring policy: `docs/modules/findings-ledger/merkle-anchor-policy.md`
|
||||
- Vulnerability Explorer dossier: `docs/modules/vuln-explorer/architecture.md`
|
||||
|
||||
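Review bot: the Replay and Verification section says replay "compares deterministic digests" but does not say what is digested or how ordering is canonicalised; since the page itself states that "the authoritative schema and hashing rules are in the Findings Ledger module docs", the bullet should link directly to `docs/modules/findings-ledger/merkle-anchor-policy.md` so readers do not have to guess which document defines the digest. The History bullet mentions timestamps in UTC; if replay ordering depends on those timestamps rather than on a sequence number, that is worth stating, because clock skew between writers would otherwise make "deterministic replay" an overstatement. The pointer to `docs/_archive/vuln/findings-ledger.md` is dropped here as well; treat the archive copies consistently across all three rewritten pages.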