feat: Add archived advisories and implement smart-diff as a core evidence primitive

- Introduced new advisory documents for archived superseded advisories, including detailed descriptions of features already implemented or covered by existing sprints. - Added "Smart-Diff as a Core Evidence Primitive" advisory outlining the treatment of SBOM diffs as first-class evidence objects, enhancing vulnerability verdicts with deterministic replayability. - Created "Visual Diffs for Explainable Triage" advisory to improve user experience in understanding policy decisions and reachability changes through visual diffs. - Implemented "Weighted Confidence for VEX Sources" advisory to rank conflicting vulnerability evidence based on freshness and confidence, facilitating better decision-making. - Established a signer module charter detailing the mission, expectations, key components, and signing modes for cryptographic signing services in StellaOps. - Consolidated overlapping concepts from triage UI, visual diffs, and risk budget visualization advisories into a unified specification for better clarity and implementation tracking.
2025-12-26 13:01:43 +02:00
parent 22390057fc
commit 7792749bb4
50 changed files with 6844 additions and 130 deletions
--- a/docs/product-advisories/26-Dec-2026
+++ b/docs/product-advisories/26-Dec-2026
@@ -1,11 +1,49 @@
-Here’s a compact blueprint for a **binary‑level knowledge base** that maps ELF Build‑IDs / PE signatures to vulnerable functions, patch lineage, and reachability hints—so your scanner can act like a provenance‑aware “binary oracle,” not just a CVE lookup.
+# Mapping a Binary Intelligence Graph
+
+> **Status:** SUPERSEDED
+> **Date:** 2026-12-26
+> **Updated:** 2025-12-26
+> **Superseded By:** BinaryIndex Module Architecture
+> **Related Sprints:** [`SPRINT_20251226_011_BINIDX_known_build_catalog.md`](../implplan/SPRINT_20251226_011_BINIDX_known_build_catalog.md), [`SPRINT_20251226_012_BINIDX_backport_handling.md`](../implplan/SPRINT_20251226_012_BINIDX_backport_handling.md), [`SPRINT_20251226_013_BINIDX_fingerprint_factory.md`](../implplan/SPRINT_20251226_013_BINIDX_fingerprint_factory.md), [`SPRINT_20251226_014_BINIDX_scanner_integration.md`](../implplan/SPRINT_20251226_014_BINIDX_scanner_integration.md)
+
+---
+
+## Supersession Notice
+
+This advisory has been **superseded** by the comprehensive BinaryIndex module architecture. All proposals in this advisory are covered by the existing design:
+
+| Advisory Proposal | Implementation | Location |
+|-------------------|----------------|----------|
+| artifacts table | `binaries.binary_identity` | `docs/modules/binaryindex/architecture.md` |
+| symbols table | `BinaryFeatures` in `IBinaryFeatureExtractor` | `src/BinaryIndex/__Libraries/.../Services/` |
+| vuln_segments (byte_sig/patch_sig) | `VulnFingerprint` model | `src/BinaryIndex/__Libraries/.../Fingerprints/` |
+| matches table | `FingerprintMatch` model | `src/BinaryIndex/__Libraries/.../Fingerprints/` |
+| reachability_hints | `ReachabilityStatus` enum | `src/BinaryIndex/__Libraries/.../Models/` |
+| Build-ID/PE indexer | `ElfFeatureExtractor`, `IBinaryFeatureExtractor` | `src/BinaryIndex/__Libraries/.../Services/` |
+| Patch-aware handling | `FixEvidence`, changelog/patch parsers | `src/BinaryIndex/__Libraries/.../FixIndex/` |
+| Corpus connectors | `DebianCorpusConnector`, `IBinaryCorpusConnector` | `src/BinaryIndex/__Libraries/.../Corpus/` |
+
+### Related Archived Advisories
+
+- `18-Dec-2025 - Building Better Binary Mapping and Call‑Stack Reachability.md`
+- `23-Dec-2026 - Binary Mapping as Attestable Proof.md`
+
+### Related Active Advisories
+
+- `25-Dec-2025 - Evolving Evidence Models for Reachability.md` - Runtime → build braid, eBPF sampling
+
+---
+
+## Original Advisory Content
+
+Here's a compact blueprint for a **binary‑level knowledge base** that maps ELF Build‑IDs / PE signatures to vulnerable functions, patch lineage, and reachability hints—so your scanner can act like a provenance‑aware "binary oracle," not just a CVE lookup.

 ---

 # Why this matters (in plain terms)

 * **Same version ≠ same risk.** Distros (and vendors) frequently **backport** fixes without bumping versions. Only the **binary** tells the truth.
-* **Function‑level matching** turns noisy “package has CVE” into precise “this exact function range is vulnerable in your binary.”
+* **Function‑level matching** turns noisy "package has CVE" into precise "this exact function range is vulnerable in your binary."
 * **Reachability hints** cut triage noise by ranking vulns the code path can actually hit at runtime.

 ---
@@ -40,7 +78,7 @@ Keep it tiny so it grows with real evidence:
 * `patch_sig` (pattern from fixed hunk)
 * `evidence_ref` (link to patch diff, commit, or NVD note)
 * `backport_flag` (bool)
-* `introduced_in`, `fixed_in` (semver-ish text; note “backport” when used)
+* `introduced_in`, `fixed_in` (semver-ish text; note "backport" when used)

 **matches**

@@ -57,7 +95,7 @@ Keep it tiny so it grows with real evidence:

 ---

-# How the oracle answers “Am I affected?”
+# How the oracle answers "Am I affected?"

 1. **Identify**: Look up by Build‑ID / PE signature; fall back to file hash.
 2. **Locate**: Map symbols → address ranges; scan for `byte_sig`/`patch_sig`.
@@ -81,10 +119,10 @@ Keep it tiny so it grows with real evidence:

 ---

-# Deterministic verdicts (fit to Stella Ops)
+# Deterministic verdicts (fit to Stella Ops)

 * **Inputs**: `(artifact fingerprint, vuln_segments@version, reachability@policy)`
-* **Output**: **Signed OCI attestation** “verdict.json” (same inputs → same verdict).
+* **Output**: **Signed OCI attestation** "verdict.json" (same inputs → same verdict).
 * **Replay**: keep rule bundle & feed hashes for audit.
 * **Backport precedence**: `patch_sig` beats package version claims every time.

@@ -94,7 +132,7 @@ Keep it tiny so it grows with real evidence:

 * Add a **Build‑ID/PE indexer** to Scanner.
 * Teach Feedser/Vexer to ingest `vuln_segments` (with `byte_sig`/`patch_sig`).
-* Implement matching + verdict attestation; surface **“Backported & Safe”** vs **“Affected & Reachable”** badges in UI.
+* Implement matching + verdict attestation; surface **"Backported & Safe"** vs **"Affected & Reachable"** badges in UI.
 * Seed DB with 10 high‑impact CVEs (OpenSSL, zlib, xz, glibc, libxml2, curl, musl, busybox, OpenSSH, sudo).

 ---
@@ -135,11 +173,3 @@ create table reachability_hints(
  symbol_name text, hint_type text, weight int
 );
 ```
-
---
-
-If you want, I can:
-
-* drop in a tiny **.NET 10** matcher (ELF/PE parsers + byte‑window scanner),
-* wire verdicts as **OCI attestations** in your current pipeline,
-* and prep the first **10 CVE byte/patch signatures** to seed the DB.