stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat: Add archived advisories and implement smart-diff as a core evidence primitive

Browse Source 
- Introduced new advisory documents for archived superseded advisories, including detailed descriptions of features already implemented or covered by existing sprints.
- Added "Smart-Diff as a Core Evidence Primitive" advisory outlining the treatment of SBOM diffs as first-class evidence objects, enhancing vulnerability verdicts with deterministic replayability.
- Created "Visual Diffs for Explainable Triage" advisory to improve user experience in understanding policy decisions and reachability changes through visual diffs.
- Implemented "Weighted Confidence for VEX Sources" advisory to rank conflicting vulnerability evidence based on freshness and confidence, facilitating better decision-making.
- Established a signer module charter detailing the mission, expectations, key components, and signing modes for cryptographic signing services in StellaOps.
- Consolidated overlapping concepts from triage UI, visual diffs, and risk budget visualization advisories into a unified specification for better clarity and implementation tracking.
This commit is contained in:
StellaOps Bot
2025-12-26 13:01:43 +02:00
parent 22390057fc
commit 7792749bb4
50 changed files with 6844 additions and 130 deletions
Download Patch File Download Diff File Expand all files Collapse all files

123
docs/product-advisories/archived/2025-12-26-superseded/25-Dec-2025 - Implementing Diff‑Aware Release Gates.md Normal file
View File

@@ -0,0 +1,123 @@
Heres a simple, practical way to make **release gates** that autodecide if a build is “routine” or “risky” by comparing the *semantic delta* across SBOMs, VEX data, and dependency graphs—so product managers can approve (or defer) with evidence, not guesswork.
### What this means (quick background)
* **SBOM**: a bill of materials for your build (what components you ship).
* **VEX**: vendor statements about whether known CVEs actually affect a product/version.
* **Dependency graph**: how components link together at build/runtime.
* **Semantic delta**: not just “files changed,” but “riskrelevant meaning changed” (e.g., new reachable vuln path, new privileged capability, downgraded VEX confidence).
---
### The gates core signal (one line)
**Risk Verdict = f(ΔSBOM, ΔReachability, ΔVEX, ΔConfig/Capabilities, ΔExploitability)** → Routine | Review | Block
---
### Minimal data you need per release
* **SBOM (CycloneDX/SPDX)** for previous vs current release.
* **Reachability subgraph**: which vulnerable symbols/paths are actually callable (source, package, binary, or eBPF/runtime).
* **VEX claims** merged from vendors/distros/internal (with trust scores).
* **Policy knobs**: env tier (prod vs dev), allowed unknowns, max risk budget, critical assets list.
* **Exploit context**: EPSS/CISA KEV or your internal exploit sighting, if available.
---
### How to compute the semantic delta (fast path)
1. **Component delta**: new/removed/updated packages → tag each change with severity (critical/securityrelevant vs cosmetic).
2. **Vulnerability delta**:
* New CVEs introduced?
* Old CVEs now mitigated (patch/backport) or declared **notaffected** via VEX?
* Any VEX status regressions (e.g., “notaffected” → “underinvestigation”)?
3. **Reachability delta**:
* Any *new* callpaths to vulnerable functions?
* Any risk removed (path eliminated via config/featureflag/off by default)?
4. **Config/capabilities delta**:
* New container perms (NET_ADMIN, SYS_ADMIN), new open ports, new outbound calls.
* New data flows to sensitive stores.
5. **Exploitability delta**:
* EPSS/KEV jumps; active exploitation signals.
---
### A tiny, useful scoring rubric (defaults you can ship)
* Start at 0. Add:
* +6 if any **reachable** critical vuln (no valid VEX “notaffected”).
* +4 if any **reachable** high vuln.
* +3 if new sensitive capability added (e.g., NET_ADMIN) or new public port opened.
* +2 if VEX status regressed (NA→U/I or Affected).
* +1 per unknown package origin or unsigned artifact (cap at +5).
* Subtract:
* 3 per *proven* mitigation (valid VEX NA with trusted source + reachability proof).
* 2 if vulnerable path is demonstrably gated off in target env (feature flag off + policy evidence).
* Verdict:
* **03** → Routine (autoapprove)
* **47** → Review (PM/Eng signoff)
* **≥8** → Block (require remediation/exception)
*(Tune thresholds per env: e.g., prod stricter than staging.)*
---
### What PMs see (clean UI)
* **Badge**: Routine / Review / Block.
* **Why** (35 bullets):
* “Added `libpng` 1.6.43 (new), CVEXXXX reachable via `DecodePng()`
* “Vendor VEX for `libssl` says notaffected (function not built)”
* “Container gained `CAP_NET_RAW`
* **Evidence buttons**:
* “Show reachability slice” (mini graph)
* “Show VEX sources + trust”
* “Show SBOM diff”
* **Call to action**:
* “Autoremediate to 1.6.44” / “Mark exception” / “Open fix PR”
---
### Exception workflow (auditable)
* Exception must include: scope, expiry, compensating controls, owner, and linked evidence (reachability/VEX).
* Gate reevaluates each release; expired exceptions autofail the gate.
---
### How to wire it into CI/CD (quick recipe)
1. Generate SBOM + reachability slice for `prev` and `curr`.
2. Merge VEX from vendor/distro/internal with trust scoring.
3. Run **Delta Evaluator** → score + verdict + evidence bundle (JSON + attestation).
4. Gate policy checks score vs environment thresholds.
5. Publish an **OCIattached attestation** (DSSE/intoto) so auditors can replay: *same inputs → same verdict*.
---
### Starter policy you can copy
* **Prod**: block on any reachable Critical; review on any reachable High; unknowns ≤ 2; no new privileged caps without exception.
* **Preprod**: review on reachable High/Critical; unknowns ≤ 5.
* **Dev**: allow but flag; collect evidence.
---
### Why this helps immediately
* PMs get **evidencebacked** green/yellow/red, not CVE walls.
* Engineers get **actionable deltas** (what changed that matters).
* Auditors get **replayable proofs** (deterministic verdicts + inputs).
If you want, I can turn this into a readytodrop spec for StellaOps (modules, JSON schemas, attestation format, and a tiny React panel mock) so your team can implement the gate this sprint.

61
docs/product-advisories/archived/2025-12-26-superseded/26-Dec-2026 - Diff‑Aware Releases and Auditable Exceptions.md Normal file
View File

@@ -0,0 +1,61 @@
Heres a tight, practical pattern you can lift for StellaOps: **make exceptions firstclass, auditable objects** and **gate releases on risk deltas (diffaware checks)**—mirroring what top scanners do, but with stronger evidence and autorevalidation.
### 1) Exceptions as auditable objects
Competitor cues
* **Snyk** lets users ignore issues with a required reason and optional expiry (UI/CLI; `.snyk` policy). Ignored items can autoresurface when a fix exists. ([Snyk User Docs][1])
* **Anchore** models **policy allowlists** (named sets of exceptions) applied during evaluation/mapping. ([Anchore Documentation][2])
* **Prisma Cloud** supports vulnerability rules/CVE exceptions to soften or block findings. ([Prisma Cloud][3])
What to ship (StellaOps)
* **Exception entity**: `{scope, subject(CVE/pkg/path), reason(text), evidenceRefs[], createdBy, createdAt, expiresAt?, policyBinding, signature}`
* **Signed rationale + evidence**: require a justification plus **linked proofs** (attestation IDs, VEX note, reachability subgraph slice). Store as an **OCIattached attestation** to the SBOM/VEX artifact.
* **Autoexpiry & revalidation gates**: scheduler retests on expiry or when feeds mark “fix available / EPSS ↑ / reachability ↑”; on failure, **flip gate to “needs rereview”** and notify.
* **Audit view**: timeline of exception lifecycle; show who/why, evidence, and rechecks; exportable as an “audit pack.”
* **Policy hooks**: “allow only if: reason ∧ evidence present ∧ max TTL ≤ X ∧ owner = teamY.”
* **Inheritance**: repo→image→env scoping with explicit shadowing (surface conflicts).
### 2) Diffaware release gates (“delta verdicts”)
Competitor cues
* **Snyk PR Checks** scan *changes* and gate merges with a severity threshold; results show issue diffs per PR. ([Snyk User Docs][4])
What to ship (StellaOps)
* **Graph deltas**: on each commit/image, compute `Δ(SBOM graph, reachability graph, VEX claims)`.
* **Delta verdict** (signed, replayable): `PASS | WARN | FAIL` + **proof links** to:
* attestation bundle (intoto/DSSE),
* **reachability subgraph** showing new execution paths to vulnerable symbols,
* policy evaluation trace.
* **Sidebyside UI**: “before vs after” risks; highlight *newly reachable* vulns and *fixed/mitigated* ones; oneclick **Create Exception** (enforces reason+evidence+TTL).
* **Enforcement knobs**: perbranch/env risk budgets; fail if `unknowns > N` or if any exception lacks evidence/TTL.
* **Supply chain scope**: run the same gate on baseimage bumps and dependency updates.
### Minimal data model (sketch)
* `Exception`: id, scope, subject, reason, evidenceRefs[], ttl, status, sig.
* `DeltaVerdict`: id, baseRef, headRef, changes[], policyOutcome, proofs[], sig.
* `Proof`: type(`attestation|reachability|vex|log`), uri, hash.
### CLI / API ergonomics (examples)
* `stella exception create --cve CVE-2025-1234 --scope image:repo/app:tag --reason "Feature disabled" --evidence att:sha256:… --ttl 30d`
* `stella verify delta --from abc123 --to def456 --policy prod.json --print-proofs`
### Guardrails out of the box
* **No silent ignores**: exceptions are visible in results (action changes, not deletion)—same spirit as Anchore. ([Anchore Documentation][2])
* **Resurface on fix**: if a fix exists, force rereview (parity with Snyk behavior). ([Snyk User Docs][1])
* **Rulebased blocking**: allow “hard/soft fail” like Prisma enforcement. ([Prisma Cloud][5])
If you want, I can turn this into a short product spec (API + UI wireframe + policy snippets) tailored to your StellaOps modules (Policy Engine, Vexer, Attestor).
[1]: https://docs.snyk.io/manage-risk/prioritize-issues-for-fixing/ignore-issues?utm_source=chatgpt.com "Ignore issues | Snyk User Docs"
[2]: https://docs.anchore.com/current/docs/overview/concepts/policy/policies/?utm_source=chatgpt.com "Policies and Evaluation"
[3]: https://docs.prismacloud.io/en/compute-edition/22-12/admin-guide/vulnerability-management/configure-vuln-management-rules?utm_source=chatgpt.com "Vulnerability management rules - Prisma Cloud Documentation"
[4]: https://docs.snyk.io/scan-with-snyk/pull-requests/pull-request-checks?utm_source=chatgpt.com "Pull Request checks | Snyk User Docs"
[5]: https://docs.prismacloud.io/en/enterprise-edition/content-collections/application-security/risk-management/monitor-and-manage-code-build/enforcement?utm_source=chatgpt.com "Enforcement - Prisma Cloud Documentation"

71
docs/product-advisories/archived/2025-12-26-superseded/26-Dec-2026 - Reachability as Cryptographic Proof.md Normal file
View File

@@ -0,0 +1,71 @@
Heres a crisp way to think about “reachability” that makes triage sane and auditable: **treat it like a cryptographic proof**—a minimal, reproducible chain that shows *why* a vuln can (or cannot) hit runtime.
### The idea (plain English)
* **Reachability** asks: “Could data flow from an attacker to the vulnerable code path during real execution?”
* **Proof-carrying reachability** says: “Dont just say yes/no—hand me a *proof chain* I can re-run.”
Think: the shortest, lossless breadcrumb trail from entrypoint → sinks, with the exact build + policy context that made it true.
### What the “proof” contains
1. **Scope hash**: content digests for artifact(s) (image layers, SBOM nodes, commit IDs, compiler flags).
2. **Policy hash**: the decision rules used (e.g., “prod disallows unknowns > 0”; “vendor VEX outranks distro unless backport tag present”).
3. **Graph snippet**: the *minimal subgraph* (call/data/control edges) that connects:
* external entrypoint(s) → user-controlled sources → validators (if any) → vulnerable function(s)/sink(s).
4. **Conditions**: feature flags, env vars, platform guards, version ranges, eBPF-observed edges (if present).
5. **Verdict** (signed): A → {Affected | Not Affected | Under-Constrained} with reason codes.
6. **Replay manifest**: the inputs needed to recompute the same verdict (feeds, rules, versions, hashes).
### Why this helps
* **Auditable**: Every “Not Affected” is defensible (no hand-wavy “scanner says so”).
* **Deterministic**: Same inputs → same verdict (great for change control and regulators).
* **Compact**: You store only the *minimal subgraph*, not the whole monolith.
### Minimal proof example (sketch)
* Artifact: `svc.payments:1.4.7` (image digest `sha256:…`)
* CVE: `CVE-2024-XYZ` in `libyaml 0.2.5`
* Entry: `POST /import`, body → `YamlDeserializer.Parse`
* Guards: none (no schema/whitelist prior to parse)
* Edge chain: `HttpBody → Parse(bytes) → LoadNode() → vulnerable_path()`
* Condition: feature flag `BULK_IMPORT=true`
* Verdict: **Affected**
* Signed DSSE envelope over {scope hash, policy hash, graph snippet JSON, conditions, verdict}.
### How to build it (practical checklist)
* **During build**
* Emit SBOM (source & binary) with function/file symbols where possible.
* Capture compiler/linker flags; normalize paths; include feature flags default state.
* **During analysis**
* Static: slice the call graph to the *shortest* source→sink chain; attach type-state facts (e.g., “validated length”).
* Deps: map CVEs to precise symbol/ABI surfaces (not just package names).
* Backports: require explicit evidence (patch IDs, symbol presence) before downgrading severity.
* **During runtime (optional but strong)**
* eBPF trace to confirm edges observed; store hashes of kprobes/uprobes programs and sampling window.
* **During decisioning**
* Apply merge policy (vendor VEX, distro notes, internal tests) deterministically; hash the policy.
* Emit one DSSE/attestation per verdict; include replay manifest.
### UI that wont overwhelm
* **Default card**: Verdict + “Why?” (one-line chain) + “Replay” button.
* **Expand**: shows the 510 edge subgraph, conditions, and signed envelope.
* **Compare builds**: side-by-side proof deltas (edges added/removed, policy change, backport flip).
### Operating modes
* **Strict** (prod): Unknowns → fail-closed; proofs required for Not Affected.
* **Lenient** (dev): Unknowns tolerated; proofs optional but encouraged; allow “Under-Constrained”.
### What to measure
* Proof generation rate, median proof size (KB), replay success %, proof dedup ratio, and “unknowns” burn-down.
If you want, I can turn this into a ready-to-ship spec for StellaOps (attestation schema, JSON examples, API routes, and a tiny .NET verifier).

86
docs/product-advisories/archived/2025-12-26-superseded/26-Dec-2026 - Smart‑Diff as a Core Evidence Primitive.md Normal file
View File

@@ -0,0 +1,86 @@
Heres a crisp idea you can put to work right away: **treat SBOM diffs as a firstclass, signed evidence object**—not just “what components changed,” but also **VEX claim deltas** and **attestation (intoto/DSSE) deltas**. This makes vulnerability verdicts **deterministically replayable** and **auditready** across release gates.
### Why this matters (plain speak)
* **Less noise, faster go/nogo:** Only retriage what truly changed (package, reachability, config, or vendor stance), not the whole universe.
* **Deterministic audits:** Same inputs → same verdict. Auditors can replay checks exactly.
* **Tighter release gates:** Policies evaluate the *delta verdict*, not raw scans.
### Evidence model (minimal but complete)
* **Subject:** OCI digest of image/artifact.
* **Baseline:** SBOMG (graph hash), VEX set hash, policy + rules hash, feed snapshots (CVE JSON digests), toolchain + config hashes.
* **Delta:**
* `components_added/removed/updated` (with semver + source/distro origin)
* `reachability_delta` (edges added/removed in call/file/path graph)
* `settings_delta` (flags, env, CAPs, eBPF signals)
* `vex_delta` (perCVE claim transitions: *affected → not_affected → fixed*, with reason codes)
* `attestation_delta` (buildprovenance step or signer changes)
* **Verdict:** Signed “delta verdict” (allow/block/risk_budget_consume) with rationale pointers into the deltas.
* **Provenance:** DSSE envelope, intoto link to baseline + new inputs.
### Deterministic replay contract
Pin and record:
* Feed snapshots (CVE/VEX advisories) + hashes
* Scanner versions + rule packs + lattice/policy version
* SBOM generator version + mode (CycloneDX 1.6 / SPDX 3.0.1)
* Reachability engine settings (language analyzers, eBPF taps)
* Merge semantics ID (see below)
Replayer rehydrates these **exact** inputs and must reproduce the same verdict bitforbit.
### Merge semantics (stop “vendor > distro > internal” naïveté)
Define a policycontrolled lattice for claims, e.g.:
* **Orderings:** `exploit_observed > affected > under_investigation > fixed > not_affected`
* **Source weights:** vendor, distro, internal SCA, runtime sensor, pentest
* **Conflict rules:** tiebreaks, quorum, freshness windows, required evidence hooks (e.g., “not_affected because feature flag X=off, proven by config attestation Y”)
### Where it lives in the product
* **UI:** “Diff & Verdict” panel on each PR/build → shows SBOM/VEX/attestation deltas and the signed delta verdict; oneclick export of the DSSE envelope.
* **API/Artifact:** Publish as an **OCIattached attestation** (`application/vnd.stella.delta-verdict+json`) alongside SBOM + VEX.
* **Pipelines:** Release gate consumes only the delta verdict (fast path); full scan can run asynchronously for deep telemetry.
### Minimal schema sketch (JSON)
```json
{
"subject": {"ociDigest": "sha256:..."},
"inputs": {
"feeds": [{"type":"cve","digest":"sha256:..."},{"type":"vex","digest":"sha256:..."}],
"tools": {"sbomer":"1.6.3","reach":"0.9.0","policy":"lattice-2025.12"},
"baseline": {"sbomG":"sha256:...","vexSet":"sha256:..."}
},
"delta": {
"components": {"added":[...],"removed":[...],"updated":[...]},
"reachability": {"edgesAdded":[...],"edgesRemoved":[...]},
"settings": {"changed":[...]},
"vex": [{"cve":"CVE-2025-1234","from":"affected","to":"not_affected","reason":"config_flag_off","evidenceRef":"att#cfg-42"}],
"attestations": {"changed":[...]}
},
"verdict": {"decision":"allow","riskBudgetUsed":2,"policyId":"lattice-2025.12","explanationRefs":["vex[0]","reachability.edgesRemoved[3]"]},
"signing": {"dsse":"...","signer":"stella-authority"}
}
```
### Rollout checklist (StellaOps framing)
* **Sbomer:** emit **graphhash** (stable canonicalization) and diff vs previous SBOMG.
* **Vexer:** compute VEX claim deltas + reason codes; apply lattice merge; expose `vexDelta[]`.
* **Attestor:** snapshot feed digests, tool/rule versions, and config; produce DSSE bundle.
* **Policy Engine:** evaluate deltas → produce **delta verdict** with strict replay semantics.
* **Router/Timeline:** store delta verdicts as auditable objects; enable “replay build N” button.
* **CLI/CI:** `stella delta-verify --subject <digest> --envelope delta.json.dsse` → must return identical verdict.
### Guardrails
* Canonicalize and sort everything before hashing.
* Record unknowns explicitly and let policy act on them (e.g., “fail if unknowns > N in prod”).
* No network during replay except to fetch pinned digests.
If you want, I can draft the precise CycloneDX extension fields + an OCI media type registration, plus .NET 10 interfaces for Sbomer/Vexer/Attestor to emit/consume this today.

79
docs/product-advisories/archived/2025-12-26-superseded/README.md Normal file
View File

@@ -0,0 +1,79 @@
# Archived Superseded Advisories
**Archived:** 2025-12-26
**Reason:** Concepts already implemented or covered by existing sprints
## Advisory Status
These advisories described features that are **already substantially implemented** in the codebase or covered by existing sprint files.
| Advisory | Status | Superseded By |
|----------|--------|---------------|
| `25-Dec-2025 - Implementing DiffAware Release Gates.md` | SUPERSEDED | SPRINT_20251226_001_BE through 006_DOCS |
| `26-Dec-2026 - DiffAware Releases and Auditable Exceptions.md` | SUPERSEDED | SPRINT_20251226_003_BE_exception_approval.md |
| `26-Dec-2026 - SmartDiff as a Core Evidence Primitive.md` | SUPERSEDED | Existing DeltaVerdict library |
| `26-Dec-2026 - Reachability as Cryptographic Proof.md` | SUPERSEDED | Existing ProofChain library + SPRINT_007/009/010/011 |
## Existing Implementation
The following components already implement the advisory concepts:
### DeltaVerdict & DeltaComputer
- `src/Policy/__Libraries/StellaOps.Policy/Deltas/DeltaVerdict.cs`
- `src/Policy/__Libraries/StellaOps.Policy/Deltas/DeltaComputer.cs`
- `src/__Libraries/StellaOps.DeltaVerdict/` (complete library)
### Exception Management
- `src/Policy/__Libraries/StellaOps.Policy.Storage.Postgres/Models/ExceptionEntity.cs`
- `src/Policy/StellaOps.Policy.Engine/Adapters/ExceptionAdapter.cs`
- `src/Policy/__Libraries/StellaOps.Policy.Exceptions/` (complete library)
### ProofChain & Reachability Proofs
- `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/` (complete library):
- `Statements/ReachabilityWitnessStatement.cs` - Entry→sink proof chains
- `Statements/ReachabilitySubgraphStatement.cs` - Minimal subgraph attestation
- `Statements/ProofSpineStatement.cs` - Merkle-aggregated proof bundles
- `Predicates/ReachabilitySubgraphPredicate.cs` - Subgraph predicate
- `Identifiers/ContentAddressedIdGenerator.cs` - Content-addressed IDs
- `Merkle/DeterministicMerkleTreeBuilder.cs` - Merkle tree construction
- `Signing/ProofChainSigner.cs` - DSSE signing
- `Verification/VerificationPipeline.cs` - Proof verification
- `src/__Libraries/StellaOps.Replay.Core/ReplayManifest.cs` - Replay manifests
### Covering Sprints
- `docs/implplan/SPRINT_20251226_001_BE_cicd_gate_integration.md` - Gate endpoints, CI/CD
- `docs/implplan/SPRINT_20251226_002_BE_budget_enforcement.md` - Risk budget automation
- `docs/implplan/SPRINT_20251226_003_BE_exception_approval.md` - Exception workflows (21 tasks)
- `docs/implplan/SPRINT_20251226_004_FE_risk_dashboard.md` - Side-by-side UI
- `docs/implplan/SPRINT_20251226_005_SCANNER_reachability_extractors.md` - Language extractors
- `docs/implplan/SPRINT_20251226_006_DOCS_advisory_consolidation.md` - Documentation
- `docs/implplan/SPRINT_20251226_007_BE_determinism_gaps.md` - Determinism gaps, metrics (25 tasks)
- `docs/implplan/SPRINT_20251226_009_SCANNER_funcproof.md` - FuncProof generation (18 tasks)
- `docs/implplan/SPRINT_20251226_010_SIGNALS_runtime_stack.md` - eBPF stack capture (17 tasks)
- `docs/implplan/SPRINT_20251226_011_BE_auto_vex_downgrade.md` - Auto-VEX from runtime (16 tasks)
## Remaining Gaps Added to Sprints
Minor gaps from these advisories were added to existing sprints:
**Added to SPRINT_20251226_003_BE_exception_approval.md:**
- EXCEPT-16: Auto-revalidation job
- EXCEPT-17: Re-review gate flip on failure
- EXCEPT-18: Exception inheritance (repo→image→env)
- EXCEPT-19: Conflict surfacing for shadowed exceptions
- EXCEPT-20: OCI-attached exception attestation
- EXCEPT-21: CLI export command
**Added to SPRINT_20251226_007_BE_determinism_gaps.md:**
- DET-GAP-21: Proof generation rate metric
- DET-GAP-22: Median proof size metric
- DET-GAP-23: Replay success rate metric
- DET-GAP-24: Proof dedup ratio metric
- DET-GAP-25: "Unknowns" burn-down tracking
## Cross-References
If you arrived here via a broken link, see:
- `docs/implplan/SPRINT_20251226_*.md` for implementation tasks
- `src/Policy/__Libraries/StellaOps.Policy/Deltas/` for delta computation
- `src/__Libraries/StellaOps.DeltaVerdict/` for verdict models