old sprints work, new sprints for exposing functionality via cli, improve code_of_conduct and other agents instructions

2026-01-15 18:37:59 +02:00
parent c631bacee2
commit 88a85cdd92
208 changed files with 32271 additions and 2287 deletions
--- a/docs/api/findings-scoring.md
+++ b/docs/api/findings-scoring.md
@@ -112,6 +112,111 @@ Content-Type: application/json
 }
 ```

+### Attested-Reduction Mode (v1.1)
+
+When attested-reduction scoring is enabled on the policy, the response includes additional fields for cryptographic attestation metadata and reduction profile information.
+
+**Extended Response (200 OK) with Reduction Mode:**
+```json
+{
+  "findingId": "CVE-2024-1234@pkg:deb/debian/curl@7.64.0-4",
+  "score": 0,
+  "bucket": "Watchlist",
+  "inputs": { "rch": 0.00, "rts": 0.00, "bkp": 1.00, "xpl": 0.30, "src": 0.90, "mit": 1.00 },
+  "weights": { "rch": 0.30, "rts": 0.25, "bkp": 0.15, "xpl": 0.15, "src": 0.10, "mit": 0.10 },
+  "flags": ["anchored-vex", "vendor-na", "attested-reduction"],
+  "explanations": [
+    "Anchored VEX statement: not_affected - score reduced to 0"
+  ],
+  "caps": { "speculativeCap": false, "notAffectedCap": false, "runtimeFloor": false },
+  "policyDigest": "sha256:reduction123...",
+  "calculatedAt": "2026-01-15T14:30:00Z",
+  "cachedUntil": "2026-01-15T15:30:00Z",
+  "fromCache": false,
+  "reductionProfile": {
+    "enabled": true,
+    "mode": "aggressive",
+    "profileId": "attested-verified",
+    "maxReductionPercent": 100,
+    "requireVexAnchoring": true,
+    "requireRekorVerification": true
+  },
+  "hardFail": false,
+  "shortCircuitReason": "anchored_vex_not_affected",
+  "anchor": {
+    "anchored": true,
+    "envelopeDigest": "sha256:abc123def456...",
+    "predicateType": "https://stellaops.io/attestation/vex/v1",
+    "rekorLogIndex": 12345678,
+    "rekorEntryId": "24296fb24b8ad77a7e...",
+    "scope": "finding",
+    "verified": true,
+    "attestedAt": "2026-01-14T10:00:00Z"
+  }
+}
+```
+
+### Attested-Reduction Fields
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `reductionProfile` | object | Reduction profile configuration (when enabled) |
+| `reductionProfile.enabled` | boolean | Whether attested-reduction is active |
+| `reductionProfile.mode` | string | `"aggressive"` or `"conservative"` |
+| `reductionProfile.profileId` | string | Profile identifier for audit trail |
+| `reductionProfile.maxReductionPercent` | integer | Maximum score reduction allowed (0-100) |
+| `reductionProfile.requireVexAnchoring` | boolean | Whether VEX must be anchored to qualify |
+| `reductionProfile.requireRekorVerification` | boolean | Whether Rekor verification is required |
+| `hardFail` | boolean | `true` if anchored evidence confirms active exploitation |
+| `shortCircuitReason` | string | Reason for short-circuit (if score was short-circuited) |
+| `anchor` | object | Primary evidence anchor metadata (if available) |
+
+### Short-Circuit Reasons
+
+| Reason | Score Effect | Condition |
+|--------|--------------|-----------|
+| `anchored_vex_not_affected` | Score = 0 | Verified VEX not_affected/fixed attestation |
+| `anchored_affected_runtime_confirmed` | Score = 100 (hard fail) | Anchored VEX affected + anchored runtime confirms vulnerability |
+
+### Evidence Anchor Fields
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `anchor.anchored` | boolean | Whether evidence has cryptographic attestation |
+| `anchor.envelopeDigest` | string | DSSE envelope digest (sha256 hex) |
+| `anchor.predicateType` | string | Attestation predicate type URL |
+| `anchor.rekorLogIndex` | integer | Sigstore Rekor transparency log index |
+| `anchor.rekorEntryId` | string | Rekor entry UUID |
+| `anchor.scope` | string | Attestation scope (finding, package, image) |
+| `anchor.verified` | boolean | Whether attestation signature was verified |
+| `anchor.attestedAt` | string | ISO-8601 attestation timestamp |
+
+### Hard-Fail Response Example
+
+When anchored evidence confirms active exploitation:
+
+```json
+{
+  "findingId": "CVE-2024-9999@pkg:npm/critical@1.0.0",
+  "score": 100,
+  "bucket": "ActNow",
+  "flags": ["anchored-vex", "anchored-runtime", "hard-fail", "attested-reduction"],
+  "explanations": [
+    "Anchored VEX affected + runtime confirmed vulnerable path - hard fail"
+  ],
+  "hardFail": true,
+  "shortCircuitReason": "anchored_affected_runtime_confirmed",
+  "reductionProfile": {
+    "enabled": true,
+    "mode": "aggressive",
+    "profileId": "attested-verified",
+    "maxReductionPercent": 100,
+    "requireVexAnchoring": true,
+    "requireRekorVerification": true
+  }
+}
+```
+
 ### Score Buckets

 | Bucket | Score Range | Action |