old sprints work, new sprints for exposing functionality via cli, improve code_of_conduct and other agents instructions

2026-01-15 18:37:59 +02:00
parent c631bacee2
commit 88a85cdd92
208 changed files with 32271 additions and 2287 deletions
--- a/docs/modules/cli/guides/commands/evidence-bundle-format.md
+++ b/docs/modules/cli/guides/commands/evidence-bundle-format.md
@@ -54,6 +54,9 @@ evidence-{findingId}/
 ├── README.md                  # Human-readable documentation
 ├── sbom.cdx.json             # CycloneDX SBOM slice
 ├── reachability.json         # Reachability analysis data
+├── binary-diff.json          # Binary diff evidence (if available)
+├── binary-diff.dsse.json     # Signed binary diff envelope (if attested)
+├── delta-proof.json          # Semantic fingerprint diff summary (if available)
 ├── vex/
 │   ├── vendor.json           # Vendor VEX statements
 │   ├── nvd.json              # NVD VEX data
@@ -322,6 +325,80 @@ done
 | `.md` | `text/markdown` | Markdown documentation |
 | `.txt` | `text/plain` | Plain text |

+## Binary Diff Evidence Files
+
+> Sprint: SPRINT_20260112_009_SCANNER_binary_diff_bundle_export (BINDIFF-SCAN-003)
+
+Evidence bundles may include binary diff files when comparing binary artifacts across versions:
+
+### binary-diff.json
+
+Contains binary diff evidence comparing current and previous binary versions:
+
+```json
+{
+  "status": "available",
+  "diffType": "semantic",
+  "previousBinaryDigest": "sha256:abc123...",
+  "currentBinaryDigest": "sha256:def456...",
+  "similarityScore": 0.95,
+  "functionChangeCount": 3,
+  "securityChangeCount": 1,
+  "functionChanges": [
+    {
+      "functionName": "process_input",
+      "operation": "modified",
+      "previousHash": "sha256:...",
+      "currentHash": "sha256:..."
+    }
+  ],
+  "securityChanges": [
+    {
+      "changeType": "mitigation_added",
+      "description": "Stack canaries enabled",
+      "severity": "info"
+    }
+  ],
+  "semanticDiff": {
+    "previousFingerprint": "fp:abc...",
+    "currentFingerprint": "fp:def...",
+    "similarityScore": 0.92,
+    "semanticChanges": ["control_flow_modified"]
+  }
+}
+```
+
+### binary-diff.dsse.json
+
+DSSE-signed wrapper when binary diff evidence is attested:
+
+```json
+{
+  "payloadType": "application/vnd.stellaops.binary-diff+json",
+  "payload": { /* binary-diff.json content */ },
+  "attestationRef": {
+    "id": "attest-12345",
+    "rekorLogIndex": 123456789,
+    "bundleDigest": "sha256:..."
+  }
+}
+```
+
+### delta-proof.json
+
+Semantic fingerprint summary for quick verification:
+
+```json
+{
+  "previousFingerprint": "fp:abc...",
+  "currentFingerprint": "fp:def...",
+  "similarityScore": 0.92,
+  "semanticChanges": ["control_flow_modified", "data_flow_changed"],
+  "functionChangeCount": 3,
+  "securityChangeCount": 1
+}
+```
+
 ## See Also

 - [stella scan replay Command Reference](../cli/guides/commands/scan-replay.md)