stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

more features checks. setup improvements

Browse Source
This commit is contained in:
master
2026-02-13 02:04:55 +02:00
parent 9911b7d73c
commit 9ca2de05df
675 changed files with 37550 additions and 1826 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
docs/features/checked/concelier/vex-conflict-resolution.md Normal file
View File

@@ -0,0 +1,28 @@
# VEX conflict resolution (side-by-side merge with provenance)
## Module
Concelier
## Status
IMPLEMENTED
## Description
VEX conflict resolver and consensus engine merge statements from multiple sources with rationale models explaining merge outcomes.
## Implementation Details
- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/`
- **Key Classes**:
- `VexConflictResolver` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConflictResolver.cs`) - resolves conflicts between VEX statements from multiple sources with provenance-based precedence
- `VexConsumptionReporter` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionReporter.cs`) - reports VEX consumption outcomes and merge rationale
- `VexConsumptionPolicyLoader` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicyLoader.cs`) - loads VEX consumption policies defining merge rules
- `VexConsumptionPolicyDefaults` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicy.cs`) - default merge policy configuration
- `VexConsumptionOptions` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionOptions.cs`) - options for VEX consumption behavior
- **Interfaces**: `IVexConflictResolver`, `IVexConsumptionReporter`, `IVexConsumptionPolicyLoader`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Submit two conflicting VEX statements (affected vs not_affected) for the same CVE+product and verify the resolver produces a merged outcome with rationale
- [ ] Verify provenance-based precedence: vendor VEX statement takes precedence over community source
- [ ] Verify `VexConsumptionReporter` emits a report explaining why one statement won over another
- [ ] Verify policy-based resolution: load a custom merge policy and confirm it changes the resolution outcome
- [ ] Verify side-by-side preservation: both original statements remain accessible after merge