stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

more features checks. setup improvements

Browse Source
This commit is contained in:
master
2026-02-13 02:04:55 +02:00
parent 9911b7d73c
commit 9ca2de05df
675 changed files with 37550 additions and 1826 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
docs/features/checked/policy/evidence-requirement-validation-for-exceptions.md Normal file
View File

@@ -0,0 +1,38 @@
# Evidence Requirement Validation for Exceptions
## Module
Policy
## Status
IMPLEMENTED
## Description
Validates that exceptions include required evidence (attestation IDs, VEX notes, reachability proofs) before approval.
## Implementation Details
- **EvidenceRequirementValidator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs`
- Validates all required evidence is present for exception approval
- Checks: attestation IDs, VEX notes, reachability proofs, security review evidence
- Evidence freshness validation: age vs MaxAge threshold
- Trust score validation: minimum score for evidence acceptance
- DSSE signature verification: validates signed evidence
- Returns detailed validation result with per-requirement status
- **ExceptionObject**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionObject.cs` -- exception model with evidence requirements
- Required evidence types defined per exception scope
- Scopes: CVE-level, package-level, finding-level
- **EvidenceHook**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/EvidenceHook.cs` -- evidence hook configuration
- Mandatory flag, MaxAge, trust score threshold, DSSE requirement
- **ExceptionEvaluator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/ExceptionEvaluator.cs` -- evaluates exception applicability with evidence checks
- **ExceptionApplication**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionApplication.cs` -- tracks exception applications with evidence snapshot
- **Exception Repositories**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Repositories/` -- persistence for exceptions and evidence
## E2E Test Plan
- [ ] Create exception requiring attestation ID; verify validation fails when attestation ID is missing
- [ ] Create exception requiring VEX note; provide valid VEX note; verify validation passes
- [ ] Create exception requiring reachability proof; provide proof; verify validation passes
- [ ] Validate evidence with expired MaxAge; verify freshness check fails
- [ ] Validate evidence with trust score below minimum; verify trust check fails
- [ ] Create exception with multiple required evidence types; provide all; verify validation passes
- [ ] Create exception with multiple required evidence types; omit one; verify validation fails with specific missing requirement
- [ ] Verify ExceptionApplication records the evidence snapshot at time of application
- [ ] Verify exception evaluator checks evidence requirements before determining applicability