notify doctors work, audit work, new product advisory sprints

2026-01-13 08:36:29 +02:00
parent b8868a5f13
commit 9ca7cb183e
343 changed files with 24492 additions and 3544 deletions
--- a/docs/examples/binary-diff/sample-outputs/attestation.dsse.json
+++ b/docs/examples/binary-diff/sample-outputs/attestation.dsse.json
@@ -0,0 +1,17 @@
+{
+  "payloadType": "stellaops.binarydiff.v1",
+  "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiZG9ja2VyOi8vcmVnaXN0cnkuZXhhbXBsZS5jb20vYXBwQHNoYTI1NjpkZWY0NTZhYmM3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1NjdlZmdoIiwiZGlnZXN0Ijp7InNoYTI1NiI6ImRlZjQ1NmFiYzc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2N2VmZ2gifX1dLCJwcmVkaWNhdGVUeXBlIjoic3RlbGxhb3BzLmJpbmFyeWRpZmYudjEiLCJwcmVkaWNhdGUiOnsiaW5wdXRzIjp7ImJhc2UiOnsiZGlnZXN0Ijoic2hhMjU2OmFiYzEyM2RlZjQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNGFiY2QifSwidGFyZ2V0Ijp7ImRpZ2VzdCI6InNoYTI1NjpkZWY0NTZhYmM3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1NjdlZmdoIn19LCJmaW5kaW5ncyI6W3sicGF0aCI6Ii91c3IvbGliL2xpYnNzbC5zby4zIiwiY2hhbmdlVHlwZSI6Im1vZGlmaWVkIiwidmVyZGljdCI6InBhdGNoZWQiLCJjb25maWRlbmNlIjowLjk1fV0sIm1ldGFkYXRhIjp7InRvb2xWZXJzaW9uIjoiMS4wLjAiLCJhbmFseXNpc1RpbWVzdGFtcCI6IjIwMjYtMDEtMTNUMTI6MDA6MDBaIn19fQ==",
+  "signatures": [
+    {
+      "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
+      "sig": "MEUCIQDKZokqnCjrRtw5EXP14JvsBwFDRPfCp9K0UoOlWGdlDQIgSNpOGPqKNLv5MNZLYc5iE7q5b3wW6K0cDpjNxBxCWdU="
+    }
+  ],
+  "_note": "This is a sample DSSE envelope for documentation purposes. The payload is base64-encoded and contains an in-toto statement with a BinaryDiffV1 predicate. In production, the signature would be cryptographically valid.",
+  "_rekorMetadata": {
+    "logIndex": 12345678,
+    "entryUuid": "24296fb24b8ad77aa3e6b0d1b6e0e3a0c9f8d7e6b5a4c3d2e1f0a9b8c7d6e5f4",
+    "integratedTime": "2026-01-13T12:00:05Z",
+    "logUrl": "https://rekor.sigstore.dev"
+  }
+}
--- a/docs/examples/binary-diff/sample-outputs/diff-table.txt
+++ b/docs/examples/binary-diff/sample-outputs/diff-table.txt
@@ -0,0 +1,27 @@
+Binary Diff: docker://registry.example.com/app:1.0.0 -> docker://registry.example.com/app:1.0.1
+Platform: linux/amd64
+Analysis Mode: ELF Section Hashes
+Analyzed Sections: .text, .rodata, .data, .symtab, .dynsym
+
+PATH                              CHANGE      VERDICT    CONFIDENCE  SECTIONS CHANGED
+--------------------------------------------------------------------------------------------------
+/usr/lib/x86_64-linux-gnu/libssl.so.3        modified    patched    0.95        .text, .rodata
+/usr/lib/x86_64-linux-gnu/libcrypto.so.3     modified    patched    0.92        .text
+/usr/bin/openssl                             modified    unknown    0.75        .text, .data, .symtab
+/lib/x86_64-linux-gnu/libc.so.6              unchanged   -          -           -
+/lib/x86_64-linux-gnu/libpthread.so.0        unchanged   -          -           -
+/usr/lib/x86_64-linux-gnu/libz.so.1          unchanged   -          -           -
+/app/bin/myapp                               modified    vanilla    0.98        .text, .rodata, .data
+
+Summary
+-------
+Total binaries analyzed: 156
+Modified: 4
+Unchanged: 152
+
+Verdicts:
+  Patched:  2 (high confidence backport detected)
+  Vanilla:  1 (standard update, no backport evidence)
+  Unknown:  1 (insufficient evidence for classification)
+
+Analysis completed in 12.4s
--- a/docs/examples/binary-diff/sample-outputs/diff.json
+++ b/docs/examples/binary-diff/sample-outputs/diff.json
@@ -0,0 +1,179 @@
+{
+  "schemaVersion": "1.0.0",
+  "base": {
+    "reference": "docker://registry.example.com/app:1.0.0",
+    "digest": "sha256:abc123def456789012345678901234567890123456789012345678901234abcd",
+    "manifestDigest": "sha256:111222333444555666777888999000aaabbbcccdddeeefff000111222333444555"
+  },
+  "target": {
+    "reference": "docker://registry.example.com/app:1.0.1",
+    "digest": "sha256:def456abc789012345678901234567890123456789012345678901234567efgh",
+    "manifestDigest": "sha256:666777888999000aaabbbcccdddeeefff000111222333444555666777888999000"
+  },
+  "platform": {
+    "os": "linux",
+    "architecture": "amd64"
+  },
+  "analysisMode": "elf",
+  "timestamp": "2026-01-13T12:00:00.000000Z",
+  "findings": [
+    {
+      "path": "/usr/lib/x86_64-linux-gnu/libssl.so.3",
+      "changeType": "modified",
+      "binaryFormat": "elf",
+      "layerDigest": "sha256:aaa111bbb222ccc333ddd444eee555fff666777888999000aaabbbcccdddeeef",
+      "baseHashes": {
+        "buildId": "abc123def456789012345678",
+        "fileHash": "1111111111111111111111111111111111111111111111111111111111111111",
+        "sections": {
+          ".text": {
+            "sha256": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+            "size": 524288,
+            "offset": 4096
+          },
+          ".rodata": {
+            "sha256": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+            "size": 131072,
+            "offset": 528384
+          }
+        }
+      },
+      "targetHashes": {
+        "buildId": "def789abc012345678901234",
+        "fileHash": "2222222222222222222222222222222222222222222222222222222222222222",
+        "sections": {
+          ".text": {
+            "sha256": "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
+            "size": 524544,
+            "offset": 4096
+          },
+          ".rodata": {
+            "sha256": "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd",
+            "size": 131200,
+            "offset": 528640
+          }
+        }
+      },
+      "sectionDeltas": [
+        {
+          "section": ".text",
+          "status": "modified",
+          "baseSha256": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+          "targetSha256": "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
+          "sizeDelta": 256
+        },
+        {
+          "section": ".rodata",
+          "status": "modified",
+          "baseSha256": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+          "targetSha256": "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd",
+          "sizeDelta": 128
+        },
+        {
+          "section": ".data",
+          "status": "identical",
+          "baseSha256": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
+          "targetSha256": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
+          "sizeDelta": 0
+        },
+        {
+          "section": ".symtab",
+          "status": "identical",
+          "baseSha256": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+          "targetSha256": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+          "sizeDelta": 0
+        }
+      ],
+      "confidence": 0.95,
+      "verdict": "patched"
+    },
+    {
+      "path": "/usr/lib/x86_64-linux-gnu/libcrypto.so.3",
+      "changeType": "modified",
+      "binaryFormat": "elf",
+      "layerDigest": "sha256:aaa111bbb222ccc333ddd444eee555fff666777888999000aaabbbcccdddeeef",
+      "sectionDeltas": [
+        {
+          "section": ".text",
+          "status": "modified",
+          "sizeDelta": 1024
+        },
+        {
+          "section": ".rodata",
+          "status": "identical",
+          "sizeDelta": 0
+        }
+      ],
+      "confidence": 0.92,
+      "verdict": "patched"
+    },
+    {
+      "path": "/usr/bin/openssl",
+      "changeType": "modified",
+      "binaryFormat": "elf",
+      "sectionDeltas": [
+        {
+          "section": ".text",
+          "status": "modified",
+          "sizeDelta": 512
+        },
+        {
+          "section": ".data",
+          "status": "modified",
+          "sizeDelta": 64
+        },
+        {
+          "section": ".symtab",
+          "status": "modified",
+          "sizeDelta": 128
+        }
+      ],
+      "confidence": 0.75,
+      "verdict": "unknown"
+    },
+    {
+      "path": "/app/bin/myapp",
+      "changeType": "modified",
+      "binaryFormat": "elf",
+      "sectionDeltas": [
+        {
+          "section": ".text",
+          "status": "modified",
+          "sizeDelta": 2048
+        },
+        {
+          "section": ".rodata",
+          "status": "modified",
+          "sizeDelta": 512
+        },
+        {
+          "section": ".data",
+          "status": "modified",
+          "sizeDelta": 128
+        }
+      ],
+      "confidence": 0.98,
+      "verdict": "vanilla"
+    }
+  ],
+  "summary": {
+    "totalBinaries": 156,
+    "modified": 4,
+    "unchanged": 152,
+    "added": 0,
+    "removed": 0,
+    "verdicts": {
+      "patched": 2,
+      "vanilla": 1,
+      "unknown": 1,
+      "incompatible": 0
+    },
+    "sectionsAnalyzed": [".text", ".rodata", ".data", ".symtab", ".dynsym"],
+    "analysisDurationMs": 12400
+  },
+  "metadata": {
+    "toolVersion": "1.0.0",
+    "analysisTimestamp": "2026-01-13T12:00:00.000000Z",
+    "configDigest": "sha256:config123456789abcdef0123456789abcdef0123456789abcdef0123456789ab"
+  }
+}