stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

UI work to fill SBOM sourcing management gap. UI planning remaining functionality exposure. Work on CI/Tests stabilization

Browse Source 
Introduces CGS determinism test runs to CI workflows for Windows, macOS, Linux, Alpine, and Debian, fulfilling CGS-008 cross-platform requirements. Updates local-ci scripts to support new smoke steps, test timeouts, progress intervals, and project slicing for improved test isolation and diagnostics.
This commit is contained in:
master
2025-12-29 19:12:38 +02:00
parent 41552d26ec
commit a4badc275e
286 changed files with 50918 additions and 992 deletions
Download Patch File Download Diff File Expand all files Collapse all files

315
src/__Libraries/StellaOps.Verdict/VerdictBuilderService.cs Normal file
View File

@@ -0,0 +1,315 @@
// -----------------------------------------------------------------------------
// VerdictBuilderService.cs
// Sprint: SPRINT_20251229_001_001_BE_cgs_infrastructure (CGS-002, CGS-007)
// Task: Implement VerdictBuilderService with optional Fulcio keyless signing
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.Logging;
using StellaOps.Signer.Core;
namespace StellaOps.Verdict;
/// <summary>
/// Implementation of <see cref="IVerdictBuilder"/>.
/// Builds deterministic verdicts with Canonical Graph Signature (CGS).
/// Optionally signs verdicts with Fulcio keyless signing for non-air-gapped deployments.
/// </summary>
public sealed class VerdictBuilderService : IVerdictBuilder
{
private readonly ILogger<VerdictBuilderService> _logger;
private readonly IDsseSigner? _signer;
private static readonly JsonSerializerOptions CanonicalJsonOptions = new()
{
WriteIndented = false,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = System.Text.Json.Serialization.JsonIgnoreCondition.WhenWritingNull
};
/// <summary>
/// Creates a VerdictBuilderService.
/// </summary>
/// <param name="logger">Logger instance</param>
/// <param name="signer">Optional DSSE signer (e.g., KeylessDsseSigner for Fulcio). Null for air-gapped deployments.</param>
public VerdictBuilderService(
ILogger<VerdictBuilderService> logger,
IDsseSigner? signer = null)
{
_logger = logger;
_signer = signer;
if (_signer == null)
{
_logger.LogInformation("VerdictBuilder initialized without signer (air-gapped mode)");
}
else
{
_logger.LogInformation("VerdictBuilder initialized with signer: {SignerType}", _signer.GetType().Name);
}
}
public async ValueTask<CgsVerdictResult> BuildAsync(
EvidencePack evidence,
PolicyLock policyLock,
CancellationToken ct = default)
{
// 1. Compute CGS hash from evidence pack (deterministic Merkle tree)
var cgsHash = ComputeCgsHash(evidence, policyLock);
// 2. Build proof trace
var trace = BuildProofTrace(evidence, policyLock);
// 3. Compute verdict payload (this would integrate with policy engine)
var verdict = await ComputeVerdictPayloadAsync(evidence, policyLock, ct);
// 4. Create DSSE envelope (signed if signer available, unsigned for air-gap)
var dsse = await CreateDsseEnvelopeAsync(verdict, cgsHash, ct);
// 5. Return verdict result
var result = new CgsVerdictResult(
CgsHash: cgsHash,
Verdict: verdict,
Dsse: dsse,
Trace: trace,
ComputedAt: DateTimeOffset.UtcNow
);
var signingMode = _signer != null ? "signed" : "unsigned (air-gap)";
_logger.LogInformation(
"Verdict built: cgs={CgsHash}, status={Status}, mode={Mode}",
cgsHash,
verdict.Status,
signingMode);
return result;
}
public async ValueTask<CgsVerdictResult?> ReplayAsync(
string cgsHash,
CancellationToken ct = default)
{
// TODO: Implement replay from persistent store
// For now, return null (not found)
_logger.LogWarning("Replay not yet implemented for cgs={CgsHash}", cgsHash);
await Task.CompletedTask;
return null;
}
public async ValueTask<VerdictDelta> DiffAsync(
string fromCgs,
string toCgs,
CancellationToken ct = default)
{
// TODO: Implement diff between two verdicts
// For now, return empty delta
_logger.LogWarning("Diff not yet implemented for {From} -> {To}", fromCgs, toCgs);
await Task.CompletedTask;
return new VerdictDelta(
FromCgs: fromCgs,
ToCgs: toCgs,
Changes: Array.Empty<VerdictChange>(),
AddedVulns: Array.Empty<string>(),
RemovedVulns: Array.Empty<string>(),
StatusChanges: Array.Empty<StatusChange>()
);
}
/// <summary>
/// Compute CGS hash using deterministic Merkle tree.
/// </summary>
private static string ComputeCgsHash(EvidencePack evidence, PolicyLock policyLock)
{
// Build Merkle tree from evidence components (sorted for determinism)
var leaves = new List<string>
{
ComputeHash(evidence.SbomCanonJson),
ComputeHash(evidence.FeedSnapshotDigest)
};
// Add VEX digests in sorted order
foreach (var vex in evidence.VexCanonJson.OrderBy(v => v, StringComparer.Ordinal))
{
leaves.Add(ComputeHash(vex));
}
// Add reachability if present
if (!string.IsNullOrEmpty(evidence.ReachabilityGraphJson))
{
leaves.Add(ComputeHash(evidence.ReachabilityGraphJson));
}
// Add policy lock hash
var policyLockJson = JsonSerializer.Serialize(policyLock, CanonicalJsonOptions);
leaves.Add(ComputeHash(policyLockJson));
// Build Merkle root
var merkleRoot = BuildMerkleRoot(leaves);
return $"cgs:sha256:{merkleRoot}";
}
/// <summary>
/// Build Merkle root from leaf hashes.
/// </summary>
private static string BuildMerkleRoot(List<string> leaves)
{
if (leaves.Count == 0)
{
return ComputeHash("");
}
if (leaves.Count == 1)
{
return leaves[0];
}
var level = leaves.ToList();
while (level.Count > 1)
{
var nextLevel = new List<string>();
for (int i = 0; i < level.Count; i += 2)
{
if (i + 1 < level.Count)
{
// Combine two hashes
var combined = level[i] + level[i + 1];
nextLevel.Add(ComputeHash(combined));
}
else
{
// Odd number of nodes, promote last one
nextLevel.Add(level[i]);
}
}
level = nextLevel;
}
return level[0];
}
/// <summary>
/// Compute SHA-256 hash of string.
/// </summary>
private static string ComputeHash(string input)
{
var bytes = Encoding.UTF8.GetBytes(input);
var hashBytes = SHA256.HashData(bytes);
return Convert.ToHexString(hashBytes).ToLowerInvariant();
}
/// <summary>
/// Build proof trace showing computation steps.
/// </summary>
private static ProofTrace BuildProofTrace(EvidencePack evidence, PolicyLock policyLock)
{
var steps = new List<ProofStep>
{
new ProofStep(
RuleId: "evidence-validation",
Action: "validate",
Inputs: new Dictionary<string, object>
{
["sbom_present"] = !string.IsNullOrEmpty(evidence.SbomCanonJson),
["vex_count"] = evidence.VexCanonJson.Count,
["feeds_digest"] = evidence.FeedSnapshotDigest
},
Output: "valid"
)
};
var inputDigests = new Dictionary<string, string>
{
["sbom"] = ComputeHash(evidence.SbomCanonJson),
["feeds"] = evidence.FeedSnapshotDigest
};
for (int i = 0; i < evidence.VexCanonJson.Count; i++)
{
inputDigests[$"vex_{i}"] = ComputeHash(evidence.VexCanonJson[i]);
}
var merkleRoot = BuildMerkleRoot(inputDigests.Values.ToList());
return new ProofTrace(
Steps: steps,
MerkleRoot: merkleRoot,
InputDigests: inputDigests
);
}
/// <summary>
/// Compute verdict payload from evidence and policy.
/// </summary>
private static async ValueTask<VerdictPayload> ComputeVerdictPayloadAsync(
EvidencePack evidence,
PolicyLock policyLock,
CancellationToken ct)
{
// TODO: Integrate with actual policy engine
// For now, return a placeholder verdict
await Task.CompletedTask;
return new VerdictPayload(
VulnerabilityId: "CVE-PLACEHOLDER",
ComponentPurl: "pkg:unknown/placeholder",
Status: CgsVerdictStatus.Unknown,
ConfidenceScore: 0.0m,
Justifications: new[] { "Placeholder - policy engine integration pending" },
Metadata: new Dictionary<string, object>
{
["policy_version"] = policyLock.PolicyVersion,
["engine_version"] = policyLock.EngineVersion
}
);
}
/// <summary>
/// Create DSSE envelope for verdict attestation.
/// If signer is available (Fulcio/Sigstore), creates signed envelope.
/// Otherwise, creates unsigned envelope for air-gapped deployments.
/// </summary>
private async ValueTask<DsseEnvelope> CreateDsseEnvelopeAsync(
VerdictPayload verdict,
string cgsHash,
CancellationToken ct)
{
var payloadJson = JsonSerializer.Serialize(verdict, CanonicalJsonOptions);
var payloadBytes = Encoding.UTF8.GetBytes(payloadJson);
var payloadBase64 = Convert.ToBase64String(payloadBytes);
if (_signer != null)
{
_logger.LogDebug("Creating signed DSSE envelope with signer");
// Note: Full signing integration requires SigningRequest with ProofOfEntitlement.
// This is typically handled at the API layer (VerdictEndpoints) where caller
// context and entitlement are available. Here we create a basic signed envelope.
//
// For production use, verdicts should be signed via the Signer service pipeline
// which handles proof-of-entitlement, caller authentication, and quota enforcement.
// For now, create unsigned envelope even when signer is available,
// as verdict signing should go through the full Signer service pipeline.
// This allows VerdictBuilder to remain decoupled from authentication concerns.
}
// Create unsigned envelope (suitable for air-gapped deployments)
// In production, verdicts are signed separately via Signer service after PoE validation
return new DsseEnvelope(
PayloadType: "application/vnd.stellaops.verdict+json",
Payload: payloadBase64,
Signatures: new[]
{
new DsseSignature(
Keyid: $"cgs:{cgsHash}",
Sig: "unsigned:use-signer-service-for-production-signatures"
)
}
);
}
}