audit, advisories and doctors/setup work

This commit is contained in:
master
2026-01-13 18:53:39 +02:00
parent 9ca7cb183e
commit d7be6ba34b
811 changed files with 54242 additions and 4056 deletions


@@ -6,12 +6,5 @@
"keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
"sig": "MEUCIQDKZokqnCjrRtw5EXP14JvsBwFDRPfCp9K0UoOlWGdlDQIgSNpOGPqKNLv5MNZLYc5iE7q5b3wW6K0cDpjNxBxCWdU="
}
],
"_note": "This is a sample DSSE envelope for documentation purposes. The payload is base64-encoded and contains an in-toto statement with a BinaryDiffV1 predicate. In production, the signature would be cryptographically valid.",
"_rekorMetadata": {
"logIndex": 12345678,
"entryUuid": "24296fb24b8ad77aa3e6b0d1b6e0e3a0c9f8d7e6b5a4c3d2e1f0a9b8c7d6e5f4",
"integratedTime": "2026-01-13T12:00:05Z",
"logUrl": "https://rekor.sigstore.dev"
}
]
}
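Review bot: With `_note` apparently dropped from this sample, nothing in the file says that the `sig` value is illustrative and will not verify against the payload. The +/- markers are lost on this page, but the hunk counts of 12 old and 5 new lines fit that reading. Removing `_note` and `_rekorMetadata` leaves only the fields DSSE defines, which is the right shape for an envelope. Because JSON cannot carry a comment, the caveat should move to the document that references this sample, for example `This envelope is a documentation sample; its signature does not verify.`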


@@ -1,27 +1,13 @@
Binary Diff: docker://registry.example.com/app:1.0.0 -> docker://registry.example.com/app:1.0.1
Binary Diff: docker://registry.example.com/myapp:1.0.0 -> docker://registry.example.com/myapp:1.0.1
Platform: linux/amd64
Analysis Mode: ELF Section Hashes
Analyzed Sections: .text, .rodata, .data, .symtab, .dynsym
Analysis Mode: ELF section hashes
PATH CHANGE VERDICT CONFIDENCE SECTIONS CHANGED
--------------------------------------------------------------------------------------------------
/usr/lib/x86_64-linux-gnu/libssl.so.3 modified patched 0.95 .text, .rodata
/usr/lib/x86_64-linux-gnu/libcrypto.so.3 modified patched 0.92 .text
/usr/bin/openssl modified unknown 0.75 .text, .data, .symtab
/lib/x86_64-linux-gnu/libc.so.6 unchanged - - -
/lib/x86_64-linux-gnu/libpthread.so.0 unchanged - - -
/usr/lib/x86_64-linux-gnu/libz.so.1 unchanged - - -
/app/bin/myapp modified vanilla 0.98 .text, .rodata, .data
PATH CHANGE VERDICT CONFIDENCE SECTIONS CHANGED
-------------------------- -------- ------- ---------- ----------------
/app/bin/myapp modified unknown 0.65 .rodata, .text
/usr/lib/libcrypto.so.3 modified unknown 0.70 .text
/usr/lib/libssl.so.3 modified unknown 0.75 .rodata, .text
Summary
-------
Total binaries analyzed: 156
Modified: 4
Unchanged: 152
Verdicts:
Patched: 2 (high confidence backport detected)
Vanilla: 1 (standard update, no backport evidence)
Unknown: 1 (insufficient evidence for classification)
Analysis completed in 12.4s
Summary: 7 binaries analyzed, 3 modified, 4 unchanged
Added: 0, Removed: 0
Verdicts: unknown: 3, vanilla: 4
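Review bot: The summary line `Verdicts: unknown: 3, vanilla: 4` cannot be reconciled with the table in what appears to be the new output, which lists only the three modified binaries, all `unknown`. The four `vanilla` verdicts presumably belong to the unchanged binaries that are no longer printed, so a reader triaging an image update has to guess that unchanged means vanilla. Either print the unchanged rows or make the line self-explanatory, e.g. `Verdicts: unknown: 3 (modified), vanilla: 4 (unchanged)`. The rows also pair a confidence of 0.65–0.75 with `unknown`; a one-line legend saying what confidence measures for an unclassified binary would remove that ambiguity.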


@@ -1,179 +1,173 @@
{
"schemaVersion": "1.0.0",
"base": {
"reference": "docker://registry.example.com/app:1.0.0",
"digest": "sha256:abc123def456789012345678901234567890123456789012345678901234abcd",
"manifestDigest": "sha256:111222333444555666777888999000aaabbbcccdddeeefff000111222333444555"
},
"target": {
"reference": "docker://registry.example.com/app:1.0.1",
"digest": "sha256:def456abc789012345678901234567890123456789012345678901234567efgh",
"manifestDigest": "sha256:666777888999000aaabbbcccdddeeefff000111222333444555666777888999000"
},
"platform": {
"os": "linux",
"architecture": "amd64"
},
"analysisMode": "elf",
"timestamp": "2026-01-13T12:00:00.000000Z",
"base": {
"digest": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"reference": "docker://registry.example.com/myapp:1.0.0"
},
"findings": [
{
"path": "/usr/lib/x86_64-linux-gnu/libssl.so.3",
"changeType": "modified",
"binaryFormat": "elf",
"layerDigest": "sha256:aaa111bbb222ccc333ddd444eee555fff666777888999000aaabbbcccdddeeef",
"baseHashes": {
"buildId": "abc123def456789012345678",
"fileHash": "1111111111111111111111111111111111111111111111111111111111111111",
"fileHash": "1212121212121212121212121212121212121212121212121212121212121212",
"sections": {
".text": {
"sha256": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"size": 524288,
"offset": 4096
},
".rodata": {
"sha256": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
"size": 131072,
"offset": 528384
"sha256": "3434343434343434343434343434343434343434343434343434343434343434",
"size": 4096
},
".text": {
"sha256": "5656565656565656565656565656565656565656565656565656565656565656",
"size": 65536
}
}
},
"binaryFormat": "elf",
"changeType": "modified",
"confidence": 0.65,
"layerDigest": "sha256:5555555555555555555555555555555555555555555555555555555555555555",
"path": "/app/bin/myapp",
"sectionDeltas": [
{
"baseSha256": "3434343434343434343434343434343434343434343434343434343434343434",
"section": ".rodata",
"sizeDelta": 64,
"status": "modified",
"targetSha256": "9090909090909090909090909090909090909090909090909090909090909090"
},
{
"baseSha256": "5656565656565656565656565656565656565656565656565656565656565656",
"section": ".text",
"sizeDelta": 256,
"status": "modified",
"targetSha256": "abababababababababababababababababababababababababababababababab"
}
],
"targetHashes": {
"buildId": "def789abc012345678901234",
"fileHash": "2222222222222222222222222222222222222222222222222222222222222222",
"fileHash": "7878787878787878787878787878787878787878787878787878787878787878",
"sections": {
".text": {
"sha256": "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
"size": 524544,
"offset": 4096
},
".rodata": {
"sha256": "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd",
"size": 131200,
"offset": 528640
"sha256": "9090909090909090909090909090909090909090909090909090909090909090",
"size": 4160
},
".text": {
"sha256": "abababababababababababababababababababababababababababababababab",
"size": 65792
}
}
},
"sectionDeltas": [
{
"section": ".text",
"status": "modified",
"baseSha256": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"targetSha256": "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
"sizeDelta": 256
},
{
"section": ".rodata",
"status": "modified",
"baseSha256": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
"targetSha256": "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd",
"sizeDelta": 128
},
{
"section": ".data",
"status": "identical",
"baseSha256": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
"targetSha256": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
"sizeDelta": 0
},
{
"section": ".symtab",
"status": "identical",
"baseSha256": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
"targetSha256": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
"sizeDelta": 0
}
],
"confidence": 0.95,
"verdict": "patched"
},
{
"path": "/usr/lib/x86_64-linux-gnu/libcrypto.so.3",
"changeType": "modified",
"binaryFormat": "elf",
"layerDigest": "sha256:aaa111bbb222ccc333ddd444eee555fff666777888999000aaabbbcccdddeeef",
"sectionDeltas": [
{
"section": ".text",
"status": "modified",
"sizeDelta": 1024
},
{
"section": ".rodata",
"status": "identical",
"sizeDelta": 0
}
],
"confidence": 0.92,
"verdict": "patched"
},
{
"path": "/usr/bin/openssl",
"changeType": "modified",
"binaryFormat": "elf",
"sectionDeltas": [
{
"section": ".text",
"status": "modified",
"sizeDelta": 512
},
{
"section": ".data",
"status": "modified",
"sizeDelta": 64
},
{
"section": ".symtab",
"status": "modified",
"sizeDelta": 128
}
],
"confidence": 0.75,
"verdict": "unknown"
},
{
"path": "/app/bin/myapp",
"changeType": "modified",
"baseHashes": {
"fileHash": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"sections": {
".rodata": {
"sha256": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
"size": 120000
},
".text": {
"sha256": "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
"size": 600000
}
}
},
"binaryFormat": "elf",
"changeType": "modified",
"confidence": 0.7,
"layerDigest": "sha256:4444444444444444444444444444444444444444444444444444444444444444",
"path": "/usr/lib/libcrypto.so.3",
"sectionDeltas": [
{
"baseSha256": "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
"section": ".text",
"sizeDelta": 512,
"status": "modified",
"sizeDelta": 2048
},
{
"section": ".rodata",
"status": "modified",
"sizeDelta": 512
},
{
"section": ".data",
"status": "modified",
"sizeDelta": 128
"targetSha256": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
}
],
"confidence": 0.98,
"verdict": "vanilla"
"targetHashes": {
"fileHash": "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd",
"sections": {
".rodata": {
"sha256": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
"size": 120000
},
".text": {
"sha256": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
"size": 600512
}
}
},
"verdict": "unknown"
},
{
"baseHashes": {
"fileHash": "4444444444444444444444444444444444444444444444444444444444444444",
"sections": {
".rodata": {
"sha256": "5555555555555555555555555555555555555555555555555555555555555555",
"size": 131072
},
".text": {
"sha256": "6666666666666666666666666666666666666666666666666666666666666666",
"size": 524288
}
}
},
"binaryFormat": "elf",
"changeType": "modified",
"confidence": 0.75,
"layerDigest": "sha256:3333333333333333333333333333333333333333333333333333333333333333",
"path": "/usr/lib/libssl.so.3",
"sectionDeltas": [
{
"baseSha256": "5555555555555555555555555555555555555555555555555555555555555555",
"section": ".rodata",
"sizeDelta": 128,
"status": "modified",
"targetSha256": "8888888888888888888888888888888888888888888888888888888888888888"
},
{
"baseSha256": "6666666666666666666666666666666666666666666666666666666666666666",
"section": ".text",
"sizeDelta": 256,
"status": "modified",
"targetSha256": "9999999999999999999999999999999999999999999999999999999999999999"
}
],
"targetHashes": {
"fileHash": "7777777777777777777777777777777777777777777777777777777777777777",
"sections": {
".rodata": {
"sha256": "8888888888888888888888888888888888888888888888888888888888888888",
"size": 131200
},
".text": {
"sha256": "9999999999999999999999999999999999999999999999999999999999999999",
"size": 524544
}
}
},
"verdict": "unknown"
}
],
"summary": {
"totalBinaries": 156,
"modified": 4,
"unchanged": 152,
"added": 0,
"removed": 0,
"verdicts": {
"patched": 2,
"vanilla": 1,
"unknown": 1,
"incompatible": 0
},
"sectionsAnalyzed": [".text", ".rodata", ".data", ".symtab", ".dynsym"],
"analysisDurationMs": 12400
"platform": {
"architecture": "amd64",
"os": "linux"
},
"metadata": {
"toolVersion": "1.0.0",
"analysisTimestamp": "2026-01-13T12:00:00.000000Z",
"configDigest": "sha256:config123456789abcdef0123456789abcdef0123456789abcdef0123456789ab"
}
"schemaVersion": "1.0.0",
"summary": {
"added": 0,
"modified": 3,
"removed": 0,
"totalBinaries": 7,
"unchanged": 4,
"verdicts": {
"unknown": 3,
"vanilla": 4
}
},
"target": {
"digest": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
"reference": "docker://registry.example.com/myapp:1.0.1"
},
"timestamp": "2026-01-13T12:00:00+00:00"
}
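Review bot: The closing `summary` block (`"totalBinaries": 7`, `"vanilla": 4`) counts binaries that have no entry in `findings`, which holds only the three modified files, so a verifier of this predicate cannot recompute the summary from the findings it attests. If unchanged binaries are intentionally omitted, the schema documentation should state that they are counted as `vanilla` without a finding. Reading the section by key order (the +/- markers are lost on this page), the new sample also seems to drop the top-level `metadata` object with `toolVersion` and `configDigest`, along with `manifestDigest` and `buildId`. Those fields tie a verdict to the analyzer build and configuration that produced it, so confirm their removal is a schema decision and not a side effect of regenerating the sample.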