audit, advisories and doctors/setup work

2026-01-13 18:53:39 +02:00
parent 9ca7cb183e
commit d7be6ba34b
811 changed files with 54242 additions and 4056 deletions


@@ -2,343 +2,166 @@
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stellaops.io/schemas/binarydiff-v1.schema.json",
"title": "BinaryDiffV1",
"description": "In-toto predicate schema for binary-level diff attestations between container images",
"description": "In-toto predicate for binary-level diff attestations",
"type": "object",
"required": ["predicateType", "inputs", "findings", "metadata"],
"additionalProperties": false,
"required": ["predicateType", "subjects", "inputs", "findings", "metadata"],
"properties": {
"predicateType": {
"const": "stellaops.binarydiff.v1",
"description": "Predicate type identifier"
"const": "stellaops.binarydiff.v1"
},
"subjects": {
"type": "array",
"items": { "$ref": "#/$defs/BinaryDiffSubject" },
"minItems": 1
},
"inputs": {
"$ref": "#/$defs/BinaryDiffInputs",
"description": "Base and target image references"
"$ref": "#/$defs/BinaryDiffInputs"
},
"findings": {
"type": "array",
"items": {
"$ref": "#/$defs/BinaryDiffFinding"
},
"description": "Per-binary diff findings"
"items": { "$ref": "#/$defs/BinaryDiffFinding" }
},
"metadata": {
"$ref": "#/$defs/BinaryDiffMetadata",
"description": "Analysis metadata"
"$ref": "#/$defs/BinaryDiffMetadata"
}
},
"$defs": {
"BinaryDiffInputs": {
"BinaryDiffSubject": {
"type": "object",
"required": ["base", "target"],
"additionalProperties": false,
"required": ["name", "digest"],
"properties": {
"base": {
"$ref": "#/$defs/ImageReference",
"description": "Base image reference"
},
"target": {
"$ref": "#/$defs/ImageReference",
"description": "Target image reference"
}
}
},
"ImageReference": {
"type": "object",
"required": ["digest"],
"additionalProperties": false,
"properties": {
"reference": {
"name": {
"type": "string",
"description": "Full image reference (e.g., docker://repo/image:tag)",
"examples": ["docker://registry.example.com/app:1.0.0"]
"description": "Image reference (e.g., docker://repo/app@sha256:...)"
},
"digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Image digest in sha256:hex format"
},
"manifestDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Platform-specific manifest digest"
"type": "object",
"additionalProperties": { "type": "string" }
},
"platform": {
"$ref": "#/$defs/Platform"
}
}
},
"BinaryDiffInputs": {
"type": "object",
"required": ["base", "target"],
"properties": {
"base": { "$ref": "#/$defs/ImageReference" },
"target": { "$ref": "#/$defs/ImageReference" }
}
},
"ImageReference": {
"type": "object",
"required": ["digest"],
"properties": {
"reference": { "type": "string" },
"digest": { "type": "string" },
"manifestDigest": { "type": "string" },
"platform": { "$ref": "#/$defs/Platform" }
}
},
"Platform": {
"type": "object",
"required": ["os", "architecture"],
"additionalProperties": false,
"properties": {
"os": {
"type": "string",
"description": "Operating system (e.g., linux, windows)",
"examples": ["linux", "windows"]
},
"architecture": {
"type": "string",
"description": "CPU architecture (e.g., amd64, arm64)",
"examples": ["amd64", "arm64", "386"]
},
"variant": {
"type": "string",
"description": "Architecture variant (e.g., v8 for arm64)",
"examples": ["v7", "v8"]
}
"os": { "type": "string" },
"architecture": { "type": "string" },
"variant": { "type": "string" }
}
},
"BinaryDiffFinding": {
"type": "object",
"required": ["path", "changeType", "binaryFormat"],
"additionalProperties": false,
"properties": {
"path": {
"type": "string",
"description": "File path within the container filesystem",
"examples": ["/usr/lib/libssl.so.3", "/usr/bin/openssl"]
"description": "File path within the image filesystem"
},
"changeType": {
"type": "string",
"enum": ["added", "removed", "modified", "unchanged"],
"description": "Type of change detected"
"enum": ["added", "removed", "modified", "unchanged"]
},
"binaryFormat": {
"type": "string",
"enum": ["elf", "pe", "macho", "unknown"],
"description": "Binary format detected"
"enum": ["elf", "pe", "macho", "unknown"]
},
"layerDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Layer digest that introduced this file/change"
"description": "Layer that introduced this change"
},
"baseHashes": {
"$ref": "#/$defs/SectionHashSet",
"description": "Section hashes from base image binary"
"$ref": "#/$defs/SectionHashSet"
},
"targetHashes": {
"$ref": "#/$defs/SectionHashSet",
"description": "Section hashes from target image binary"
"$ref": "#/$defs/SectionHashSet"
},
"sectionDeltas": {
"type": "array",
"items": {
"$ref": "#/$defs/SectionDelta"
},
"description": "Per-section comparison results"
"items": { "$ref": "#/$defs/SectionDelta" }
},
"confidence": {
"type": "number",
"minimum": 0,
"maximum": 1,
"description": "Confidence score for verdict (0.0-1.0)"
"maximum": 1
},
"verdict": {
"type": "string",
"enum": ["patched", "vanilla", "unknown", "incompatible"],
"description": "Classification of the binary change"
"enum": ["patched", "vanilla", "unknown", "incompatible"]
}
}
},
"SectionHashSet": {
"type": "object",
"additionalProperties": false,
"properties": {
"buildId": {
"type": "string",
"pattern": "^[a-f0-9]+$",
"description": "GNU Build-ID from .note.gnu.build-id section"
},
"fileHash": {
"type": "string",
"pattern": "^[a-f0-9]{64}$",
"description": "SHA-256 hash of the entire file"
},
"extractorVersion": {
"type": "string",
"description": "Version of the section hash extractor"
},
"buildId": { "type": "string" },
"fileHash": { "type": "string" },
"sections": {
"type": "object",
"additionalProperties": {
"$ref": "#/$defs/SectionInfo"
},
"description": "Map of section name to section info"
}
}
}
},
"SectionInfo": {
"type": "object",
"required": ["sha256", "size"],
"additionalProperties": false,
"properties": {
"sha256": {
"type": "string",
"pattern": "^[a-f0-9]{64}$",
"description": "SHA-256 hash of section contents"
},
"blake3": {
"type": "string",
"pattern": "^[a-f0-9]{64}$",
"description": "Optional BLAKE3-256 hash of section contents"
},
"size": {
"type": "integer",
"minimum": 0,
"description": "Section size in bytes"
},
"offset": {
"type": "integer",
"minimum": 0,
"description": "Section offset in file"
},
"type": {
"type": "string",
"description": "ELF section type (e.g., SHT_PROGBITS)"
},
"flags": {
"type": "string",
"description": "ELF section flags (e.g., SHF_ALLOC | SHF_EXECINSTR)"
}
"sha256": { "type": "string" },
"blake3": { "type": "string" },
"size": { "type": "integer" }
}
},
"SectionDelta": {
"type": "object",
"required": ["section", "status"],
"additionalProperties": false,
"properties": {
"section": {
"type": "string",
"description": "Section name (e.g., .text, .rodata)",
"examples": [".text", ".rodata", ".data", ".symtab", ".dynsym"]
"description": "Section name (e.g., .text, .rodata)"
},
"status": {
"type": "string",
"enum": ["identical", "modified", "added", "removed"],
"description": "Section comparison status"
"enum": ["identical", "modified", "added", "removed"]
},
"baseSha256": {
"type": "string",
"pattern": "^[a-f0-9]{64}$",
"description": "SHA-256 of section in base binary"
},
"targetSha256": {
"type": "string",
"pattern": "^[a-f0-9]{64}$",
"description": "SHA-256 of section in target binary"
},
"sizeDelta": {
"type": "integer",
"description": "Size difference (target - base) in bytes"
}
"baseSha256": { "type": "string" },
"targetSha256": { "type": "string" },
"sizeDelta": { "type": "integer" }
}
},
"BinaryDiffMetadata": {
"type": "object",
"required": ["toolVersion", "analysisTimestamp"],
"additionalProperties": false,
"properties": {
"toolVersion": {
"type": "string",
"description": "Version of the binary diff tool",
"examples": ["1.0.0", "2026.01.0"]
},
"toolVersion": { "type": "string" },
"analysisTimestamp": {
"type": "string",
"format": "date-time",
"description": "UTC timestamp of analysis (ISO-8601)"
},
"configDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "SHA-256 of analysis configuration for reproducibility"
},
"totalBinaries": {
"type": "integer",
"minimum": 0,
"description": "Total number of binaries analyzed"
},
"modifiedBinaries": {
"type": "integer",
"minimum": 0,
"description": "Number of binaries with modifications"
"format": "date-time"
},
"configDigest": { "type": "string" },
"totalBinaries": { "type": "integer" },
"modifiedBinaries": { "type": "integer" },
"analyzedSections": {
"type": "array",
"items": {
"type": "string"
},
"description": "List of section names analyzed",
"examples": [[".text", ".rodata", ".data", ".symtab", ".dynsym"]]
},
"hashAlgorithms": {
"type": "array",
"items": {
"type": "string",
"enum": ["sha256", "blake3"]
},
"description": "Hash algorithms used"
"items": { "type": "string" }
}
}
}
},
"examples": [
{
"predicateType": "stellaops.binarydiff.v1",
"inputs": {
"base": {
"reference": "docker://registry.example.com/app:1.0.0",
"digest": "sha256:abc123def456789012345678901234567890123456789012345678901234abcd",
"platform": {
"os": "linux",
"architecture": "amd64"
}
},
"target": {
"reference": "docker://registry.example.com/app:1.0.1",
"digest": "sha256:def456abc789012345678901234567890123456789012345678901234567efgh",
"platform": {
"os": "linux",
"architecture": "amd64"
}
}
},
"findings": [
{
"path": "/usr/lib/libssl.so.3",
"changeType": "modified",
"binaryFormat": "elf",
"sectionDeltas": [
{
"section": ".text",
"status": "modified",
"baseSha256": "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef",
"targetSha256": "fedcba0987654321fedcba0987654321fedcba0987654321fedcba0987654321",
"sizeDelta": 256
},
{
"section": ".rodata",
"status": "identical",
"baseSha256": "abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890",
"targetSha256": "abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890",
"sizeDelta": 0
}
],
"confidence": 0.95,
"verdict": "patched"
}
],
"metadata": {
"toolVersion": "1.0.0",
"analysisTimestamp": "2026-01-13T12:00:00Z",
"totalBinaries": 156,
"modifiedBinaries": 3,
"analyzedSections": [".text", ".rodata", ".data", ".symtab", ".dynsym"],
"hashAlgorithms": ["sha256"]
}
}
]
}
}
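Review bot: As far as the rendered order shows, the new side drops every `pattern` constraint on digest and hash fields (`ImageReference.digest`, `layerDigest`, `configDigest`, the `sha256`/`blake3`/`baseSha256`/`targetSha256` fields and `SectionHashSet.buildId`) and removes `"additionalProperties": false` from the top-level object and all `$defs` objects, so an attestation carrying a malformed or non-sha256 digest, or unexpected extra keys, now validates; for a predicate whose digests verifiers compare against image and layer content, keep at least `"digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" }` (also on the new `BinaryDiffSubject.digest`) and `"additionalProperties": false` on the closed objects. The `enum` on `hashAlgorithms` items and the `"minimum": 0` on `totalBinaries`/`modifiedBinaries` appear to be dropped the same way, and `manifestDigest` changes from a constrained string to an open string map, which is fine if intended but should be described. If the trailing `examples` block survives on the new side, it does not carry the newly required `subjects` property and would fail the schema's own `required` list. The hunk starts at line 2 of the file, so the opening brace and anything after the final closing brace are outside it.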