stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
docs/features/checked/attestor/binarydiff-binary-sca-attestation.md Normal file
View File

@@ -0,0 +1,39 @@
# BinaryDiff/Binary SCA Attestation
## Module
Attestor
## Status
VERIFIED
## Description
Binary diff predicate builder with DSSE signing/verification, section-level diff models, schema validation, and integration with evidence bundle exporter.
## Implementation Details
- **Predicate Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffPredicateBuilder.cs` (with `.Build`) -- constructs binary diff predicates from `BinaryDiffFinding` entries.
- **DSSE Signing/Verification**: `BinaryDiffDsseSigner.cs` signs predicates. `BinaryDiffDsseVerifier.cs` (with `.Helpers`) verifies signed envelopes.
- **Serialization**: `BinaryDiffPredicateSerializer.cs` (with `.Normalize`) -- deterministic normalization and serialization.
- **Schema Validation**: `BinaryDiffSchema.cs` (with `.SchemaJson`) -- embedded JSON schema. `BinaryDiffSchemaValidationResult.cs` -- validation output.
- **Section Models**: `BinaryDiffSectionModels.cs` -- ELF/PE section-level diff models. `BinaryDiffModels.cs` -- core models.
- **Evidence Bundle Integration**: Evidence packs (`src/Attestor/__Libraries/StellaOps.Attestor.EvidencePack/`) include binary diff attestations in export bundles. `ReleaseEvidencePackBuilder.cs` aggregates binary SCA evidence.
- **DI**: `ServiceCollectionExtensions.cs` -- registers builder, serializer, signer, verifier.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiff/` -- `BinaryDiffPredicateBuilderTests.cs`, `BinaryDiffPredicateSerializerTests.cs`, `BinaryDiffDsseSignerTests.cs`, `BinaryDiffSchemaValidationTests.cs`, `BinaryDiffTestData.cs`
## E2E Test Plan
- [ ] Build a predicate from `BinaryDiffFinding` entries representing patched and unpatched sections, sign it, and verify the DSSE envelope
- [ ] Validate the predicate against `BinaryDiffSchema` and verify it passes
- [ ] Include the signed binary diff attestation in a `ReleaseEvidencePackBuilder` export and verify it appears in the evidence pack manifest
- [ ] Serialize the predicate, modify a finding, re-serialize, and verify the normalized output differs
- [ ] Create findings with ELF section changes (.text, .plt, .got) and verify `BinaryDiffSectionModels` captures each section
- [ ] Verify DI registration via `ServiceCollectionExtensions` resolves all binary diff services correctly
- [ ] Tamper with the DSSE envelope and verify `BinaryDiffDsseVerifier` rejects it
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |