save checkpoint

This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions

@@ -0,0 +1,45 @@
# Four-Tier Backport Detection System
## Module
Attestor
## Status
VERIFIED
## Description
A four-tier evidence collection system for backport detection: Tier 1 (Distro Advisories, 0.98 confidence), Tier 2 (Changelog Mentions, 0.80), Tier 3 (Patch Headers + HunkSig, 0.85-0.90), Tier 4 (Binary Fingerprints, 0.55-0.85). BackportProofService orchestrates queries across all tiers and combines evidence into cryptographic ProofBlobs.
## Implementation Details
- **BackportProofGenerator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.cs` -- orchestrator for multi-tier detection with partials:
- `.Tier1` -- Distro advisory matching (0.98 confidence)
- `.Tier2` -- Advisory-level evidence (0.90-0.95)
- `.Tier3` -- Changelog/patch header matching (0.80-0.85)
- `.Tier3Signature` -- HunkSig binary signature matching
- `.Tier4` -- Binary fingerprint comparison (0.55-0.85)
- `.Confidence` -- confidence scoring with multi-source bonus
- `.CombineEvidence` -- evidence aggregation across tiers
- `.Status` -- detection status tracking
- `.VulnerableUnknown` -- unknown vulnerability handling
- **Evidence Summary**: `Generators/EvidenceSummary.cs` -- aggregated evidence from all tiers.
- **Proof Blob**: `Models/ProofBlob.cs` -- cryptographic proof container with SHA-256 hash.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/BackportProofGeneratorTests.cs`
## E2E Test Plan
- [ ] Run Tier 1 detection with a known distro advisory match and verify 0.98 confidence
- [ ] Run Tier 2 detection with changelog evidence and verify 0.80 confidence
- [ ] Run Tier 3 detection with patch header matching and verify 0.85-0.90 confidence
- [ ] Run Tier 3 Signature detection with HunkSig binary comparison and verify confidence range
- [ ] Run Tier 4 detection with binary fingerprint comparison and verify 0.55-0.85 confidence
- [ ] Run all four tiers and verify `CombineEvidence` produces an aggregated result with multi-source bonus
- [ ] Verify the combined evidence is wrapped in a cryptographic `ProofBlob` with valid SHA-256 hash
- [ ] Test with a package having no backport evidence across all tiers and verify appropriate `VulnerableUnknown` handling
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
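Review bot: the tier definitions and confidence ranges under "Implementation Details" contradict the "Description" and the "E2E Test Plan" in the same file, so one of them is wrong. The Description and test plan put changelog evidence at Tier 2 (0.80) and patch headers plus HunkSig at Tier 3 (0.85-0.90), but the partials list says `.Tier2` is "Advisory-level evidence (0.90-0.95)" and `.Tier3` is "Changelog/patch header matching (0.80-0.85)". Reconcile these against the actual constants in `BackportProofGenerator.cs` and state each tier's source and range once, since downstream consumers will read these numbers as the meaning of a ProofBlob's confidence. Two smaller consistency points: the file declares `Status: VERIFIED` while every E2E checkbox is still `[ ]`, so either tick the items that were actually run or leave the status pending; and the Verification table reuses "Tier 0/1/2" for review levels, which collides with the detection tiers the document is about, so a different label (e.g. "Level") would avoid misreading.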