stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
docs/features/checked/attestor/minimal-reachability-subgraph-attestation.md Normal file
View File

@@ -0,0 +1,42 @@
# Minimal Reachability Subgraph Attestation
## Module
Attestor
## Status
VERIFIED
## Description
Stores minimal call/data/control edge subgraphs connecting entrypoints to vulnerable sinks as attested evidence.
## Implementation Details
- **Reachability Subgraph Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/ReachabilitySubgraphPredicate.cs` -- predicate containing the minimal subgraph (nodes and edges) connecting entrypoints to vulnerable sinks.
- **Reachability Subgraph Statement**: `Statements/ReachabilitySubgraphStatement.cs` -- in-toto statement wrapping the subgraph predicate for DSSE signing.
- **Witness Path Nodes**: `Statements/WitnessPathNode.cs` -- individual node in the subgraph (function name, file, line, module).
- **Witness Call Path Nodes**: `Statements/WitnessCallPathNode.cs` -- call-graph node with caller/callee relationship.
- **Witness Gate Info**: `Statements/WitnessGateInfo.cs` -- gate (security check, validation) along the path.
- **Witness Evidence Metadata**: `Statements/WitnessEvidenceMetadata.cs` -- metadata about the analysis that produced the subgraph.
- **Proof Graph Subgraph**: `Graph/ProofGraphSubgraph.cs` -- generic subgraph extraction from the proof graph (used to extract minimal subgraphs).
- **Proof Graph Path**: `Graph/ProofGraphPath.cs` -- traversal path through the graph.
- **Reachability Witness Payload**: `Statements/ReachabilityWitnessPayload.cs` (with `.Path`) -- payload with the full witness including call path.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- signs subgraph attestations into DSSE envelopes.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ReachabilitySubgraphTests.cs`
## E2E Test Plan
- [ ] Create a `ReachabilitySubgraphPredicate` with a minimal subgraph (entrypoint -> intermediate -> vulnerable sink) and verify all nodes and edges are present
- [ ] Build a `ReachabilitySubgraphStatement` and sign it via `ProofChainSigner`; verify the DSSE envelope is valid
- [ ] Create a subgraph with a `WitnessGateInfo` (e.g., input validation) along the path and verify the gate is captured
- [ ] Verify `WitnessEvidenceMetadata` captures the analysis tool, language, and confidence for the subgraph
- [ ] Extract a minimal subgraph from a larger `InMemoryProofGraphService` graph using `ProofGraphSubgraph` and verify it contains only the relevant path
- [ ] Create a subgraph with multiple paths to the same sink and verify all paths are captured
- [ ] Verify the subgraph predicate content-addressed ID is deterministic: same subgraph produces the same ID
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |