stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
docs/features/checked/attestor/vex-attestation-predicate-pipeline.md Normal file
View File

@@ -0,0 +1,44 @@
# VEX Attestation Predicate Pipeline
## Module
Attestor
## Status
VERIFIED
## Description
Complete VEX attestation pipeline from predicate creation through proof integration to verdict statements.
## Implementation Details
- **VEX Attestation Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexAttestationPredicate.cs` -- predicate model for VEX attestations containing per-component/CVE verdicts with proof references.
- **VEX Predicate**: `Predicates/VexPredicate.cs` -- base VEX predicate with status, justification, and impact statement.
- **VEX Verdict Summary**: `Predicates/VexVerdictSummary.cs` -- summary of VEX verdicts per subject.
- **VEX Status Counts**: `Predicates/VexStatusCounts.cs` -- aggregate counts by VEX status (affected, not_affected, fixed, under_investigation).
- **VEX Document Reference**: `Predicates/VexDocumentReference.cs` -- reference linking to the source VEX document.
- **VEX Proof Integrator**: `Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) -- embeds cryptographic proof references (proof_ref, proof_method, proof_confidence) into VEX predicates.
- **VEX Verdict Proof Payload**: `Generators/VexVerdictProofPayload.cs` -- payload binding VEX verdicts to proof chain evidence.
- **VEX Verdict Statement**: `Statements/VexVerdictStatement.cs` -- in-toto statement wrapping the VEX verdict as an attestation.
- **VEX Verdict ID**: `Identifiers/VexVerdictId.cs` -- content-addressed identifier for VEX verdicts.
- **Statement Builder**: `Builders/StatementBuilder.cs` (with `.Extended`) -- builds in-toto statements for VEX predicates.
- **Predicate Schema Validator**: `Json/PredicateSchemaValidator.cs` (with `.Validators`) -- validates VEX predicates against JSON schemas.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/`
## E2E Test Plan
- [ ] Create a `VexAttestationPredicate` with 3 CVE verdicts (affected, not_affected, fixed) and verify each status is correctly set
- [ ] Integrate proof references via `VexProofIntegrator` and verify each verdict contains proof_ref, proof_method, and proof_confidence fields
- [ ] Build a `VexVerdictStatement` via `StatementBuilder` and verify it is a valid in-toto statement with the correct predicate type URI
- [ ] Validate the VEX predicate against `PredicateSchemaValidator` and verify it passes schema validation
- [ ] Generate a `VexVerdictId` from the verdict content and verify it is deterministic (same content produces same ID)
- [ ] Create a VEX attestation with status counts and verify `VexStatusCounts` matches: 1 affected, 1 not_affected, 1 fixed
- [ ] Create a malformed VEX predicate (missing required justification for not_affected) and verify schema validation fails
- [ ] Build a VEX verdict proof payload and verify it contains the VEX document reference linking to the source VEX document
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |