save checkpoint

This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions

@@ -0,0 +1,43 @@
# VEX Delta Evidence and Tracking (Claim Transitions)
## Module
Attestor
## Status
VERIFIED
## Description
VEX delta predicates capturing per-CVE claim transitions (affected/not_affected/fixed) with merge traces and reason codes. Tracks changes in VEX statements between scans.
## Implementation Details
- **VEX Delta Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexDeltaPredicate.cs` -- top-level predicate for VEX delta attestations.
- **VEX Delta Change**: `Predicates/VexDeltaChange.cs` -- individual per-CVE claim transition (e.g., affected -> not_affected) with reason code.
- **VEX Delta Statement**: `Predicates/VexDeltaStatement.cs` -- statement describing the claim transition details.
- **VEX Delta Summary**: `Predicates/VexDeltaSummary.cs` -- aggregate summary of VEX delta changes (added, removed, status_changed counts).
- **VEX Merge Trace**: `Predicates/VexMergeTrace.cs` -- trace of how VEX sources were merged, explaining conflict resolution and priority ordering.
- **VEX Document Reference**: `Predicates/VexDocumentReference.cs` -- reference to the VEX document that was the source of the change.
- **VEX Status Counts**: `Predicates/VexStatusCounts.cs` -- before and after status counts for delta comparison.
- **Change Trace Attestation Service**: `ChangeTrace/ChangeTraceAttestationService.cs` (with `.Helpers`, `.Mapping`) -- generates change trace attestations including VEX delta entries.
- **Change Trace Delta Entry**: `Predicates/ChangeTraceDeltaEntry.cs` -- entry in the broader change trace capturing a VEX delta event.
- **Change Trace Predicate Summary**: `Predicates/ChangeTracePredicateSummary.cs` -- summary of all change trace predicates including VEX deltas.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/`
## E2E Test Plan
- [ ] Create a `VexDeltaPredicate` tracking a CVE transition from affected to not_affected with justification code; verify the change is captured
- [ ] Create a delta with multiple transitions (3 CVEs changing status) and verify `VexDeltaSummary` reports correct counts
- [ ] Verify merge trace: create a delta resulting from merging two VEX sources and verify `VexMergeTrace` explains which source took priority
- [ ] Track a fixed -> affected regression and verify `VexDeltaChange` captures the regression with reason code
- [ ] Generate a change trace attestation via `ChangeTraceAttestationService` with VEX deltas and verify the attestation includes delta entries
- [ ] Verify `VexStatusCounts` before and after: verify counts shift correctly when statuses change
- [ ] Create a delta where a VEX document is removed entirely and verify all its claims appear as removed in the delta
- [ ] Verify `VexDeltaStatement` details include the source VEX document reference via `VexDocumentReference`
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
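
Review bot: The Verification table records "Tier 2 - Behavioral Verification | PASS" and the Status is VERIFIED, yet all eight items under "E2E Test Plan" are still unchecked (`- [ ]`), so the file contradicts itself about whether the behavioral checks were actually run. Either tick the items that run-001 covered or reference the run's evidence next to the Run ID so the PASS can be audited; the fixed -> affected regression case and the removed-document case are the ones where a reader most needs to see a recorded result. Separately, in "Implementation Details" only the first bullet gives a full path, while the rest use `Predicates/...`, `ChangeTrace/...` and `__Tests/...` without saying what they are relative to; state the base directory once or spell the paths out.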