stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
docs/features/checked/attestor/vex-override-predicate-system.md Normal file
View File

@@ -0,0 +1,39 @@
# VEX Override Predicate System (Signed Justifications with Proofs)
## Module
Attestor
## Status
VERIFIED
## Description
Full VEX override predicate system with builder, parser, serialization, validation, decision models, evidence references, and tool info. Supports "not_affected" claims with structured proof bundles and signed justifications.
## Implementation Details
- **VEX Override Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicate.cs` -- data model for VEX override predicates containing decision, justification, evidence, and tool metadata.
- **VEX Override Decision**: `VexOverride/VexOverrideDecision.cs` -- decision model with status (not_affected, affected, fixed), justification text, approver identity, and decision timestamp.
- **VEX Override Predicate Builder**: `VexOverride/VexOverridePredicateBuilder.cs` (with `.Build`, `.Serialize`, `.WithMethods`) -- fluent builder: `.WithStatus()`, `.WithJustification()`, `.WithEvidence()`, `.WithToolInfo()`. `.Build` finalizes the predicate, `.Serialize` produces canonical JSON.
- **VEX Override Predicate Parser**: `VexOverride/VexOverridePredicateParser.cs` (with `.DecisionValidation`, `.ExtractMetadata`, `.FieldValidation`, `.Helpers`, `.ParsePredicate`, `.Validation`) -- comprehensive parser with multi-layer validation: `.ParsePredicate` extracts the predicate, `.DecisionValidation` validates decision semantics, `.FieldValidation` validates required fields, `.ExtractMetadata` extracts metadata.
- **Evidence Reference**: `VexOverride/EvidenceReference.cs` -- reference to supporting evidence (type, URI, digest, description).
- **Tool Info**: `VexOverride/ToolInfo.cs` -- information about the tool/human that authored the override (name, version, vendor).
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/VexOverride/`
## E2E Test Plan
- [ ] Build a VEX override via `VexOverridePredicateBuilder.WithStatus("not_affected").WithJustification("Vulnerable function not in call path").WithEvidence(ref).Build()` and verify the predicate is complete
- [ ] Serialize the predicate via `.Serialize` and verify canonical JSON output
- [ ] Parse the serialized JSON via `VexOverridePredicateParser.ParsePredicate` and verify round-trip fidelity for all fields
- [ ] Validate decision semantics: create a not_affected override without justification and verify `.DecisionValidation` rejects it
- [ ] Validate field completeness: create a predicate missing the tool info and verify `.FieldValidation` reports the missing field
- [ ] Create an override with 3 evidence references (scan report, backport proof, manual review) and verify all are serialized/parsed
- [ ] Build an override with status="fixed" and verify no justification is required (fixed status does not require justification)
- [ ] Parse a malformed VEX override (invalid JSON) and verify the parser returns structured errors via `.Validation`
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |