save checkpoint
This commit is contained in:
@@ -0,0 +1,37 @@
# Automatic code_not_reachable VEX Justification Generation

## Module
Excititor

## Status
VERIFIED

## Description
Automatically generates VEX `code_not_reachable` justifications when reachability slice verdict is "unreachable", including slice digest as evidence reference and supporting OpenVEX, CSAF, and CycloneDX formats. Auto-generated justifications require human approval by default.

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/Justification/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/Reachability/`
- **Key Classes**:
- `VexNotReachableJustification` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/VexNotReachableJustification.cs`) - generates `code_not_reachable` justifications from reachability data
- `ReachabilityJustificationGenerator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Justification/ReachabilityJustificationGenerator.cs`) - generates justifications from reachability slice verdicts
- `VexDowngradeGenerator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/VexDowngradeGenerator.cs`) - generates VEX downgrade statements when code is unreachable
- `AutoVexDowngradeService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/AutoVexDowngradeService.cs`) - service orchestrating auto-VEX downgrade workflow
- `ReachabilityLatticeUpdater` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/ReachabilityLatticeUpdater.cs`) - updates lattice state with reachability evidence
- `TimeBoxedConfidence` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/TimeBoxedConfidence.cs`) - time-bounded confidence for auto-generated justifications
- `SliceVerdictConsumer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Reachability/SliceVerdictConsumer.cs`) - consumes reachability slice verdicts
- **Interfaces**: `ISliceVerdictConsumer`
- **Source**: SPRINT_3830_0001_0001_vex_integration_policy_binding.md

## E2E Test Plan
- [ ] Trigger a reachability slice verdict of "unreachable" and verify `VexNotReachableJustification` generates a `code_not_reachable` justification
- [ ] Verify the generated justification includes the slice digest as evidence reference
- [ ] Verify `AutoVexDowngradeService` marks auto-generated justifications as requiring human approval by default
- [ ] Verify `TimeBoxedConfidence` applies time-bounded confidence decay to auto-generated justifications
- [ ] Verify generated justifications are compatible with OpenVEX, CSAF, and CycloneDX export formats
- [ ] Verify `ReachabilityLatticeUpdater` updates the lattice state when reachability evidence changes

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/automatic-code-not-reachable-vex-justification-generation/run-001/tier2-integration-check.json`
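Review bot: the `## Status` line reads VERIFIED while every item under `## E2E Test Plan` is still an unchecked `- [ ]` box and `## Verification` records only Tier 0/1/2d (files present on disk, `dotnet build`, a 503/504 test run shared by every file in this commit); either tick the E2E items that run-001 actually exercised or state that VERIFIED covers build and presence only. The plan also lacks the negative cases the description implies: a slice verdict other than "unreachable" must produce no `code_not_reachable` justification, and a justification still awaiting human approval must not be emitted as a not_affected statement in the OpenVEX, CSAF or CycloneDX exports.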
@@ -0,0 +1,36 @@
# Excititor VEX escalation service

## Module
Excititor

## Status
VERIFIED

## Description
Excititor module with auto-VEX justification, calibration comparison engine, CycloneDX export, and export engine with test coverage.

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/`, `src/Excititor/__Libraries/StellaOps.Excititor.Export/`
- **Key Classes**:
- `AutoVexDowngradeService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/AutoVexDowngradeService.cs`) - orchestrates auto-VEX downgrade and escalation
- `CalibrationComparisonEngine` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Calibration/CalibrationComparisonEngine.cs`) - compares calibration results for post-mortem analysis
- `DriftGateIntegration` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/DriftGateIntegration.cs`) - integrates drift detection with VEX escalation
- `ExportEngine` (`src/Excititor/__Libraries/StellaOps.Excititor.Export/ExportEngine.cs`) - multi-format VEX export engine (OpenVEX, CycloneDX, CSAF)
- `VexConsensusResolver` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusResolver.cs`) - resolves consensus across multiple VEX sources
- `VexConsensusRefreshService` (`src/Excititor/StellaOps.Excititor.Worker/Scheduling/VexConsensusRefreshService.cs`) - scheduled refresh of VEX consensus
- **Interfaces**: `IVexConsensusPolicy`, `IVexExportStore`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Trigger a VEX escalation when conflicting claims are detected and verify `AutoVexDowngradeService` produces the correct escalated status
- [ ] Verify `CalibrationComparisonEngine` compares pre/post calibration snapshots and reports differences
- [ ] Verify `DriftGateIntegration` escalates VEX status when drift is detected in container images
- [ ] Export VEX data via `ExportEngine` in CycloneDX format and verify schema compliance
- [ ] Verify `VexConsensusResolver` resolves multi-source conflicts deterministically
- [ ] Verify `VexConsensusRefreshService` periodically refreshes consensus and detects status changes

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/excititor-vex-escalation-service/run-001/tier2-integration-check.json`
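Review bot: the `## Description` does not describe escalation at all; it lists auto-VEX justification, calibration comparison, CycloneDX export and the export engine, which are already documented in their own feature files in this commit (same `AutoVexDowngradeService`, `CalibrationComparisonEngine`, `ExportEngine` and `VexConsensusResolver` paths). State what triggers an escalation (conflicting claims per test item 1, image drift per item 3) and which status it escalates to, since "produces the correct escalated status" in item 1 gives the tester no expected value to check. `- **Source**: Feature matrix scan` should also point at the sprint file that specifies the escalation rule, as the neighbouring features do.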
@@ -0,0 +1,34 @@
# Excititor VEX Evidence Chunk Service

## Module
Excititor

## Status
VERIFIED

## Description
Chunked evidence service for VEX data that splits large evidence payloads into manageable chunks for API transport and storage.

## Implementation Details
- **Modules**: `src/Excititor/StellaOps.Excititor.WebService/Services/`, `src/Excititor/StellaOps.Excititor.WebService/Endpoints/`
- **Key Classes**:
- `VexEvidenceChunkService` (`src/Excititor/StellaOps.Excititor.WebService/Services/VexEvidenceChunkService.cs`) - splits large VEX evidence payloads into chunks for transport
- `EvidenceEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/EvidenceEndpoints.cs`) - REST endpoints for evidence chunk operations
- `VexEvidenceChunkContracts` (`src/Excititor/StellaOps.Excititor.WebService/Contracts/VexEvidenceChunkContracts.cs`) - API contracts for evidence chunks
- `VexEvidenceContracts` (`src/Excititor/StellaOps.Excititor.WebService/Contracts/VexEvidenceContracts.cs`) - API contracts for evidence data
- **Interfaces**: None (uses concrete service)
- **Source**: Sprints 0119 (batch_14/file_19.md)

## E2E Test Plan
- [ ] Submit a large VEX evidence payload and verify `VexEvidenceChunkService` splits it into chunks within size limits
- [ ] Retrieve chunked evidence via `EvidenceEndpoints` and verify all chunks can be reassembled into the original payload
- [ ] Verify chunk ordering is preserved and each chunk includes a sequence number
- [ ] Verify `VexEvidenceChunkContracts` response includes chunk count and total size metadata
- [ ] Verify chunked transport handles partial failures gracefully (retry individual chunks)
- [ ] Verify large evidence payloads (>10MB) are chunked without memory issues

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/excititor-vex-evidence-chunk-service/run-001/tier2-integration-check.json`
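Review bot: item 1 of `## E2E Test Plan` checks that chunks are "within size limits" and item 6 uses ">10MB", but no chunk size limit is stated anywhere in the file; record the configured limit (or where it is configured) so the check is falsifiable. Item 2 should assert integrity, not just reassembly: compare a digest of the reassembled payload with the original, and reject a reassembly whose chunk count or total size disagrees with the metadata from item 4. For item 5, define "gracefully" (bounded retries, no duplicated or reordered chunks after a retry); the sequence number from item 3 is what makes that detectable, so say that the test checks it.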
@@ -0,0 +1,36 @@
# Excititor VEX Justification Normalization API

## Module
Excititor

## Status
VERIFIED

## Description
Normalized VEX justification projections served at a REST endpoint, enabling consumers to retrieve standardized VEX observation data for vulnerability/product combinations.

## Implementation Details
- **Modules**: `src/Excititor/StellaOps.Excititor.WebService/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/`
- **Key Classes**:
- `VexObservationProjectionService` (`src/Excititor/StellaOps.Excititor.WebService/Services/VexObservationProjectionService.cs`) - projects normalized VEX observations for API consumption
- `ObservationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/ObservationEndpoints.cs`) - REST endpoints for VEX observation queries
- `VexObservationContracts` (`src/Excititor/StellaOps.Excititor.WebService/Contracts/VexObservationContracts.cs`) - API contracts for observation responses
- `VexObservationQueryService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexObservationQueryService.cs`) - queries VEX observations by vulnerability/product
- `VexObservation` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexObservation.cs`) - normalized VEX observation model
- `VexNormalizationTelemetryRecorder` (`src/Excititor/StellaOps.Excititor.WebService/Telemetry/VexNormalizationTelemetryRecorder.cs`) - telemetry for normalization operations
- **Interfaces**: `IVexObservationQueryService`, `IVexObservationLookup`
- **Source**: batch_54/file_12.md (Sprint 110 update)

## E2E Test Plan
- [ ] Query normalized VEX observations via `ObservationEndpoints` for a specific CVE and verify standardized response format
- [ ] Verify `VexObservationProjectionService` normalizes observations from multiple VEX formats into a unified projection
- [ ] Verify `VexObservationQueryService` supports filtering by vulnerability ID, product, and status
- [ ] Verify `VexObservationContracts` response includes justification text, status, and evidence references
- [ ] Verify `VexNormalizationTelemetryRecorder` captures telemetry for normalization operations
- [ ] Verify the API returns consistent results regardless of the original VEX format (OpenVEX, CSAF, CycloneDX)

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/excititor-vex-justification-normalization-api/run-001/tier2-integration-check.json`
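Review bot: `VexObservation` and `VexObservationQueryService` are listed here and again in the observation-and-linkset-stores file with different one-line descriptions ("normalized VEX observation model" vs "observation model"; "queries VEX observations by vulnerability/product" vs "queries observations"); keep one description and cross-reference the other file. Item 1 of `## E2E Test Plan` queries "a specific CVE" only, while the `## Description` promises results for vulnerability/product combinations, so the query should fix both and item 6 should state what "consistent" means (same status, justification and evidence references for the same vulnerability/product pair). `- **Source**: batch_54/file_12.md (Sprint 110 update)` also uses a different citation style from `Sprints 0119 (batch_14/file_19.md)` in the sibling file.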
@@ -0,0 +1,40 @@
# Excititor VEX Observation and Linkset Stores

## Module
Excititor

## Status
VERIFIED

## Description
PostgreSQL append-only stores for VEX observations and linksets with list endpoints, projection services, and conflict annotation support.

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/`, `src/Excititor/StellaOps.Excititor.WebService/Endpoints/`
- **Key Classes**:
- `VexLinksetExtractionService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexLinksetExtractionService.cs`) - extracts linksets from VEX documents
- `AppendOnlyLinksetExtractionService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/AppendOnlyLinksetExtractionService.cs`) - append-only linkset extraction
- `VexLinksetDisagreementService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexLinksetDisagreementService.cs`) - detects and annotates linkset conflicts
- `VexLinkset` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexLinkset.cs`) - linkset model connecting VEX observations
- `VexObservation` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexObservation.cs`) - observation model
- `VexObservationQueryService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexObservationQueryService.cs`) - queries observations
- `LinksetEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/LinksetEndpoints.cs`) - REST endpoints for linkset queries
- `ObservationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/ObservationEndpoints.cs`) - REST endpoints for observation queries
- `VexLinksetListContracts` (`src/Excititor/StellaOps.Excititor.WebService/Contracts/VexLinksetListContracts.cs`) - API contracts for linkset list
- `VexObservationListContracts` (`src/Excititor/StellaOps.Excititor.WebService/Contracts/VexObservationListContracts.cs`) - API contracts for observation list
- **Interfaces**: `IVexObservationStore`, `IVexLinksetStore`, `IAppendOnlyLinksetStore`, `IVexLinksetEventPublisher`, `IVexTimelineEventEmitter`, `IVexTimelineEventStore`
- **Source**: Sprints 0119 I-III (batch_14/file_19-21.md)

## E2E Test Plan
- [ ] Store a VEX observation and verify append-only semantics (no update/delete)
- [ ] Extract linksets via `VexLinksetExtractionService` and verify they connect related observations
- [ ] Verify `VexLinksetDisagreementService` detects conflicting observations and annotates the linkset
- [ ] Query observations via `ObservationEndpoints` and verify pagination and filtering
- [ ] Query linksets via `LinksetEndpoints` and verify they include all related observations
- [ ] Verify timeline events are emitted when observations and linksets are created

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/excititor-vex-observation-and-linkset-stores/run-001/tier2-integration-check.json`
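Review bot: the `## Description` says "PostgreSQL append-only stores", but `- **Modules**` lists only `StellaOps.Excititor.Core/Observations/` and `WebService/Endpoints/`, and no store implementation appears under `- **Key Classes**` even though six store and event interfaces (`IVexObservationStore`, `IVexLinksetStore`, `IAppendOnlyLinksetStore`, ...) are named; add the persistence project and the Postgres classes that implement them, otherwise the Tier 0 presence check cannot have covered the store. Item 1 of `## E2E Test Plan` ("no update/delete") should say how this is asserted: attempt an update and a delete through the store interface and expect rejection, and confirm that re-storing the same observation appends rather than overwrites.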
36
docs/features/checked/excititor/openvex-format-support.md
Normal file
@@ -0,0 +1,36 @@
# OpenVEX Format Support

## Module
Excititor

## Status
VERIFIED

## Description
OpenVEX format supported with golden corpus test fixtures for all VEX statuses (affected, not_affected, fixed, under_investigation) and OpenVEX export snapshot tests in the Excititor module.

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/`, `src/Excititor/__Libraries/StellaOps.Excititor.Export/`
- **Key Classes**:
- `ExportEngine` (`src/Excititor/__Libraries/StellaOps.Excititor.Export/ExportEngine.cs`) - exports VEX data in OpenVEX format
- `VexCanonicalJsonSerializer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexCanonicalJsonSerializer.cs`) - canonical JSON serialization for OpenVEX
- `VexClaim` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexClaim.cs`) - internal VEX claim model normalized from OpenVEX
- `VexConsensus` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensus.cs`) - consensus model supporting OpenVEX statuses
- `VexIngestOrchestrator` (`src/Excititor/StellaOps.Excititor.WebService/Services/VexIngestOrchestrator.cs`) - orchestrates OpenVEX document ingestion
- `IngestEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/IngestEndpoints.cs`) - REST endpoints for VEX ingestion
- **Interfaces**: `IVexExportStore`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Ingest an OpenVEX document via `IngestEndpoints` and verify all statements are normalized into `VexClaim` models
- [ ] Verify all OpenVEX statuses are supported: affected, not_affected, fixed, under_investigation
- [ ] Export VEX data in OpenVEX format via `ExportEngine` and verify JSON schema compliance
- [ ] Verify `VexCanonicalJsonSerializer` produces deterministic OpenVEX output
- [ ] Verify round-trip: ingest an OpenVEX document and export it back to OpenVEX with equivalent content
- [ ] Verify OpenVEX golden corpus test fixtures validate all status combinations

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/openvex-format-support/run-001/tier2-integration-check.json`
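Review bot: items 3 and 4 of `## E2E Test Plan` (OpenVEX export schema compliance, deterministic `VexCanonicalJsonSerializer` output) duplicate items 1 and 5 of vex-annotation-and-export.md in this same commit; keep them in one place or mark one file as the reference so the two plans cannot drift apart. Item 5's "equivalent content" for the round-trip needs a definition, for example equality of the canonical JSON that `VexCanonicalJsonSerializer` produces for the ingested and the re-exported statements, and item 2 should name a not_affected fixture that carries a justification so that field is covered. The golden corpus fixtures cited in `## Description` and item 6 have no path under `## Implementation Details`; add it so Tier 0 can confirm they exist.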
@@ -0,0 +1,43 @@
# Trust Vector Calibration System

## Module
Excititor

## Status
VERIFIED

## Description
Full trust calibration system including: DefaultTrustVectors (per-source baseline trust), SourceClassificationService, CalibrationManifest (versioned calibration snapshots), CalibrationComparisonEngine (post-mortem comparison), TrustVectorCalibrator with learning rate, and TrustCalibrationService. Distinct from "VEX Source Trust Scoring" which is about individual scoring; this is the calibration/tuning infrastructure.

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/Calibration/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/`
- **Key Classes**:
- `TrustCalibrationService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Calibration/TrustCalibrationService.cs`) - orchestrates trust vector calibration
- `TrustVectorCalibrator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Calibration/TrustVectorCalibrator.cs`) - calibrates trust vectors with configurable learning rate
- `CalibrationComparisonEngine` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Calibration/CalibrationComparisonEngine.cs`) - post-mortem comparison of calibration snapshots
- `CalibrationManifest` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Calibration/CalibrationManifest.cs`) - versioned calibration snapshot model
- `DefaultTrustVectors` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/DefaultTrustVectors.cs`) - per-source baseline trust values
- `SourceClassificationService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/SourceClassificationService.cs`) - classifies VEX sources for trust assignment
- `TrustVector` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/TrustVector.cs`) - trust vector model with multi-dimensional scores
- `TrustWeights` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/TrustWeights.cs`) - configurable trust weights
- `FreshnessCalculator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/FreshnessCalculator.cs`) - calculates freshness component of trust vector
- `ProvenanceScorer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/ProvenanceScorer.cs`) - scores provenance for trust calculation
- `CoverageScorer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/CoverageScorer.cs`) - scores coverage for trust calculation
- `ReplayabilityScorer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/ReplayabilityScorer.cs`) - scores replayability for trust calculation
- **Interfaces**: None (uses concrete calibration pipeline)
- **Source**: SPRINT_7100_0002_0002_source_defaults_calibration.md

## E2E Test Plan
- [ ] Run `TrustCalibrationService` and verify it calibrates trust vectors based on historical VEX accuracy
- [ ] Verify `TrustVectorCalibrator` adjusts trust scores with configurable learning rate (slow convergence)
- [ ] Verify `CalibrationManifest` creates versioned snapshots of calibration state
- [ ] Verify `CalibrationComparisonEngine` compares two manifests and reports trust score drift
- [ ] Verify `DefaultTrustVectors` provides correct baseline values for vendor, distro, and internal sources
- [ ] Verify `SourceClassificationService` classifies new VEX sources into correct categories
- [ ] Verify individual scorers (Freshness, Provenance, Coverage, Replayability) contribute weighted scores to the trust vector

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/trust-vector-calibration-system/run-001/tier2-integration-check.json`
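Review bot: item 1 of `## E2E Test Plan` says calibration is "based on historical VEX accuracy", but nothing under `- **Key Classes**` supplies that history; name the input `TrustVectorCalibrator` consumes and where it is stored, since a calibration driven by unattributed history is also a trust-manipulation surface. Item 2's "slow convergence" has no pass criterion: state the learning rate used and the bound checked (the change in any trust component per calibration step stays within what the learning rate allows, and identical history produces an identical `CalibrationManifest`), otherwise the test cannot fail. Item 5's "correct baseline values" should quote the expected vendor, distro and internal baselines from SPRINT_7100_0002_0002_source_defaults_calibration.md, and `- **Interfaces**: None` deserves confirmation for a pipeline with four scorers and `TrustWeights`.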
36
docs/features/checked/excititor/vex-annotation-and-export.md
Normal file
@@ -0,0 +1,36 @@
# VEX annotation and export (OpenVEX + CycloneDX VEX formats)

## Module
Excititor

## Status
VERIFIED

## Description
OpenVEX, CycloneDX, and CSAF VEX normalizers plus consensus export service implement multi-format VEX annotation and export.

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Export/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/`
- **Key Classes**:
- `ExportEngine` (`src/Excititor/__Libraries/StellaOps.Excititor.Export/ExportEngine.cs`) - multi-format VEX export engine
- `VexExportManifest` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexExportManifest.cs`) - manifest tracking exported VEX data
- `FileSystemArtifactStore` (`src/Excititor/__Libraries/StellaOps.Excititor.Export/FileSystemArtifactStore.cs`) - file-based storage for exported artifacts
- `VexConsensus` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensus.cs`) - consensus model for export
- `VexCanonicalJsonSerializer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexCanonicalJsonSerializer.cs`) - canonical JSON for deterministic export
- `VexConsensusResolver` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusResolver.cs`) - resolves consensus before export
- **Interfaces**: `IVexArtifactStore`, `IVexExportStore`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Export VEX data in OpenVEX format via `ExportEngine` and verify schema compliance
- [ ] Export VEX data in CycloneDX format and verify CycloneDX VEX schema compliance
- [ ] Export VEX data in CSAF format and verify CSAF schema compliance
- [ ] Verify `VexExportManifest` tracks all exported artifacts with content hashes
- [ ] Verify `VexCanonicalJsonSerializer` produces deterministic output across repeated exports
- [ ] Verify `FileSystemArtifactStore` persists exported artifacts to the configured directory

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-annotation-and-export/run-001/tier2-integration-check.json`
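Review bot: the `## Description` credits "OpenVEX, CycloneDX, and CSAF VEX normalizers", but every entry under `- **Key Classes**` is export-side (`ExportEngine`, `VexExportManifest`, `FileSystemArtifactStore`, the serializer and the consensus types); either list the normalizer classes or narrow the description to export, and the title names only OpenVEX and CycloneDX while item 3 of the test plan also exports CSAF. Item 4 ("content hashes") should name the hash algorithm `VexExportManifest` records and be tied to item 5: two exports of the same consensus must yield identical manifest hashes, which is the observable form of the determinism claim, and item 6 should check that the artifact on disk hashes to the value in the manifest so a tampered or truncated export is detectable.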
39
docs/features/checked/excititor/vex-claim-normalization.md
Normal file
@@ -0,0 +1,39 @@
# VEX Claim Normalization (Multi-Format Ingestion)

## Module
Excititor

## Status
VERIFIED

## Description
Normalization of VEX claims from OpenVEX, CycloneDX VEX, and CSAF formats into canonical internal representation with vendor-specific connectors (Ubuntu, Red Hat, Oracle, Microsoft, Cisco).

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/`, `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.*/`
- **Key Classes**:
- `VexClaim` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexClaim.cs`) - canonical VEX claim model
- `VexAdvisoryKeyCanonicalizer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Canonicalization/VexAdvisoryKeyCanonicalizer.cs`) - canonicalizes advisory keys across formats
- `VexProductKeyCanonicalizer` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Canonicalization/VexProductKeyCanonicalizer.cs`) - canonicalizes product keys across formats
- `UbuntuCsafConnector` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/UbuntuCsafConnector.cs`) - Ubuntu CSAF ingestion
- `RedHatCsafConnector` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/RedHatCsafConnector.cs`) - Red Hat CSAF ingestion
- `OracleCsafConnector` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/OracleCsafConnector.cs`) - Oracle CSAF ingestion
- `MsrcCsafConnector` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/MsrcCsafConnector.cs`) - Microsoft MSRC CSAF ingestion
- `CiscoCsafConnector` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/CiscoCsafConnector.cs`) - Cisco CSAF ingestion
- `VexIngestOrchestrator` (`src/Excititor/StellaOps.Excititor.WebService/Services/VexIngestOrchestrator.cs`) - orchestrates multi-format ingestion
- **Interfaces**: `VexConnectorBase` (abstract base)
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Ingest a CSAF advisory from each vendor connector (Ubuntu, Red Hat, Oracle, Microsoft, Cisco) and verify normalization into `VexClaim`
- [ ] Verify `VexAdvisoryKeyCanonicalizer` produces identical keys for the same advisory across different formats
- [ ] Verify `VexProductKeyCanonicalizer` produces identical product keys for the same product across formats
- [ ] Ingest the same vulnerability from multiple formats (OpenVEX, CSAF, CycloneDX) and verify they normalize to equivalent claims
- [ ] Verify `VexIngestOrchestrator` routes documents to the correct normalizer based on format detection
- [ ] Verify normalization handles vendor-specific fields (Red Hat errata, Microsoft KB articles, Cisco bug IDs)

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-claim-normalization/run-001/tier2-integration-check.json`
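Review bot: `- **Interfaces**: VexConnectorBase (abstract base)` lists an abstract class under Interfaces; move it to `- **Key Classes**` or relabel the line. The `## Description` promises OpenVEX and CycloneDX VEX normalization, but all five connectors listed are CSAF (`UbuntuCsafConnector` through `CiscoCsafConnector`), and item 4 of the test plan ingests "OpenVEX, CSAF, CycloneDX" without naming the class that handles the first and third; the `Connectors.*/` glob in `- **Modules**` hides which projects exist, so list them. Items 2 and 3 should include a case where two formats spell the same advisory or product differently (case, version suffix, purl vs CPE) and still canonicalize to one key, since a key mismatch there silently splits claims that should be merged; item 6 should state the behaviour when a vendor-specific field is absent or malformed.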
@@ -0,0 +1,38 @@
# VEX Claims Resolution Engine (Multi-Source Merge)

## Module
Excititor

## Status
VERIFIED

## Description
Multi-source VEX claim resolution with policy-controlled merge semantics resolving conflicts between vendor, distro, internal, and scanner claims into a deterministic resolved status.

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/`
- **Key Classes**:
- `VexConsensusResolver` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusResolver.cs`) - resolves multi-source VEX claims into consensus
- `BaselineVexConsensusPolicy` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/BaselineVexConsensusPolicy.cs`) - baseline policy for consensus resolution
- `VexConsensusPolicyOptions` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusPolicyOptions.cs`) - configurable policy options for merge semantics
- `VexConsensus` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensus.cs`) - resolved consensus model
- `VexConsensusHold` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusHold.cs`) - holds on consensus when manual review is needed
- `ClaimScoreMerger` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/ClaimScoreMerger.cs`) - merges claim scores from multiple sources
- `PolicyLatticeAdapter` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/PolicyLatticeAdapter.cs`) - adapts policy lattice rules for VEX merge
- `TrustWeightRegistry` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/TrustWeightRegistry.cs`) - registry of trust weights per source
- **Interfaces**: `IVexConsensusPolicy`, `IVexLatticeProvider`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Submit conflicting VEX claims (vendor says "fixed", distro says "affected") and verify `VexConsensusResolver` resolves deterministically based on policy
- [ ] Verify `BaselineVexConsensusPolicy` applies default merge rules when no custom policy is configured
- [ ] Verify `ClaimScoreMerger` weights claims by trust level when merging scores
- [ ] Verify `VexConsensusHold` is triggered when claims conflict and manual review is required by policy
- [ ] Verify `TrustWeightRegistry` applies different weights to vendor, distro, internal, and scanner sources
- [ ] Verify resolution is deterministic: same inputs always produce the same consensus output

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-claims-resolution-engine/run-001/tier2-integration-check.json`
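Review bot: item 1 of `## E2E Test Plan` (vendor "fixed" vs distro "affected") names no expected outcome; state whether `BaselineVexConsensusPolicy` yields a resolved status, and which one, or a `VexConsensusHold`, otherwise "resolves deterministically based on policy" cannot fail. Item 6 should feed the same claims in different arrival orders and assert byte-identical `VexConsensus` output (the canonical serializer used elsewhere in this commit is the natural comparator), since input ordering is the usual source of non-determinism in a weighted merge, and item 3 should include a low-trust source whose claim must not flip the consensus on its own. `- **Source**: Feature matrix scan` should cite the sprint file that defines the merge semantics, because the policy defaults in `VexConsensusPolicyOptions` are what these tests are really checking.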
@@ -0,0 +1,38 @@
# VEX Cryptographic Verification

## Module
Excititor

## Status
VERIFIED

## Description
Cryptographic signature verification of VEX documents at ingestion time with crypto profile selection and issuer validation.

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/`, `src/Excititor/StellaOps.Excititor.Worker/Signature/`
- **Key Classes**:
  - `ProductionVexSignatureVerifier` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/ProductionVexSignatureVerifier.cs`) - production signature verifier for VEX documents
  - `CryptoProfileSelector` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/CryptoProfileSelector.cs`) - selects crypto profile (FIPS, eIDAS, GOST, SM) based on issuer
  - `VerificationCacheService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VerificationCacheService.cs`) - caches verification results for performance
  - `VexSignatureVerifierOptions` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexSignatureVerifierOptions.cs`) - configurable verification options
  - `VexVerificationModels` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexVerificationModels.cs`) - verification result models
  - `VexVerificationMetrics` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexVerificationMetrics.cs`) - metrics for verification operations
  - `WorkerSignatureVerifier` (`src/Excititor/StellaOps.Excititor.Worker/Signature/WorkerSignatureVerifier.cs`) - worker-side signature verification
  - `VerifyingVexRawDocumentSink` (`src/Excititor/StellaOps.Excititor.Worker/Signature/VerifyingVexRawDocumentSink.cs`) - sink that verifies signatures before persisting
- **Interfaces**: `IVexSignatureVerifierV2`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Ingest a cryptographically signed VEX document and verify `ProductionVexSignatureVerifier` validates the signature
- [ ] Verify `CryptoProfileSelector` selects the correct crypto profile based on the issuer's regional requirements
- [ ] Verify `VerificationCacheService` caches verification results and returns cached results for repeated checks
- [ ] Ingest a VEX document with an invalid signature and verify rejection with a clear error
- [ ] Verify `VerifyingVexRawDocumentSink` rejects unsigned documents when signature verification is required
- [ ] Verify `VexVerificationMetrics` records verification success/failure counts and latency

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-cryptographic-verification/run-001/tier2-integration-check.json`
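Review bot: Status is VERIFIED but every E2E Test Plan item is still `- [ ]`, so a reader cannot tell which of the six checks run-001 exercised; tick the items the Tier 2d check covered. For `Verify VerifyingVexRawDocumentSink rejects unsigned documents when signature verification is required`, state the default of `VexSignatureVerifierOptions` (verification required or optional out of the box), because that default decides whether unsigned VEX is persisted on a fresh deployment, and the Tier 2d line should summarise what the JSON check asserted rather than only pointing at the file.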
@@ -0,0 +1,46 @@
# VEX Delta Persistence Table

## Status
VERIFIED

## Description
Persistent tracking of VEX status transitions between artifact versions with rationale and replay hashes. Schema designed but not implemented.

## Why Marked as Dropped (Correction)
**FINDING: VEX delta persistence IS implemented across multiple modules.** The following exist:
- `src/Excititor/__Libraries/StellaOps.Excititor.Persistence/Postgres/Repositories/PostgresVexDeltaRepository.cs` -- PostgreSQL VEX delta repository
- `src/VexLens/StellaOps.VexLens/Services/VexDeltaComputeService.cs` -- VEX delta computation
- `src/VexLens/StellaOps.VexLens/Mapping/VexDeltaMapper.cs` -- VEX delta data mapping
- `src/VexLens/StellaOps.VexLens/Storage/InMemoryConsensusProjectionStore.cs` -- in-memory projection store
- `src/VexLens/StellaOps.VexLens.Persistence/Repositories/ConsensusProjectionRepository.cs` -- persistent consensus projections
- `src/VexLens/StellaOps.VexLens.Persistence/Postgres/VexLensDataSource.cs` -- PostgreSQL data source
- `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/VexDeltaRepository.cs` -- SBOM lineage VEX delta tracking
- `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Persistence/Migrations/00001_InitialSchema.sql` -- migration with VEX delta tables
- Attestor proof chain predicates: `VexDeltaPredicate.cs`, `VexDeltaSummary.cs`, `VexDeltaChange.cs`, `VexDeltaStatement.cs`

## Implementation Details
- Excititor persistence: `src/Excititor/__Libraries/StellaOps.Excititor.Persistence/Postgres/Repositories/PostgresVexDeltaRepository.cs`
- VexLens computation: `src/VexLens/StellaOps.VexLens/Services/VexDeltaComputeService.cs`
- VexLens mapping: `src/VexLens/StellaOps.VexLens/Mapping/VexDeltaMapper.cs`
- SbomService lineage: `src/SbomService/__Libraries/StellaOps.SbomService.Lineage/Repositories/VexDeltaRepository.cs`
- Attestor predicates: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexDelta*.cs`

## E2E Test Plan
- Verify VEX delta computation tracks status transitions correctly
- Test persistence and retrieval of VEX deltas
- Validate consensus projection store maintains correct state
- Test delta predicates are included in proof chain attestations

## Source
- Feature matrix scan

## Notes
- Module: Excititor
- Modules referenced: `src/Excititor/`, `src/VexLens/`, `src/SbomService/`
- **Status should be reclassified from NOT_FOUND to IMPLEMENTED**

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-delta-persistence-table/run-001/tier2-integration-check.json`
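Review bot: the Description still ends with `Schema designed but not implemented.` while the next section opens with `FINDING: VEX delta persistence IS implemented across multiple modules`, and the Notes line `Status should be reclassified from NOT_FOUND to IMPLEMENTED` is stale against the `VERIFIED` status at the top of the file. Drop the sentence and the stale note, rename `## Why Marked as Dropped (Correction)` to reflect that the content is the reverse finding, and bring the file in line with the sibling feature checks: add the `## Module` heading (the module is currently buried under Notes) and put `- [ ]` checkboxes on the E2E items so their run state can be recorded. The E2E item `replay hashes` in the Description also has no matching test; add one that recomputing a delta from the same inputs reproduces the persisted hash.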
@@ -0,0 +1,37 @@
|
# VEX Handling with Formal Reasoning (Lattice-Based Merge)

## Module
Excititor

## Status
VERIFIED

## Description
VEX handling with a K4 trust lattice engine for deterministic merging of vendor/distro/internal VEX claims, claim score merging, conflict penalization, and disposition selection via policy-driven rules.

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/`
- **Key Classes**:
  - `ClaimScoreMerger` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/ClaimScoreMerger.cs`) - merges claim scores using lattice algebra with conflict penalization
  - `PolicyLatticeAdapter` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/PolicyLatticeAdapter.cs`) - adapts K4 policy lattice for VEX claim merge
  - `TrustWeightRegistry` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/TrustWeightRegistry.cs`) - registry of per-source trust weights
  - `ClaimScoreCalculator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/ClaimScoreCalculator.cs`) - calculates claim scores from trust vectors
  - `ClaimStrength` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/TrustVector/ClaimStrength.cs`) - claim strength model
  - `VexScoreEnvelope` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexScoreEnvelope.cs`) - envelope wrapping scored VEX claims
  - `VexConsensusResolver` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusResolver.cs`) - resolves consensus using lattice rules
- **Interfaces**: `IVexLatticeProvider`, `IVexConsensusPolicy`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Submit multiple VEX claims for the same vulnerability and verify `ClaimScoreMerger` produces a deterministic merged score using lattice algebra
- [ ] Verify conflict penalization: conflicting claims (affected vs not_affected) reduce the merged score
- [ ] Verify `PolicyLatticeAdapter` applies K4 lattice rules for disposition selection (top > bottom in lattice ordering)
- [ ] Verify `TrustWeightRegistry` applies different weights to vendor, distro, and internal sources
- [ ] Verify `ClaimScoreCalculator` computes scores from multi-dimensional trust vectors
- [ ] Verify the merged result is monotonic: adding more evidence can only increase confidence, not decrease it

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-handling-with-formal-reasoning/run-001/tier2-integration-check.json`
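Review bot: the second and last E2E items contradict each other: `conflicting claims (affected vs not_affected) reduce the merged score` means that adding a conflicting claim lowers the score, while `adding more evidence can only increase confidence, not decrease it` says no added evidence can lower it. State the property precisely, for example that the merge is monotone in the lattice order (adding agreeing evidence never lowers the merged score) while conflicting evidence moves the result toward the conflict element and is penalised, and write the test around that. In the `PolicyLatticeAdapter` item, `top > bottom in lattice ordering` holds in any lattice by definition; say which ordering of the four-valued lattice the check uses and which concrete dispositions map to top and bottom, otherwise the test cannot fail.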
@@ -0,0 +1,36 @@
|
# VEX Issuer Identity Verification

## Module
Excititor

## Status
VERIFIED

## Description
Cryptographic verification of VEX issuer identities with signature verification, issuer directory lookup, verification caching, and configurable verification options.

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/`, `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/Trust/`
- **Key Classes**:
  - `IssuerDirectoryClient` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/IssuerDirectoryClient.cs`) - looks up issuer public keys from the issuer directory
  - `ProductionVexSignatureVerifier` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/ProductionVexSignatureVerifier.cs`) - verifies VEX document signatures against issuer keys
  - `VerificationCacheService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VerificationCacheService.cs`) - caches issuer verification results
  - `VexSignatureVerifierOptions` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexSignatureVerifierOptions.cs`) - configurable verification options
  - `ConnectorSignerMetadata` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/Trust/ConnectorSignerMetadata.cs`) - signer metadata for connector-level trust
  - `ConnectorSignerMetadataEnricher` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/Trust/ConnectorSignerMetadataEnricher.cs`) - enriches connector metadata with signer info
- **Interfaces**: `IVexSignatureVerifierV2`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify `IssuerDirectoryClient` looks up issuer public keys from the issuer directory service
- [ ] Verify `ProductionVexSignatureVerifier` validates a VEX document signed by a known issuer
- [ ] Verify rejection when a VEX document is signed by an unknown issuer not in the directory
- [ ] Verify `VerificationCacheService` caches issuer lookup results and returns cached results on repeat queries
- [ ] Verify `ConnectorSignerMetadataEnricher` enriches connector metadata with signer identity info
- [ ] Verify `VexSignatureVerifierOptions` allows configuring verification strictness (strict, permissive, disabled)

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-issuer-identity-verification/run-001/tier2-integration-check.json`
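Review bot: the `VerificationCacheService` item only checks that repeat queries hit the cache; add a test that a cached positive result is invalidated when the issuer's key is rotated or revoked in the directory, otherwise a document signed with a revoked key stays verified until the cache entry expires. The last item names a `disabled` strictness level for a signature check; the test should assert that `strict` is the default and that `disabled` is surfaced in logs or metrics, not just that the option can be set. Four of the entries here (`ProductionVexSignatureVerifier`, `VerificationCacheService`, `VexSignatureVerifierOptions`, `IVexSignatureVerifierV2`) duplicate the VEX Cryptographic Verification file; cross-reference that file and keep only `IssuerDirectoryClient` and the connector trust classes as this feature's own.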
@@ -0,0 +1,38 @@
|
# VEX normalization and multi-format ingestion (OpenVEX, CSAF)

## Module
Excititor

## Status
VERIFIED

## Description
VEX normalization, delta mapping, export compatibility testing, and auto-VEX justification across VexLens, VexHub, and Excititor modules.

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/`, `src/Excititor/StellaOps.Excititor.WebService/`
- **Key Classes**:
  - `VexIngestOrchestrator` (`src/Excititor/StellaOps.Excititor.WebService/Services/VexIngestOrchestrator.cs`) - orchestrates multi-format VEX ingestion pipeline
  - `VexStatementBackfillService` (`src/Excititor/StellaOps.Excititor.WebService/Services/VexStatementBackfillService.cs`) - backfills VEX statements for historical coverage
  - `VexRawDocumentMapper` (`src/Excititor/StellaOps.Excititor.WebService/Extensions/VexRawDocumentMapper.cs`) - maps raw VEX documents to internal models
  - `VexRawRequestMapper` (`src/Excititor/StellaOps.Excititor.WebService/Extensions/VexRawRequestMapper.cs`) - maps API requests to raw VEX documents
  - `VexHashingService` (`src/Excititor/StellaOps.Excititor.WebService/Services/VexHashingService.cs`) - content-addressed hashing for VEX documents
  - `VexDeltaModels` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexDeltaModels.cs`) - delta models for tracking VEX changes
  - `VexStatementChangeEvent` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Observations/VexStatementChangeEvent.cs`) - events for VEX statement changes
  - `IngestEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/IngestEndpoints.cs`) - REST endpoints for VEX ingestion
- **Interfaces**: None (uses concrete pipeline)
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Ingest an OpenVEX document via `IngestEndpoints` and verify `VexIngestOrchestrator` normalizes it into internal models
- [ ] Ingest a CSAF document and verify equivalent normalization results
- [ ] Verify `VexHashingService` produces content-addressed hashes for deduplication
- [ ] Verify `VexDeltaModels` track changes between ingestion runs (new, modified, removed statements)
- [ ] Verify `VexStatementChangeEvent` is emitted for each statement change
- [ ] Verify `VexStatementBackfillService` backfills missing VEX statements from historical data

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-normalization-and-multi-format-ingestion/run-001/tier2-integration-check.json`
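Review bot: the Description (`VEX normalization, delta mapping, export compatibility testing, and auto-VEX justification across VexLens, VexHub, and Excititor modules`) does not match the title or the Implementation Details, which list only Excititor ingestion classes and no VexLens or VexHub path; rewrite it to describe OpenVEX and CSAF ingestion and normalization. The E2E plan is happy-path only: add an item that `IngestEndpoints` rejects a malformed document, or one whose declared format does not match its content, with an error and without persisting a partial record, and one that re-ingesting a byte-identical document (same `VexHashingService` hash) is idempotent and emits no `VexStatementChangeEvent`. `- **Interfaces**: None (uses concrete pipeline)` is worth a sentence on why, given every sibling feature exposes an interface for test doubles.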
@@ -0,0 +1,41 @@
|
# VEX Override Workflow with Attestation Linkage

## Module
Excititor

## Status
VERIFIED

## Description
VEX decision APIs extended with attestation references so overrides are DSSE-signed. Attestor integration mints envelopes for operator decisions with envelope digest and Rekor info persistence. Includes offline stub client.

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Attestation/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/`
- **Key Classes**:
  - `VexDsseBuilder` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Dsse/VexDsseBuilder.cs`) - builds DSSE envelopes for VEX override decisions
  - `VexAttestationClient` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/VexAttestationClient.cs`) - client for VEX attestation operations
  - `VexEvidenceAttestor` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Evidence/VexEvidenceAttestor.cs`) - attests VEX evidence with DSSE signatures
  - `VexAttestationVerifier` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Verification/VexAttestationVerifier.cs`) - verifies VEX attestation envelopes
  - `VexAttestationPredicate` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Models/VexAttestationPredicate.cs`) - predicate model for VEX attestations
  - `RekorHttpClient` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Transparency/RekorHttpClient.cs`) - Rekor transparency log client
  - `DsseEvidenceSignatureValidator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/DsseEvidenceSignatureValidator.cs`) - validates DSSE signatures on evidence
  - `VexEvidenceLinker` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/VexEvidenceLinker.cs`) - links VEX decisions to supporting evidence
  - `AttestationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/AttestationEndpoints.cs`) - REST endpoints for attestation operations
  - `RekorAttestationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/RekorAttestationEndpoints.cs`) - Rekor-specific attestation endpoints
- **Interfaces**: `IVexSigner`, `ITransparencyLogClient`, `IVexAttestationVerifier`
- **Source**: SPRINT_20260112_004_VULN_vex_override_workflow.md

## E2E Test Plan
- [ ] Create a VEX override and verify `VexDsseBuilder` mints a DSSE-signed envelope with the operator's decision
- [ ] Verify `VexAttestationClient` persists the envelope digest and Rekor entry info
- [ ] Verify `VexAttestationVerifier` validates the DSSE signature on a VEX override attestation
- [ ] Verify `RekorHttpClient` submits the attestation to the Rekor transparency log and retrieves the entry
- [ ] Verify `VexEvidenceLinker` links the override decision to supporting binary-diff or reachability evidence
- [ ] Verify `DsseEvidenceSignatureValidator` rejects overrides with invalid DSSE signatures
- [ ] Verify attestation endpoints return override history with DSSE envelope and Rekor receipt references

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-override-workflow-with-attestation-linkage/run-001/tier2-integration-check.json`
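Review bot: the Description says the feature `Includes offline stub client`, but no E2E item covers that path; add one that creates an override with the stub `ITransparencyLogClient`, persists the DSSE envelope digest, and records explicitly that no Rekor receipt exists, so an air-gapped override cannot later be mistaken for a logged one. In `Verify RekorHttpClient submits the attestation to the Rekor transparency log and retrieves the entry`, retrieval is not verification: add a check that the persisted entry's inclusion proof is validated against the log, since `VexAttestationVerifier` as described only checks the DSSE signature. The E2E plan also has no test that the operator identity recorded in the envelope matches the authenticated caller of `AttestationEndpoints`. `- **Source**: SPRINT_20260112_004_VULN_vex_override_workflow.md` should carry its repository path like the file references above it.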
@@ -0,0 +1,37 @@
|
# VEX Policy-Controlled Trust and Evidence Requirements

## Module
Excititor

## Status
VERIFIED

## Description
Policy-driven trust weights and evidence requirements for VEX claims, with guardrails ensuring safe statuses require evidence satisfaction.

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/`, `src/Excititor/StellaOps.Excititor.WebService/`
- **Key Classes**:
  - `BaselineVexConsensusPolicy` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/BaselineVexConsensusPolicy.cs`) - baseline policy with evidence requirements for safe statuses
  - `VexConsensusPolicyOptions` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusPolicyOptions.cs`) - configurable policy options for trust and evidence
  - `TrustWeightRegistry` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/TrustWeightRegistry.cs`) - per-source trust weight configuration
  - `PolicyLatticeAdapter` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/PolicyLatticeAdapter.cs`) - adapts policy engine rules for VEX trust evaluation
  - `VexEvidenceLinkOptions` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/VexEvidenceLinkOptions.cs`) - evidence linking requirements configuration
  - `PolicyEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/PolicyEndpoints.cs`) - REST endpoints for VEX policy queries
  - `PolicyContracts` (`src/Excititor/StellaOps.Excititor.WebService/Contracts/PolicyContracts.cs`) - API contracts for policy data
- **Interfaces**: `IVexConsensusPolicy`, `IVexLatticeProvider`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Configure a policy requiring binary-diff evidence for `not_affected` status and verify claims without evidence are rejected
- [ ] Verify `TrustWeightRegistry` applies configurable trust weights: increase vendor weight and verify vendor claims rank higher
- [ ] Verify `BaselineVexConsensusPolicy` enforces minimum evidence requirements for safe statuses (not_affected, fixed)
- [ ] Verify `PolicyLatticeAdapter` applies K4 lattice rules from the policy engine to VEX trust evaluation
- [ ] Verify `VexEvidenceLinkOptions` requires specific evidence types (reachability, binary-diff) for specific statuses
- [ ] Verify `PolicyEndpoints` returns the active VEX policy configuration

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-policy-controlled-trust-and-evidence-requirements/run-001/tier2-integration-check.json`
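Review bot: `verify claims without evidence are rejected` leaves open where the rejection happens, and the two readings have different security consequences: dropping the claim at ingest loses the vendor statement as evidence, while excluding it from consensus keeps it stored but not trusted. Say which `BaselineVexConsensusPolicy` does and test the observable outcome (the resolved status falls back to a non-safe value instead of `not_affected`). The third item names `fixed` as a safe status but the evidence types listed (`reachability`, `binary-diff`) only make sense for `not_affected`; state what evidence the guardrail demands for `fixed`. Also add a negative check that a policy cannot be configured to make a safe status evidence-free, since the Description calls this a guardrail. `TrustWeightRegistry` and `PolicyLatticeAdapter` are documented again under the lattice-merge feature; reference it rather than repeating.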
@@ -0,0 +1,41 @@
|
# VEX Source Registration and Verification Pipeline

## Module
Excititor

## Status
VERIFIED

## Description
VEX source onboarding pipeline with scheduled provider runners, orchestration, signature verification, and issuer directory integration for multi-vendor VEX ingestion.

## Implementation Details
- **Modules**: `src/Excititor/StellaOps.Excititor.Worker/`, `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/`
- **Key Classes**:
  - `VexWorkerHostedService` (`src/Excititor/StellaOps.Excititor.Worker/Scheduling/VexWorkerHostedService.cs`) - background service scheduling provider runs
  - `DefaultVexProviderRunner` (`src/Excititor/StellaOps.Excititor.Worker/Scheduling/DefaultVexProviderRunner.cs`) - runs VEX provider connectors on schedule
  - `OrchestratorVexProviderRunner` (`src/Excititor/StellaOps.Excititor.Worker/Orchestration/OrchestratorVexProviderRunner.cs`) - orchestrator-managed provider runner
  - `VexWorkerOrchestratorClient` (`src/Excititor/StellaOps.Excititor.Worker/Orchestration/VexWorkerOrchestratorClient.cs`) - communicates with orchestrator for work assignment
  - `VexWorkerHeartbeatService` (`src/Excititor/StellaOps.Excititor.Worker/Orchestration/VexWorkerHeartbeatService.cs`) - sends heartbeats to orchestrator
  - `VexWorkerPluginCatalogLoader` (`src/Excititor/StellaOps.Excititor.Worker/Plugins/VexWorkerPluginCatalogLoader.cs`) - loads available VEX connector plugins
  - `VexConnectorBase` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/VexConnectorBase.cs`) - base class for VEX source connectors
  - `VexConnectorDescriptor` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/VexConnectorDescriptor.cs`) - descriptor metadata for connectors
  - `WorkerSignatureVerifier` (`src/Excititor/StellaOps.Excititor.Worker/Signature/WorkerSignatureVerifier.cs`) - verifies signatures during ingestion
  - `VexWorkerSchedule` (`src/Excititor/StellaOps.Excititor.Worker/Scheduling/VexWorkerSchedule.cs`) - schedule configuration for provider runs
  - `MirrorRegistrationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/MirrorRegistrationEndpoints.cs`) - REST endpoints for mirror/source registration
- **Interfaces**: `IVexProviderRunner`, `IVexConsensusRefreshScheduler`, `IVexWorkerOrchestratorClient`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Register a new VEX source via `MirrorRegistrationEndpoints` and verify it appears in the plugin catalog
- [ ] Verify `VexWorkerHostedService` schedules provider runs based on `VexWorkerSchedule` configuration
- [ ] Verify `DefaultVexProviderRunner` executes the connector and ingests VEX documents
- [ ] Verify `WorkerSignatureVerifier` validates signatures on ingested documents during the pipeline
- [ ] Verify `VexWorkerHeartbeatService` sends heartbeats to the orchestrator during long-running ingestion
- [ ] Verify `VexWorkerPluginCatalogLoader` discovers and loads all available vendor connectors (Ubuntu, Red Hat, Oracle, Microsoft, Cisco, SUSE)

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-source-registration-and-verification-pipeline/run-001/tier2-integration-check.json`
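Review bot: `Register a new VEX source via MirrorRegistrationEndpoints and verify it appears in the plugin catalog` has no check that registration is authenticated and authorized, yet registering a source is the step that decides whose VEX the pipeline will trust; add an item that an unauthenticated or unprivileged registration call is refused and that a registered source's issuer must resolve through the issuer directory before its first run. `Verify WorkerSignatureVerifier validates signatures on ingested documents during the pipeline` should also state the failure handling for a batch: whether one bad signature quarantines the whole provider run or only drops that document, and that the failure is recorded. The vendor connectors listed in the last item (Ubuntu, Red Hat, Oracle, Microsoft, Cisco, SUSE) and the `IVexConsensusRefreshScheduler` interface have no corresponding entry under Key Classes or Modules; either list their paths or drop them from the plan.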