stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
docs/features/checked/scanner/suppression-witness-proof-model.md Normal file
View File

@@ -0,0 +1,44 @@
# Suppression Witness Proof Model (DSSE-Signable Not-Affected Evidence)
## Module
Scanner
## Status
VERIFIED
## Description
A DSSE-signable proof model documenting why a vulnerability is NOT exploitable (unreachable code, linker GC, feature flag off, patched symbol, gate blocked, etc.). Complements PathWitness which documents why code IS reachable. Includes 10 suppression types and content-addressed witness IDs.
## Implementation Details
- **Suppression Witness Model**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitness.cs` - `SuppressionWitness` model with 10 suppression types (unreachable code, linker GC, feature flag off, patched symbol, gate blocked, etc.) and content-addressed witness IDs
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitnessSchema.cs` - JSON schema definition for suppression witness validation
- **Builder**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitnessBuilder.cs` - `SuppressionWitnessBuilder` constructing suppression witnesses with evidence chains and suppression type classification
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ISuppressionWitnessBuilder.cs` - Interface for suppression witness construction
- **DSSE Signing**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionDsseSigner.cs` - `SuppressionDsseSigner` signing suppression witnesses using DSSE envelopes
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ISuppressionDsseSigner.cs` - Interface for suppression DSSE signing
- **Content-Addressed IDs**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ClaimIdGenerator.cs` - `ClaimIdGenerator` generating deterministic, content-addressed witness IDs
- **DI Registration**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitnessServiceCollectionExtensions.cs` - DI registration for suppression witness services
## E2E Test Plan
- [ ] Create a suppression witness for an unreachable code path and verify the witness includes the suppression type "UnreachableCode" with evidence
- [ ] Create a suppression witness for linker GC (dead code elimination) and verify it documents the eliminated symbols
- [ ] Sign a suppression witness with DSSE and verify the envelope validates against the suppression witness schema
- [ ] Verify content-addressed witness IDs are deterministic (same evidence produces identical IDs)
- [ ] Verify suppression witnesses complement PathWitnesses by providing the inverse proof (not-affected vs. affected)
- [ ] Verify all 10 suppression types can be constructed and signed correctly
---
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |