stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
docs/features/checked/scanner/vex-auto-generation-and-auto-downgrade.md Normal file
View File

@@ -0,0 +1,43 @@
# VEX Auto-Generation and Auto-Downgrade (SmartDiff Candidates, Runtime Evidence)
## Module
Scanner
## Status
VERIFIED
## Description
Emits VEX candidates (not_affected/under_investigation) from SmartDiff when vulnerable APIs absent in current version. Runtime results can support/contradict static analysis, enabling auto-downgrade of VEX posture based on runtime evidence.
## Implementation Details
- **VEX Candidate Emitter**:
- `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexCandidateEmitter.cs` - `VexCandidateEmitter` emitting VEX candidates (not_affected, under_investigation) when SmartDiff detects that vulnerable APIs are absent in the current version
- `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexCandidateModels.cs` - VEX candidate data models
- `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexEvidence.cs` - `VexEvidence` model linking SmartDiff evidence to VEX candidates
- **Persistence**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresVexCandidateStore.cs` - `PostgresVexCandidateStore` persisting VEX candidates for review and approval
- **Delta Signature VEX**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/DeltaSigVexEmitter.cs` - `DeltaSigVexEmitter` emitting VEX statements based on delta signature analysis
- **API**:
- `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SmartDiffEndpoints.cs` - SmartDiff endpoints including VEX candidate retrieval
- **Tests**:
- `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/VexCandidateEmitterTests.cs` - VEX candidate emission tests
## E2E Test Plan
- [ ] Trigger SmartDiff analysis where vulnerable APIs are absent in the current version and verify a "not_affected" VEX candidate is emitted
- [ ] Verify "under_investigation" VEX candidates are emitted when SmartDiff cannot conclusively determine API absence
- [ ] Verify runtime evidence contradicting a "not_affected" VEX candidate triggers auto-downgrade to "under_investigation"
- [ ] Verify VEX candidates are persisted in PostgreSQL for review and approval workflow
- [ ] Verify `DeltaSigVexEmitter` emits VEX statements based on delta signature comparison between versions
- [ ] Verify auto-generated VEX candidates include evidence links back to the SmartDiff analysis that produced them
---
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |