Add integration tests for Proof Chain and Reachability workflows

- Implement ProofChainTestFixture for PostgreSQL-backed integration tests.
- Create StellaOps.Integration.ProofChain project with necessary dependencies.
- Add ReachabilityIntegrationTests to validate call graph extraction and reachability analysis.
- Introduce ReachabilityTestFixture for managing corpus and fixture paths.
- Establish StellaOps.Integration.Reachability project with required references.
- Develop UnknownsWorkflowTests to cover the unknowns lifecycle: detection, ranking, escalation, and resolution.
- Create StellaOps.Integration.Unknowns project with dependencies for unknowns workflow.
StellaOps Bot
2025-12-20 22:19:26 +02:00
parent 3c6e14fca5
commit efe9bd8cfe
86 changed files with 9616 additions and 323 deletions

@@ -900,6 +900,13 @@ Both commands honour CLI observability hooks: Spectre tables for human output, `
| `stellaops-cli graph verify` | Verify graph DSSE signature and Rekor entry | `--graph <path>` (required)<br>`--dsse <path>`<br>`--rekor-log` | Recomputes BLAKE3 hash, validates DSSE envelope, checks Rekor inclusion proof |
| `stellaops-cli proof verify` | Verify an artifact's proof chain | `<artifact>` (required)<br>`--sbom <file>`<br>`--vex <file>`<br>`--anchor <uuid>`<br>`--offline`<br>`--output text\|json`<br>`-v/-vv` | Validates proof spine, Merkle inclusion, VEX statements, and Rekor entries. Returns exit code 0 (pass), 1 (policy violation), or 2 (system error). Designed for CI/CD integration. |
| `stellaops-cli proof spine` | Display proof spine for an artifact | `<artifact>` (required)<br>`--format table\|json`<br>`--show-merkle` | Shows assembled proof spine with evidence statements, VEX verdicts, and Merkle tree structure. |
| `stellaops-cli score replay` | Replay a score computation for a scan | `--scan <id>` (required)<br>`--output text\|json`<br>`-v` | Calls `/api/v1/scanner/scans/{id}/score/replay` to replay score computation. Returns proof bundle with root hash and verification status. *(Sprint 3500.0004.0001)* |
| `stellaops-cli score bundle` | Export score proof bundle | `--scan <id>` (required)<br>`--output <dir>` | Exports score proof bundle including attestation, evidence, and root hash for offline verification. *(Sprint 3500.0004.0001)* |
| `stellaops-cli score verify` | Verify score proof chain | `--scan <id>` (required)<br>`--offline` | Validates the score computation proof chain, verifying Merkle proofs and attestation signatures. *(Sprint 3500.0004.0001)* |
| `stellaops-cli unknowns list` | List unknowns by band | `--band HOT\|WARM\|COLD`<br>`--limit <n>` (default 50)<br>`--output table\|json`<br>`-v` | Lists unknowns from the registry filtered by confidence band. Shows CVE, package, band, age. Calls `/api/v1/policy/unknowns`. *(Sprint 3500.0004.0001)* |
| `stellaops-cli unknowns escalate` | Escalate an unknown for review | `--id <unknown-id>` (required)<br>`--reason <text>`<br>`--output text\|json` | Escalates an unknown entry for manual triage. Returns escalation receipt with tracking ID. *(Sprint 3500.0004.0001)* |
| `stellaops-cli unknowns resolve` | Resolve an unknown | `--id <unknown-id>` (required)<br>`--resolution <outcome>`<br>`--reason <text>` | Resolves an escalated unknown with specified outcome (accepted, rejected, deferred). *(Sprint 3500.0004.0001)* |
| `stellaops-cli scan graph` | Extract call graph from source | `--lang dotnet\|java\|node\|python\|go\|rust\|ruby\|php` (required)<br>`--target <path>` (required)<br>`--output <file>`<br>`--upload` | Runs language-specific call graph extractor locally. Deterministic output (stable ordering). Use `--upload` to submit to backend. *(Sprint 3500.0004.0001)* |
| `stellaops-cli replay verify` | Verify replay manifest determinism | `--manifest <path>` (required)<br>`--sealed`<br>`--verbose` | Recomputes all artifact hashes and compares against manifest; exit 0 on match |
| `stellaops-cli runtime policy test` | Ask Scanner.WebService for runtime verdicts (Webhook parity) | `--image/-i <digest>` (repeatable, comma/space lists supported)<br>`--file/-f <path>`<br>`--namespace/--ns <name>`<br>`--label/-l key=value` (repeatable)<br>`--json` | Posts to `POST /api/v1/scanner/policy/runtime`, deduplicates image digests, and prints TTL/policy revision plus per-image columns for signed state, SBOM referrers, quieted-by metadata, confidence, Rekor attestation (uuid + verified flag), and recently observed build IDs (shortened for readability). Accepts newline/whitespace-delimited stdin when piped; `--json` emits the raw response without additional logging. |
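Review bot: the `proof verify` row advertises `--offline` alongside "checks Rekor entries" and "exit code 0 (pass)" as a CI/CD signal, but does not say how Rekor checks behave without network access (skipped, or satisfied from a bundled inclusion proof); since a CI gate may treat 0 as fully verified, state whether an offline run can return 0 without Rekor verification, and do the same for `score verify --offline`. Minor: the `unknowns resolve` row lists the allowed `--resolution` outcomes but not whether `--reason` is required, while the neighbouring `unknowns escalate` row leaves the same question open; marking it consistently in both rows would help.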
@@ -1201,7 +1208,8 @@ These stay in *Feature Matrix → To Do* until design is frozen.
## 9 Changelog (truncated)
* **20250714** added *delta SBOM*, policy import/export, CLI `--sbom-type`.
* **2025-12-20** Sprint 3500.0004.0001: Added `score replay|bundle|verify`, `unknowns list|escalate|resolve`, `scan graph` commands; extended offline bundle format with reachability/corpus directories.
* **20250714** added *delta SBOM*, policy import/export, CLI `--sbom-type`.
* **20250712** initial public reference.
---
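Review bot: after this hunk the changelog lists the `**20250714**` entry twice (before and after the new Sprint 3500.0004.0001 line), so one of the two copies should go, and the new entry breaks the ordering by sitting between two older entries. The new line also uses `2025-12-20` where the existing entries use the `20250714` form; pick one date format for the list.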