stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save progress

Browse Source
This commit is contained in:
StellaOps Bot
2026-01-02 15:52:31 +02:00
parent 2dec7e6a04
commit f46bde5575
174 changed files with 20793 additions and 8307 deletions
Download Patch File Download Diff File Expand all files Collapse all files

316
docs/implplan/ROADMAP_20260102_advisory_gap_closure.md Normal file
View File

@@ -0,0 +1,316 @@
# Implementation Roadmap: Product Advisory Gap Closure
**Document ID:** ROADMAP_20260102_advisory_gap_closure
**Created:** 2026-01-02
**Status:** APPROVED FOR IMPLEMENTATION
## Executive Summary
Analysis of 7 unprocessed product advisories revealed significant gaps in three areas:
1. **Binary-Level Patch Verification** - Detecting backported fixes at the code level
2. **Supply Chain Provenance** - in-toto link generation for SLSA compliance
3. **VEX Verdict Explainability** - Full proof objects for audit trails
This roadmap consolidates these gaps into 4 implementation sprints spanning 9-14 weeks.
## Advisory Analysis Summary
### Advisories Reviewed
| Date | Advisory | Theme | Status |
|------|----------|-------|--------|
| 02-Dec-2025 | Designing offline DSSE + in-toto attestations | Provenance | Gap identified |
| 02-Dec-2025 | Handle RPM versions with EVR tuples | Version comparison | **FULLY IMPLEMENTED** |
| 02-Dec-2025 | Snapshot advisories for time-aware verdicts | Reproducibility | **FULLY IMPLEMENTED** |
| 30-Dec-2025 | Binary Diff Signatures for Patch Detection | Binary analysis | Gap identified |
| 30-Dec-2025 | Building a Golden Set for Patch Validation | Testing | Gap identified |
| 30-Dec-2025 | Designing a Deterministic VEX Resolver | VEX consensus | Partial gap |
| 30-Dec-2025 | Evidence-Gated AI Explanations | AI UX | **FULLY IMPLEMENTED** |
### Key Finding
**3 of 7 advisories are already fully implemented** (RPM EVR, Time-aware snapshots, Evidence-gated AI). The remaining gaps are addressable in 4 sprints.
## Implementation Roadmap
```
Week 1-2 Week 3-4 Week 5-6 Week 7-8 Week 9-10 Week 11-12 Week 13-14
│ │ │ │ │ │ │
▼──────────▼──────────▼──────────▼ │ │ │
╔═══════════════════════════════════════════╗ │ │
║ SPRINT 001: Binary Delta Signatures ║ │ │
║ • B2R2 disassembly integration ║ │ │
║ • Instruction normalization ║ │ │
║ • Delta signature generation ║ │ │
║ • CLI: stella deltasig ║ │ │
╚═══════════════════════════════════════════╝ │ │
│ │ │
▼─────────────────────▼ │
╔═════════════════════════════════╗
║ SPRINT 002: in-toto Links ║
║ • Link recorder service ║
║ • Layout verifier ║
║ • Scanner integration ║
╚═════════════════════════════════╝
│ │
▼───────────▼
╔═══════════════════════╗
║ SPRINT 003: VEX ║
║ Proof Objects ║
║ • Proof schema ║
║ • Propagation rules ║
║ • Condition eval ║
╚═══════════════════════╝
╔═══════════════════════╗
║ SPRINT 004: Polish ║
║ • CycloneDX 1.7 ║
║ • Shuffle tests ║
║ • Golden corpus ║
╚═══════════════════════╝
```
## Sprint Details
### Sprint 001: Binary Delta Signatures
| Attribute | Value |
|-----------|-------|
| **ID** | SPRINT_20260102_001_BE |
| **Duration** | 4-6 weeks |
| **Working Dir** | `src/BinaryIndex/` |
| **Key Deliverable** | `stella deltasig` CLI with B2R2-powered binary analysis |
**Why This Matters:**
- Competitors trust version strings; we provide **cryptographic proof** of fix presence
- Eliminates false positives from distro backports
- Major competitive differentiator
**Key Technical Decisions:**
- **Disassembler:** B2R2 (fully managed .NET, MIT license, multi-arch)
- **Storage:** PostgreSQL `binaryindex.delta_signature` table
- **Distribution:** Offline signature packs (ZIP) for air-gapped environments
**Success Criteria:**
- [ ] Extract normalized hashes from ELF binaries (x86-64, ARM64)
- [ ] Author signatures from vulnerable/patched binary pairs
- [ ] Match binaries against signature database
- [ ] Detect Heartbleed backport in RHEL 6 OpenSSL (golden test)
---
### Sprint 002: in-toto Link Generation
| Attribute | Value |
|-----------|-------|
| **ID** | SPRINT_20260102_002_BE |
| **Duration** | 2-3 weeks |
| **Working Dir** | `src/Attestor/` |
| **Key Deliverable** | `ILinkRecorder` service with Scanner integration |
**Why This Matters:**
- SLSA compliance requires provenance attestations
- Supply chain transparency for audit trails
- Foundation for layout-based policy enforcement
**Key Technical Decisions:**
- **Predicate Format:** in-toto Link v1 per spec
- **Envelope:** DSSE (existing infrastructure)
- **Verification:** Layout verification is optional (Phase 2)
**Success Criteria:**
- [ ] Record scan operations as in-toto links
- [ ] Sign links with existing DSSE infrastructure
- [ ] Verify link signatures offline
- [ ] Basic layout verification (single step)
---
### Sprint 003: VEX Proof Objects & Propagation
| Attribute | Value |
|-----------|-------|
| **ID** | SPRINT_20260102_003_BE |
| **Duration** | 2-3 weeks |
| **Working Dir** | `src/VexLens/`, `src/Policy/` |
| **Key Deliverable** | Full proof objects alongside VEX verdicts |
**Why This Matters:**
- Audit requirement: explain every verdict
- Reproducibility: same inputs → same outputs
- Trust: show your work
**Key Technical Decisions:**
- **Proof Schema:** `stellaops.vex-proof.v1` with digest
- **Propagation:** Configurable rules via policy
- **Conditions:** Platform, distro, features, build flags
**Success Criteria:**
- [ ] Every verdict includes proof object
- [ ] Proof contains all inputs, merge steps, graph paths
- [ ] Propagation rules documented and tested
- [ ] Condition evaluation handles Unknown explicitly
---
### Sprint 004: Polish & Testing
| Attribute | Value |
|-----------|-------|
| **ID** | SPRINT_20260102_004_BE |
| **Duration** | 1-2 weeks |
| **Working Dir** | Various |
| **Key Deliverable** | Complete test coverage, CycloneDX 1.7, golden corpus |
**Why This Matters:**
- Confidence in determinism claims
- Industry standard compliance (CycloneDX 1.7)
- Regression prevention
**Key Technical Decisions:**
- **Shuffle Tests:** 1000 random permutations for large sets
- **Golden Corpus:** Top 20 backport cases from advisory
- **CycloneDX:** Full analysis.state/justification mapping
**Success Criteria:**
- [ ] Shuffle determinism tests pass for all consensus modes
- [ ] 20 golden backport cases in corpus
- [ ] CycloneDX 1.7 analysis fields fully mapped
- [ ] End-to-end regression suite in CI
---
## Resource Allocation
### New Projects Created
| Project | Sprint | Purpose |
|---------|--------|---------|
| `StellaOps.BinaryIndex.Disassembly` | 001 | B2R2 wrapper |
| `StellaOps.BinaryIndex.Normalization` | 001 | Instruction normalization |
| `StellaOps.BinaryIndex.DeltaSig` | 001 | Signature generation |
| `StellaOps.BinaryIndex.DeltaSig.Persistence` | 001 | PostgreSQL storage |
| `StellaOps.BinaryIndex.Cli` | 001 | CLI commands |
| `StellaOps.Attestor.InToto` | 002 | in-toto primitives |
### Dependencies Added
| Package | Version | License | Sprint |
|---------|---------|---------|--------|
| B2R2.FrontEnd.API | 0.9.1+ | MIT | 001 |
### Database Migrations
| Schema | Table | Sprint |
|--------|-------|--------|
| `binaryindex` | `delta_signature` | 001 |
| `binaryindex` | `signature_pack` | 001 |
| `binaryindex` | `signature_pack_entry` | 001 |
---
## Risk Register
| ID | Risk | Probability | Impact | Mitigation |
|----|------|-------------|--------|------------|
| R-001 | B2R2 F# learning curve | Medium | Low | Thin C# wrapper, team training |
| R-002 | Compiler optimization variance | High | Medium | Rolling chunk hashes, multiple variants |
| R-003 | Golden corpus curation effort | Medium | Low | Start with 20, expand iteratively |
| R-004 | Proof object size bloat | Low | Medium | Optional compression, summary mode |
| R-005 | in-toto layout complexity | Medium | Low | Defer complex layouts to Phase 2 |
---
## Definition of Done
### Sprint 001 (Binary Delta Signatures)
- [ ] B2R2 integration tests pass
- [ ] Normalization property tests pass
- [ ] `stella deltasig extract` works on real ELF
- [ ] `stella deltasig match` detects Heartbleed backport
- [ ] Documentation in AGENTS.md
### Sprint 002 (in-toto Links)
- [ ] Link recorder unit tests pass
- [ ] Scanner emits links for scans
- [ ] Links are DSSE-signed
- [ ] Basic layout verification works
- [ ] Integration test with Rekor
### Sprint 003 (VEX Proofs)
- [ ] Proof objects emitted for all verdicts
- [ ] Proof digest computation is deterministic
- [ ] Propagation rules tested
- [ ] Condition evaluator handles all cases
- [ ] Shuffle determinism tests pass (preview)
### Sprint 004 (Polish)
- [ ] CycloneDX 1.7 tests pass
- [ ] All shuffle determinism tests pass
- [ ] 20 golden corpus cases loaded
- [ ] End-to-end regression in CI
- [ ] All documentation updated
---
## Approval
| Role | Name | Date | Signature |
|------|------|------|-----------|
| Product Manager | | | |
| Tech Lead | | | |
| Security Review | | | |
---
## Related Documents
- [SPRINT_20260102_001_BE_binary_delta_signatures.md](./SPRINT_20260102_001_BE_binary_delta_signatures.md)
- [SPRINT_20260102_002_BE_intoto_link_generation.md](./SPRINT_20260102_002_BE_intoto_link_generation.md)
- [SPRINT_20260102_003_BE_vex_proof_objects.md](./SPRINT_20260102_003_BE_vex_proof_objects.md)
- [SPRINT_20260102_004_BE_polish_and_testing.md](./SPRINT_20260102_004_BE_polish_and_testing.md)
## Appendix A: What Was Already Implemented
The following advisory items required **no new implementation**:
### RPM EVR Comparison (Advisory: Handle RPM versions with EVR tuples)
**Status:** Fully implemented in `StellaOps.VersionComparison`
- `RpmVersionComparer` with proper rpmvercmp semantics
- NEVRA parsing with 32 known architectures
- DPKG and APK comparers
- 43+ unit tests, property tests, golden file tests, integration tests
### Time-Aware Snapshots (Advisory: Snapshot advisories for time-aware verdicts)
**Status:** Fully implemented in `StellaOps.Replay.Core` and `StellaOps.Concelier`
- Atomic feed snapshots with composite digests
- Point-in-time replay via `AdvisoryEventLog.ReplayAsync(asOf)`
- RFC 8785 JCS canonicalization
- Air-gapped time anchors and staleness budgets
- REST API for snapshot management
### Evidence-Gated AI (Advisory: Evidence-Gated AI Explanations)
**Status:** Fully implemented in `StellaOps.Signals`, `StellaOps.Policy`, `StellaOps.AdvisoryAI`
- 6-dimensional evidence bucket scoring
- Confidence tiers (VeryHigh, High, Medium, Low, VeryLow)
- AI consent gating (`AiConsentGateComponent`)
- Citation verification (≥80% = EvidenceBacked)
- Fill-the-gaps UI components
- Environment-based thresholds
## Appendix B: Task Count Summary
| Sprint | Task Count | Complexity |
|--------|------------|------------|
| 001 - Binary Delta Signatures | 43 tasks | High |
| 002 - in-toto Links | 25 tasks | Medium |
| 003 - VEX Proofs | 30 tasks | Medium |
| 004 - Polish & Testing | 21 tasks | Low-Medium |
| **Total** | **119 tasks** | |

246
docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md
View File

@@ -46,10 +46,10 @@ Bulk task definitions (applies to every project row below):
| 24 | AUDIT-0008-A | DONE | Applied + tests | Guild | src/Tools/LanguageAnalyzerSmoke/LanguageAnalyzerSmoke.csproj - APPLY |
| 25 | AUDIT-0009-M | DONE | Report | Guild | src/Findings/StellaOps.Findings.Ledger/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - MAINT |
| 26 | AUDIT-0009-T | DONE | Report | Guild | src/Findings/StellaOps.Findings.Ledger/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - TEST |
| 27 | AUDIT-0009-A | TODO | Approval | Guild | src/Findings/StellaOps.Findings.Ledger/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - APPLY |
| 27 | AUDIT-0009-A | DONE | Approval | Guild | src/Findings/StellaOps.Findings.Ledger/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - APPLY |
| 28 | AUDIT-0010-M | DONE | Report | Guild | src/Findings/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - MAINT |
| 29 | AUDIT-0010-T | DONE | Report | Guild | src/Findings/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - TEST |
| 30 | AUDIT-0010-A | TODO | Approval | Guild | src/Findings/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - APPLY |
| 30 | AUDIT-0010-A | DONE | Approval | Guild | src/Findings/tools/LedgerReplayHarness/LedgerReplayHarness.csproj - APPLY |
| 31 | AUDIT-0011-M | DONE | Report | Guild | src/Tools/NotifySmokeCheck/NotifySmokeCheck.csproj - MAINT |
| 32 | AUDIT-0011-T | DONE | Report | Guild | src/Tools/NotifySmokeCheck/NotifySmokeCheck.csproj - TEST |
| 33 | AUDIT-0011-A | DONE | Applied + tests | Guild | src/Tools/NotifySmokeCheck/NotifySmokeCheck.csproj - APPLY |
@@ -97,22 +97,22 @@ Bulk task definitions (applies to every project row below):
| 75 | AUDIT-0025-A | DONE | Waived (test project) | Guild | src/AirGap/__Tests/StellaOps.AirGap.Controller.Tests/StellaOps.AirGap.Controller.Tests.csproj - APPLY |
| 76 | AUDIT-0026-M | DONE | Report | Guild | src/AirGap/StellaOps.AirGap.Importer/StellaOps.AirGap.Importer.csproj - MAINT |
| 77 | AUDIT-0026-T | DONE | Report | Guild | src/AirGap/StellaOps.AirGap.Importer/StellaOps.AirGap.Importer.csproj - TEST |
| 78 | AUDIT-0026-A | TODO | Approval | Guild | src/AirGap/StellaOps.AirGap.Importer/StellaOps.AirGap.Importer.csproj - APPLY |
| 78 | AUDIT-0026-A | DOING | Approval | Guild | src/AirGap/StellaOps.AirGap.Importer/StellaOps.AirGap.Importer.csproj - APPLY |
| 79 | AUDIT-0027-M | DONE | Report | Guild | src/AirGap/__Tests/StellaOps.AirGap.Importer.Tests/StellaOps.AirGap.Importer.Tests.csproj - MAINT |
| 80 | AUDIT-0027-T | DONE | Report | Guild | src/AirGap/__Tests/StellaOps.AirGap.Importer.Tests/StellaOps.AirGap.Importer.Tests.csproj - TEST |
| 81 | AUDIT-0027-A | DONE | Waived (test project) | Guild | src/AirGap/__Tests/StellaOps.AirGap.Importer.Tests/StellaOps.AirGap.Importer.Tests.csproj - APPLY |
| 82 | AUDIT-0028-M | DONE | Report | Guild | src/AirGap/__Libraries/StellaOps.AirGap.Persistence/StellaOps.AirGap.Persistence.csproj - MAINT |
| 83 | AUDIT-0028-T | DONE | Report | Guild | src/AirGap/__Libraries/StellaOps.AirGap.Persistence/StellaOps.AirGap.Persistence.csproj - TEST |
| 84 | AUDIT-0028-A | TODO | Approval | Guild | src/AirGap/__Libraries/StellaOps.AirGap.Persistence/StellaOps.AirGap.Persistence.csproj - APPLY |
| 84 | AUDIT-0028-A | DONE | Applied schema + determinism fixes | Guild | src/AirGap/__Libraries/StellaOps.AirGap.Persistence/StellaOps.AirGap.Persistence.csproj - APPLY |
| 85 | AUDIT-0029-M | DONE | Report | Guild | src/AirGap/__Tests/StellaOps.AirGap.Persistence.Tests/StellaOps.AirGap.Persistence.Tests.csproj - MAINT |
| 86 | AUDIT-0029-T | DONE | Report | Guild | src/AirGap/__Tests/StellaOps.AirGap.Persistence.Tests/StellaOps.AirGap.Persistence.Tests.csproj - TEST |
| 87 | AUDIT-0029-A | DONE | Waived (test project) | Guild | src/AirGap/__Tests/StellaOps.AirGap.Persistence.Tests/StellaOps.AirGap.Persistence.Tests.csproj - APPLY |
| 88 | AUDIT-0030-M | DONE | Report | Guild | src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.csproj - MAINT |
| 89 | AUDIT-0030-T | DONE | Report | Guild | src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.csproj - TEST |
| 90 | AUDIT-0030-A | TODO | Approval | Guild | src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.csproj - APPLY |
| 90 | AUDIT-0030-A | DONE | Applied reloadable policy + allowlist de-dup + client factory overload | Guild | src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.csproj - APPLY |
| 91 | AUDIT-0031-M | DONE | Report | Guild | src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Analyzers/StellaOps.AirGap.Policy.Analyzers.csproj - MAINT |
| 92 | AUDIT-0031-T | DONE | Report | Guild | src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Analyzers/StellaOps.AirGap.Policy.Analyzers.csproj - TEST |
| 93 | AUDIT-0031-A | TODO | Approval | Guild | src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Analyzers/StellaOps.AirGap.Policy.Analyzers.csproj - APPLY |
| 93 | AUDIT-0031-A | DONE | Applied analyzer symbol match + code-fix handler preservation | Guild | src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Analyzers/StellaOps.AirGap.Policy.Analyzers.csproj - APPLY |
| 94 | AUDIT-0032-M | DONE | Report | Guild | src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Analyzers.Tests/StellaOps.AirGap.Policy.Analyzers.Tests.csproj - MAINT |
| 95 | AUDIT-0032-T | DONE | Report | Guild | src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Analyzers.Tests/StellaOps.AirGap.Policy.Analyzers.Tests.csproj - TEST |
| 96 | AUDIT-0032-A | DONE | Waived (test project) | Guild | src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Analyzers.Tests/StellaOps.AirGap.Policy.Analyzers.Tests.csproj - APPLY |
@@ -121,22 +121,22 @@ Bulk task definitions (applies to every project row below):
| 99 | AUDIT-0033-A | DONE | Waived (test project) | Guild | src/AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.Tests/StellaOps.AirGap.Policy.Tests.csproj - APPLY |
| 100 | AUDIT-0034-M | DONE | Report | Guild | src/AirGap/StellaOps.AirGap.Time/StellaOps.AirGap.Time.csproj - MAINT |
| 101 | AUDIT-0034-T | DONE | Report | Guild | src/AirGap/StellaOps.AirGap.Time/StellaOps.AirGap.Time.csproj - TEST |
| 102 | AUDIT-0034-A | TODO | Approval | Guild | src/AirGap/StellaOps.AirGap.Time/StellaOps.AirGap.Time.csproj - APPLY |
| 102 | AUDIT-0034-A | DONE | Applied time-provider wiring, options reload, and trust-root/roughtime hardening | Guild | src/AirGap/StellaOps.AirGap.Time/StellaOps.AirGap.Time.csproj - APPLY |
| 103 | AUDIT-0035-M | DONE | Report | Guild | src/AirGap/__Tests/StellaOps.AirGap.Time.Tests/StellaOps.AirGap.Time.Tests.csproj - MAINT |
| 104 | AUDIT-0035-T | DONE | Report | Guild | src/AirGap/__Tests/StellaOps.AirGap.Time.Tests/StellaOps.AirGap.Time.Tests.csproj - TEST |
| 105 | AUDIT-0035-A | DONE | Waived (test project) | Guild | src/AirGap/__Tests/StellaOps.AirGap.Time.Tests/StellaOps.AirGap.Time.Tests.csproj - APPLY |
| 106 | AUDIT-0036-M | DONE | Report | Guild | src/Aoc/__Libraries/StellaOps.Aoc/StellaOps.Aoc.csproj - MAINT |
| 107 | AUDIT-0036-T | DONE | Report | Guild | src/Aoc/__Libraries/StellaOps.Aoc/StellaOps.Aoc.csproj - TEST |
| 108 | AUDIT-0036-A | TODO | Approval | Guild | src/Aoc/__Libraries/StellaOps.Aoc/StellaOps.Aoc.csproj - APPLY |
| 108 | AUDIT-0036-A | DONE | Applied error-code fixes and guard validation hardening | Guild | src/Aoc/__Libraries/StellaOps.Aoc/StellaOps.Aoc.csproj - APPLY |
| 109 | AUDIT-0037-M | DONE | Report | Guild | src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/StellaOps.Aoc.Analyzers.csproj - MAINT |
| 110 | AUDIT-0037-T | DONE | Report | Guild | src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/StellaOps.Aoc.Analyzers.csproj - TEST |
| 111 | AUDIT-0037-A | TODO | Approval | Guild | src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/StellaOps.Aoc.Analyzers.csproj - APPLY |
| 111 | AUDIT-0037-A | DONE | Applied ingestion markers, guard-scope, and DB detection fixes | Guild | src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/StellaOps.Aoc.Analyzers.csproj - APPLY |
| 112 | AUDIT-0038-M | DONE | Report | Guild | src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj - MAINT |
| 113 | AUDIT-0038-T | DONE | Report | Guild | src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj - TEST |
| 114 | AUDIT-0038-A | DONE | Waived (test project) | Guild | src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj - APPLY |
| 115 | AUDIT-0039-M | DONE | Report | Guild | src/Aoc/__Libraries/StellaOps.Aoc.AspNetCore/StellaOps.Aoc.AspNetCore.csproj - MAINT |
| 116 | AUDIT-0039-T | DONE | Report | Guild | src/Aoc/__Libraries/StellaOps.Aoc.AspNetCore/StellaOps.Aoc.AspNetCore.csproj - TEST |
| 117 | AUDIT-0039-A | TODO | Approval | Guild | src/Aoc/__Libraries/StellaOps.Aoc.AspNetCore/StellaOps.Aoc.AspNetCore.csproj - APPLY |
| 117 | AUDIT-0039-A | DONE | Applied guard filter hardening and tests | Guild | src/Aoc/__Libraries/StellaOps.Aoc.AspNetCore/StellaOps.Aoc.AspNetCore.csproj - APPLY |
| 118 | AUDIT-0040-M | DONE | Report | Guild | src/Aoc/__Tests/StellaOps.Aoc.AspNetCore.Tests/StellaOps.Aoc.AspNetCore.Tests.csproj - MAINT |
| 119 | AUDIT-0040-T | DONE | Report | Guild | src/Aoc/__Tests/StellaOps.Aoc.AspNetCore.Tests/StellaOps.Aoc.AspNetCore.Tests.csproj - TEST |
| 120 | AUDIT-0040-A | DONE | Waived (test project) | Guild | src/Aoc/__Tests/StellaOps.Aoc.AspNetCore.Tests/StellaOps.Aoc.AspNetCore.Tests.csproj - APPLY |
@@ -148,13 +148,13 @@ Bulk task definitions (applies to every project row below):
| 126 | AUDIT-0042-A | DONE | Waived (test project) | Guild | src/__Tests/architecture/StellaOps.Architecture.Tests/StellaOps.Architecture.Tests.csproj - APPLY |
| 127 | AUDIT-0043-M | DONE | Report | Guild | src/Attestor/StellaOps.Attestation/StellaOps.Attestation.csproj - MAINT |
| 128 | AUDIT-0043-T | DONE | Report | Guild | src/Attestor/StellaOps.Attestation/StellaOps.Attestation.csproj - TEST |
| 129 | AUDIT-0043-A | TODO | Approval | Guild | src/Attestor/StellaOps.Attestation/StellaOps.Attestation.csproj - APPLY |
| 129 | AUDIT-0043-A | DONE | Applied DSSE PAE alignment + base64 validation | Guild | src/Attestor/StellaOps.Attestation/StellaOps.Attestation.csproj - APPLY |
| 130 | AUDIT-0044-M | DONE | Report | Guild | src/Attestor/StellaOps.Attestation.Tests/StellaOps.Attestation.Tests.csproj - MAINT |
| 131 | AUDIT-0044-T | DONE | Report | Guild | src/Attestor/StellaOps.Attestation.Tests/StellaOps.Attestation.Tests.csproj - TEST |
| 132 | AUDIT-0044-A | DONE | Waived (test project) | Guild | src/Attestor/StellaOps.Attestation.Tests/StellaOps.Attestation.Tests.csproj - APPLY |
| 133 | AUDIT-0045-M | DONE | Report | Guild | src/Attestor/__Libraries/StellaOps.Attestor.Bundle/StellaOps.Attestor.Bundle.csproj - MAINT |
| 134 | AUDIT-0045-T | DONE | Report | Guild | src/Attestor/__Libraries/StellaOps.Attestor.Bundle/StellaOps.Attestor.Bundle.csproj - TEST |
| 135 | AUDIT-0045-A | TODO | Approval | Guild | src/Attestor/__Libraries/StellaOps.Attestor.Bundle/StellaOps.Attestor.Bundle.csproj - APPLY |
| 135 | AUDIT-0045-A | DONE | - | Guild | src/Attestor/__Libraries/StellaOps.Attestor.Bundle/StellaOps.Attestor.Bundle.csproj - APPLY |
| 136 | AUDIT-0046-M | DONE | Report | Guild | src/Attestor/__Tests/StellaOps.Attestor.Bundle.Tests/StellaOps.Attestor.Bundle.Tests.csproj - MAINT |
| 137 | AUDIT-0046-T | DONE | Report | Guild | src/Attestor/__Tests/StellaOps.Attestor.Bundle.Tests/StellaOps.Attestor.Bundle.Tests.csproj - TEST |
| 138 | AUDIT-0046-A | DONE | Waived (test project) | Guild | src/Attestor/__Tests/StellaOps.Attestor.Bundle.Tests/StellaOps.Attestor.Bundle.Tests.csproj - APPLY |
@@ -878,113 +878,113 @@ Bulk task definitions (applies to every project row below):
| 856 | AUDIT-0286-M | DONE | Report | Guild | src/__Libraries/__Tests/StellaOps.Evidence.Tests/StellaOps.Evidence.Tests.csproj - MAINT |
| 857 | AUDIT-0286-T | DONE | Report | Guild | src/__Libraries/__Tests/StellaOps.Evidence.Tests/StellaOps.Evidence.Tests.csproj - TEST |
| 858 | AUDIT-0286-A | TODO | Approval | Guild | src/__Libraries/__Tests/StellaOps.Evidence.Tests/StellaOps.Evidence.Tests.csproj - APPLY |
| 859 | AUDIT-0287-M | TODO | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.csproj - MAINT |
| 860 | AUDIT-0287-T | TODO | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.csproj - TEST |
| 859 | AUDIT-0287-M | DONE | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.csproj - MAINT |
| 860 | AUDIT-0287-T | DONE | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.csproj - TEST |
| 861 | AUDIT-0287-A | TODO | Approval | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.csproj - APPLY |
| 862 | AUDIT-0288-M | TODO | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/StellaOps.EvidenceLocker.Core.csproj - MAINT |
| 863 | AUDIT-0288-T | TODO | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/StellaOps.EvidenceLocker.Core.csproj - TEST |
| 862 | AUDIT-0288-M | DONE | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/StellaOps.EvidenceLocker.Core.csproj - MAINT |
| 863 | AUDIT-0288-T | DONE | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/StellaOps.EvidenceLocker.Core.csproj - TEST |
| 864 | AUDIT-0288-A | TODO | Approval | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/StellaOps.EvidenceLocker.Core.csproj - APPLY |
| 865 | AUDIT-0289-M | TODO | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/StellaOps.EvidenceLocker.Infrastructure.csproj - MAINT |
| 866 | AUDIT-0289-T | TODO | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/StellaOps.EvidenceLocker.Infrastructure.csproj - TEST |
| 865 | AUDIT-0289-M | DONE | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/StellaOps.EvidenceLocker.Infrastructure.csproj - MAINT |
| 866 | AUDIT-0289-T | DONE | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/StellaOps.EvidenceLocker.Infrastructure.csproj - TEST |
| 867 | AUDIT-0289-A | TODO | Approval | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/StellaOps.EvidenceLocker.Infrastructure.csproj - APPLY |
| 868 | AUDIT-0290-M | TODO | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj - MAINT |
| 869 | AUDIT-0290-T | TODO | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj - TEST |
| 868 | AUDIT-0290-M | DONE | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj - MAINT |
| 869 | AUDIT-0290-T | DONE | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj - TEST |
| 870 | AUDIT-0290-A | DONE | Waived (test project) | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj - APPLY |
| 871 | AUDIT-0291-M | TODO | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.csproj - MAINT |
| 872 | AUDIT-0291-T | TODO | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.csproj - TEST |
| 871 | AUDIT-0291-M | DONE | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.csproj - MAINT |
| 872 | AUDIT-0291-T | DONE | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.csproj - TEST |
| 873 | AUDIT-0291-A | TODO | Approval | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.csproj - APPLY |
| 874 | AUDIT-0292-M | TODO | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/StellaOps.EvidenceLocker.Worker.csproj - MAINT |
| 875 | AUDIT-0292-T | TODO | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/StellaOps.EvidenceLocker.Worker.csproj - TEST |
| 874 | AUDIT-0292-M | DONE | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/StellaOps.EvidenceLocker.Worker.csproj - MAINT |
| 875 | AUDIT-0292-T | DONE | Report | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/StellaOps.EvidenceLocker.Worker.csproj - TEST |
| 876 | AUDIT-0292-A | TODO | Approval | Guild | src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/StellaOps.EvidenceLocker.Worker.csproj - APPLY |
| 877 | AUDIT-0293-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.ArtifactStores.S3/StellaOps.Excititor.ArtifactStores.S3.csproj - MAINT |
| 878 | AUDIT-0293-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.ArtifactStores.S3/StellaOps.Excititor.ArtifactStores.S3.csproj - TEST |
| 877 | AUDIT-0293-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.ArtifactStores.S3/StellaOps.Excititor.ArtifactStores.S3.csproj - MAINT |
| 878 | AUDIT-0293-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.ArtifactStores.S3/StellaOps.Excititor.ArtifactStores.S3.csproj - TEST |
| 879 | AUDIT-0293-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.ArtifactStores.S3/StellaOps.Excititor.ArtifactStores.S3.csproj - APPLY |
| 880 | AUDIT-0294-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.ArtifactStores.S3.Tests/StellaOps.Excititor.ArtifactStores.S3.Tests.csproj - MAINT |
| 881 | AUDIT-0294-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.ArtifactStores.S3.Tests/StellaOps.Excititor.ArtifactStores.S3.Tests.csproj - TEST |
| 880 | AUDIT-0294-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.ArtifactStores.S3.Tests/StellaOps.Excititor.ArtifactStores.S3.Tests.csproj - MAINT |
| 881 | AUDIT-0294-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.ArtifactStores.S3.Tests/StellaOps.Excititor.ArtifactStores.S3.Tests.csproj - TEST |
| 882 | AUDIT-0294-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.ArtifactStores.S3.Tests/StellaOps.Excititor.ArtifactStores.S3.Tests.csproj - APPLY |
| 883 | AUDIT-0295-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Attestation/StellaOps.Excititor.Attestation.csproj - MAINT |
| 884 | AUDIT-0295-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Attestation/StellaOps.Excititor.Attestation.csproj - TEST |
| 883 | AUDIT-0295-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Attestation/StellaOps.Excititor.Attestation.csproj - MAINT |
| 884 | AUDIT-0295-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Attestation/StellaOps.Excititor.Attestation.csproj - TEST |
| 885 | AUDIT-0295-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Attestation/StellaOps.Excititor.Attestation.csproj - APPLY |
| 886 | AUDIT-0296-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Attestation.Tests/StellaOps.Excititor.Attestation.Tests.csproj - MAINT |
| 887 | AUDIT-0296-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Attestation.Tests/StellaOps.Excititor.Attestation.Tests.csproj - TEST |
| 886 | AUDIT-0296-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Attestation.Tests/StellaOps.Excititor.Attestation.Tests.csproj - MAINT |
| 887 | AUDIT-0296-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Attestation.Tests/StellaOps.Excititor.Attestation.Tests.csproj - TEST |
| 888 | AUDIT-0296-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.Attestation.Tests/StellaOps.Excititor.Attestation.Tests.csproj - APPLY |
| 889 | AUDIT-0297-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/StellaOps.Excititor.Connectors.Abstractions.csproj - MAINT |
| 890 | AUDIT-0297-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/StellaOps.Excititor.Connectors.Abstractions.csproj - TEST |
| 889 | AUDIT-0297-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/StellaOps.Excititor.Connectors.Abstractions.csproj - MAINT |
| 890 | AUDIT-0297-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/StellaOps.Excititor.Connectors.Abstractions.csproj - TEST |
| 891 | AUDIT-0297-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/StellaOps.Excititor.Connectors.Abstractions.csproj - APPLY |
| 892 | AUDIT-0298-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/StellaOps.Excititor.Connectors.Cisco.CSAF.csproj - MAINT |
| 893 | AUDIT-0298-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/StellaOps.Excititor.Connectors.Cisco.CSAF.csproj - TEST |
| 892 | AUDIT-0298-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/StellaOps.Excititor.Connectors.Cisco.CSAF.csproj - MAINT |
| 893 | AUDIT-0298-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/StellaOps.Excititor.Connectors.Cisco.CSAF.csproj - TEST |
| 894 | AUDIT-0298-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/StellaOps.Excititor.Connectors.Cisco.CSAF.csproj - APPLY |
| 895 | AUDIT-0299-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Cisco.CSAF.Tests/StellaOps.Excititor.Connectors.Cisco.CSAF.Tests.csproj - MAINT |
| 896 | AUDIT-0299-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Cisco.CSAF.Tests/StellaOps.Excititor.Connectors.Cisco.CSAF.Tests.csproj - TEST |
| 895 | AUDIT-0299-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Cisco.CSAF.Tests/StellaOps.Excititor.Connectors.Cisco.CSAF.Tests.csproj - MAINT |
| 896 | AUDIT-0299-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Cisco.CSAF.Tests/StellaOps.Excititor.Connectors.Cisco.CSAF.Tests.csproj - TEST |
| 897 | AUDIT-0299-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Cisco.CSAF.Tests/StellaOps.Excititor.Connectors.Cisco.CSAF.Tests.csproj - APPLY |
| 898 | AUDIT-0300-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/StellaOps.Excititor.Connectors.MSRC.CSAF.csproj - MAINT |
| 899 | AUDIT-0300-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/StellaOps.Excititor.Connectors.MSRC.CSAF.csproj - TEST |
| 898 | AUDIT-0300-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/StellaOps.Excititor.Connectors.MSRC.CSAF.csproj - MAINT |
| 899 | AUDIT-0300-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/StellaOps.Excititor.Connectors.MSRC.CSAF.csproj - TEST |
| 900 | AUDIT-0300-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/StellaOps.Excititor.Connectors.MSRC.CSAF.csproj - APPLY |
| 901 | AUDIT-0301-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.MSRC.CSAF.Tests/StellaOps.Excititor.Connectors.MSRC.CSAF.Tests.csproj - MAINT |
| 902 | AUDIT-0301-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.MSRC.CSAF.Tests/StellaOps.Excititor.Connectors.MSRC.CSAF.Tests.csproj - TEST |
| 901 | AUDIT-0301-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.MSRC.CSAF.Tests/StellaOps.Excititor.Connectors.MSRC.CSAF.Tests.csproj - MAINT |
| 902 | AUDIT-0301-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.MSRC.CSAF.Tests/StellaOps.Excititor.Connectors.MSRC.CSAF.Tests.csproj - TEST |
| 903 | AUDIT-0301-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.MSRC.CSAF.Tests/StellaOps.Excititor.Connectors.MSRC.CSAF.Tests.csproj - APPLY |
| 904 | AUDIT-0302-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.csproj - MAINT |
| 905 | AUDIT-0302-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.csproj - TEST |
| 904 | AUDIT-0302-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.csproj - MAINT |
| 905 | AUDIT-0302-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.csproj - TEST |
| 906 | AUDIT-0302-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.csproj - APPLY |
| 907 | AUDIT-0303-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests.csproj - MAINT |
| 908 | AUDIT-0303-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests.csproj - TEST |
| 907 | AUDIT-0303-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests.csproj - MAINT |
| 908 | AUDIT-0303-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests.csproj - TEST |
| 909 | AUDIT-0303-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests.csproj - APPLY |
| 910 | AUDIT-0304-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/StellaOps.Excititor.Connectors.Oracle.CSAF.csproj - MAINT |
| 911 | AUDIT-0304-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/StellaOps.Excititor.Connectors.Oracle.CSAF.csproj - TEST |
| 910 | AUDIT-0304-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/StellaOps.Excititor.Connectors.Oracle.CSAF.csproj - MAINT |
| 911 | AUDIT-0304-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/StellaOps.Excititor.Connectors.Oracle.CSAF.csproj - TEST |
| 912 | AUDIT-0304-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/StellaOps.Excititor.Connectors.Oracle.CSAF.csproj - APPLY |
| 913 | AUDIT-0305-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Oracle.CSAF.Tests/StellaOps.Excititor.Connectors.Oracle.CSAF.Tests.csproj - MAINT |
| 914 | AUDIT-0305-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Oracle.CSAF.Tests/StellaOps.Excititor.Connectors.Oracle.CSAF.Tests.csproj - TEST |
| 913 | AUDIT-0305-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Oracle.CSAF.Tests/StellaOps.Excititor.Connectors.Oracle.CSAF.Tests.csproj - MAINT |
| 914 | AUDIT-0305-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Oracle.CSAF.Tests/StellaOps.Excititor.Connectors.Oracle.CSAF.Tests.csproj - TEST |
| 915 | AUDIT-0305-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Oracle.CSAF.Tests/StellaOps.Excititor.Connectors.Oracle.CSAF.Tests.csproj - APPLY |
| 916 | AUDIT-0306-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/StellaOps.Excititor.Connectors.RedHat.CSAF.csproj - MAINT |
| 917 | AUDIT-0306-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/StellaOps.Excititor.Connectors.RedHat.CSAF.csproj - TEST |
| 916 | AUDIT-0306-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/StellaOps.Excititor.Connectors.RedHat.CSAF.csproj - MAINT |
| 917 | AUDIT-0306-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/StellaOps.Excititor.Connectors.RedHat.CSAF.csproj - TEST |
| 918 | AUDIT-0306-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/StellaOps.Excititor.Connectors.RedHat.CSAF.csproj - APPLY |
| 919 | AUDIT-0307-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests.csproj - MAINT |
| 920 | AUDIT-0307-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests.csproj - TEST |
| 919 | AUDIT-0307-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests.csproj - MAINT |
| 920 | AUDIT-0307-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests.csproj - TEST |
| 921 | AUDIT-0307-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests/StellaOps.Excititor.Connectors.RedHat.CSAF.Tests.csproj - APPLY |
| 922 | AUDIT-0308-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.csproj - MAINT |
| 923 | AUDIT-0308-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.csproj - TEST |
| 922 | AUDIT-0308-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.csproj - MAINT |
| 923 | AUDIT-0308-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.csproj - TEST |
| 924 | AUDIT-0308-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.csproj - APPLY |
| 925 | AUDIT-0309-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests.csproj - MAINT |
| 926 | AUDIT-0309-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests.csproj - TEST |
| 925 | AUDIT-0309-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests.csproj - MAINT |
| 926 | AUDIT-0309-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests.csproj - TEST |
| 927 | AUDIT-0309-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests.csproj - APPLY |
| 928 | AUDIT-0310-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/StellaOps.Excititor.Connectors.Ubuntu.CSAF.csproj - MAINT |
| 929 | AUDIT-0310-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/StellaOps.Excititor.Connectors.Ubuntu.CSAF.csproj - TEST |
| 928 | AUDIT-0310-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/StellaOps.Excititor.Connectors.Ubuntu.CSAF.csproj - MAINT |
| 929 | AUDIT-0310-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/StellaOps.Excititor.Connectors.Ubuntu.CSAF.csproj - TEST |
| 930 | AUDIT-0310-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/StellaOps.Excititor.Connectors.Ubuntu.CSAF.csproj - APPLY |
| 931 | AUDIT-0311-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests/StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests.csproj - MAINT |
| 932 | AUDIT-0311-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests/StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests.csproj - TEST |
| 931 | AUDIT-0311-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests/StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests.csproj - MAINT |
| 932 | AUDIT-0311-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests/StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests.csproj - TEST |
| 933 | AUDIT-0311-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests/StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests.csproj - APPLY |
| 934 | AUDIT-0312-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core/StellaOps.Excititor.Core.csproj - MAINT |
| 935 | AUDIT-0312-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core/StellaOps.Excititor.Core.csproj - TEST |
| 934 | AUDIT-0312-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core/StellaOps.Excititor.Core.csproj - MAINT |
| 935 | AUDIT-0312-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core/StellaOps.Excititor.Core.csproj - TEST |
| 936 | AUDIT-0312-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core/StellaOps.Excititor.Core.csproj - APPLY |
| 937 | AUDIT-0313-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj - MAINT |
| 938 | AUDIT-0313-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj - TEST |
| 937 | AUDIT-0313-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj - MAINT |
| 938 | AUDIT-0313-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj - TEST |
| 939 | AUDIT-0313-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj - APPLY |
| 940 | AUDIT-0314-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Core.UnitTests/StellaOps.Excititor.Core.UnitTests.csproj - MAINT |
| 941 | AUDIT-0314-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Core.UnitTests/StellaOps.Excititor.Core.UnitTests.csproj - TEST |
| 940 | AUDIT-0314-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Core.UnitTests/StellaOps.Excititor.Core.UnitTests.csproj - MAINT |
| 941 | AUDIT-0314-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Core.UnitTests/StellaOps.Excititor.Core.UnitTests.csproj - TEST |
| 942 | AUDIT-0314-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.Core.UnitTests/StellaOps.Excititor.Core.UnitTests.csproj - APPLY |
| 943 | AUDIT-0315-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Export/StellaOps.Excititor.Export.csproj - MAINT |
| 944 | AUDIT-0315-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Export/StellaOps.Excititor.Export.csproj - TEST |
| 943 | AUDIT-0315-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Export/StellaOps.Excititor.Export.csproj - MAINT |
| 944 | AUDIT-0315-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Export/StellaOps.Excititor.Export.csproj - TEST |
| 945 | AUDIT-0315-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Export/StellaOps.Excititor.Export.csproj - APPLY |
| 946 | AUDIT-0316-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Export.Tests/StellaOps.Excititor.Export.Tests.csproj - MAINT |
| 947 | AUDIT-0316-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Export.Tests/StellaOps.Excititor.Export.Tests.csproj - TEST |
| 946 | AUDIT-0316-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Export.Tests/StellaOps.Excititor.Export.Tests.csproj - MAINT |
| 947 | AUDIT-0316-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Export.Tests/StellaOps.Excititor.Export.Tests.csproj - TEST |
| 948 | AUDIT-0316-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.Export.Tests/StellaOps.Excititor.Export.Tests.csproj - APPLY |
| 949 | AUDIT-0317-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/StellaOps.Excititor.Formats.CSAF.csproj - MAINT |
| 950 | AUDIT-0317-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/StellaOps.Excititor.Formats.CSAF.csproj - TEST |
| 949 | AUDIT-0317-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/StellaOps.Excititor.Formats.CSAF.csproj - MAINT |
| 950 | AUDIT-0317-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/StellaOps.Excititor.Formats.CSAF.csproj - TEST |
| 951 | AUDIT-0317-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/StellaOps.Excititor.Formats.CSAF.csproj - APPLY |
| 952 | AUDIT-0318-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.CSAF.Tests/StellaOps.Excititor.Formats.CSAF.Tests.csproj - MAINT |
| 953 | AUDIT-0318-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.CSAF.Tests/StellaOps.Excititor.Formats.CSAF.Tests.csproj - TEST |
| 952 | AUDIT-0318-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.CSAF.Tests/StellaOps.Excititor.Formats.CSAF.Tests.csproj - MAINT |
| 953 | AUDIT-0318-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.CSAF.Tests/StellaOps.Excititor.Formats.CSAF.Tests.csproj - TEST |
| 954 | AUDIT-0318-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.CSAF.Tests/StellaOps.Excititor.Formats.CSAF.Tests.csproj - APPLY |
| 955 | AUDIT-0319-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/StellaOps.Excititor.Formats.CycloneDX.csproj - MAINT |
| 956 | AUDIT-0319-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/StellaOps.Excititor.Formats.CycloneDX.csproj - TEST |
| 955 | AUDIT-0319-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/StellaOps.Excititor.Formats.CycloneDX.csproj - MAINT |
| 956 | AUDIT-0319-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/StellaOps.Excititor.Formats.CycloneDX.csproj - TEST |
| 957 | AUDIT-0319-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/StellaOps.Excititor.Formats.CycloneDX.csproj - APPLY |
| 958 | AUDIT-0320-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.CycloneDX.Tests/StellaOps.Excititor.Formats.CycloneDX.Tests.csproj - MAINT |
| 959 | AUDIT-0320-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.CycloneDX.Tests/StellaOps.Excititor.Formats.CycloneDX.Tests.csproj - TEST |
| 958 | AUDIT-0320-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.CycloneDX.Tests/StellaOps.Excititor.Formats.CycloneDX.Tests.csproj - MAINT |
| 959 | AUDIT-0320-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.CycloneDX.Tests/StellaOps.Excititor.Formats.CycloneDX.Tests.csproj - TEST |
| 960 | AUDIT-0320-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.CycloneDX.Tests/StellaOps.Excititor.Formats.CycloneDX.Tests.csproj - APPLY |
| 961 | AUDIT-0321-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/StellaOps.Excititor.Formats.OpenVEX.csproj - MAINT |
| 962 | AUDIT-0321-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/StellaOps.Excititor.Formats.OpenVEX.csproj - TEST |
| 961 | AUDIT-0321-M | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/StellaOps.Excititor.Formats.OpenVEX.csproj - MAINT |
| 962 | AUDIT-0321-T | DONE | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/StellaOps.Excititor.Formats.OpenVEX.csproj - TEST |
| 963 | AUDIT-0321-A | TODO | Approval | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/StellaOps.Excititor.Formats.OpenVEX.csproj - APPLY |
| 964 | AUDIT-0322-M | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.OpenVEX.Tests/StellaOps.Excititor.Formats.OpenVEX.Tests.csproj - MAINT |
| 965 | AUDIT-0322-T | TODO | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.OpenVEX.Tests/StellaOps.Excititor.Formats.OpenVEX.Tests.csproj - TEST |
| 964 | AUDIT-0322-M | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.OpenVEX.Tests/StellaOps.Excititor.Formats.OpenVEX.Tests.csproj - MAINT |
| 965 | AUDIT-0322-T | DONE | Report | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.OpenVEX.Tests/StellaOps.Excititor.Formats.OpenVEX.Tests.csproj - TEST |
| 966 | AUDIT-0322-A | DONE | Waived (test project) | Guild | src/Excititor/__Tests/StellaOps.Excititor.Formats.OpenVEX.Tests/StellaOps.Excititor.Formats.OpenVEX.Tests.csproj - APPLY |
| 967 | AUDIT-0323-M | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Persistence/StellaOps.Excititor.Persistence.csproj - MAINT |
| 968 | AUDIT-0323-T | TODO | Report | Guild | src/Excititor/__Libraries/StellaOps.Excititor.Persistence/StellaOps.Excititor.Persistence.csproj - TEST |
@@ -2160,6 +2160,83 @@ Bulk task definitions (applies to every project row below):
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-02 | Completed AUDIT-0034-A (AirGap.Time apply fixes) and updated tests. | Codex |
| 2026-01-02 | Completed AUDIT-0036-A (AOC guard library apply fixes) and updated tests. | Codex |
| 2026-01-02 | Completed AUDIT-0037-A (AOC analyzer apply fixes) and updated tests. | Codex |
| 2026-01-02 | Completed AUDIT-0039-A (AOC ASP.NET Core apply fixes) and updated tests. | Codex |
| 2026-01-02 | Completed AUDIT-0043-A (Attestation apply fixes) and updated tests. | Codex |
| 2026-01-02 | Created TASKS.md for Excititor Core library. | Planning |
| 2026-01-02 | Created AGENTS.md and TASKS.md for Excititor Core tests project. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0312; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0313; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created AGENTS.md and TASKS.md for Excititor Core unit tests project. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0314; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created TASKS.md for Excititor Export library. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0315; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created AGENTS.md and TASKS.md for Excititor Export tests project. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0316; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created TASKS.md for Excititor Formats CSAF library. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0317; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created AGENTS.md and TASKS.md for Excititor Formats CSAF tests project. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0318; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created TASKS.md for Excititor Formats CycloneDX library. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0319; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created AGENTS.md and TASKS.md for Excititor Formats CycloneDX tests project. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0320; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created TASKS.md for Excititor Formats OpenVEX library. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0321; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created AGENTS.md and TASKS.md for Excititor Formats OpenVEX tests project. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0322; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created TASKS.md for Excititor Connectors Ubuntu CSAF library. | Planning |
| 2026-01-02 | Created AGENTS.md and TASKS.md for Excititor Connectors Ubuntu CSAF tests project. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0310; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0311; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created TASKS.md for Excititor Connectors SUSE Rancher VEX Hub library. | Planning |
| 2026-01-02 | Created AGENTS.md and TASKS.md for Excititor Connectors SUSE Rancher VEX Hub tests project. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0308; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0309; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created TASKS.md for Excititor Connectors RedHat CSAF library. | Planning |
| 2026-01-02 | Created AGENTS.md and TASKS.md for Excititor Connectors RedHat CSAF tests project. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0306; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0307; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created TASKS.md for Excititor Connectors Oracle CSAF library. | Planning |
| 2026-01-02 | Created AGENTS.md and TASKS.md for Excititor Connectors Oracle CSAF tests project. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0304; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0305; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created TASKS.md for Excititor Connectors OCI OpenVEX Attest library. | Planning |
| 2026-01-02 | Created AGENTS.md and TASKS.md for Excititor Connectors OCI OpenVEX Attest tests project. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0302; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0303; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created TASKS.md for Excititor Connectors MSRC CSAF library. | Planning |
| 2026-01-02 | Created AGENTS.md and TASKS.md for Excititor Connectors MSRC CSAF tests project. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0300; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0301; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created AGENTS.md and TASKS.md for Excititor Connectors Cisco CSAF tests project. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0299; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Created TASKS.md for Excititor Connectors Cisco CSAF library. | Planning |
| 2026-01-02 | Completed MAINT/TEST audits for AUDIT-0298; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created TASKS.md for Excititor Connectors Abstractions library. | Planning |
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0297; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created AGENTS.md and TASKS.md for Excititor Attestation tests project. | Planning |
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0296; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created TASKS.md for Excititor Attestation library. | Planning |
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0295; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created AGENTS.md and TASKS.md for Excititor S3 Artifact Store tests project. | Planning |
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0294; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created AGENTS.md and TASKS.md for Excititor S3 Artifact Store library. | Planning |
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0293; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created AGENTS.md and TASKS.md for Evidence Locker Worker project. | Planning |
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0292; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created AGENTS.md and TASKS.md for Evidence Locker WebService project. | Planning |
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0291; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created AGENTS.md and TASKS.md for Evidence Locker Tests project. | Planning |
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0290; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created AGENTS.md and TASKS.md for Evidence Locker Infrastructure library. | Planning |
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0289; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created AGENTS.md and TASKS.md for Evidence Locker Core library. | Planning |
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0288; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created TASKS.md for Evidence Locker service. | Planning |
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0287; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created AGENTS.md and TASKS.md for Evidence tests. | Planning |
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0286; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created AGENTS.md and TASKS.md for Evidence Persistence tests. | Planning |
@@ -2483,6 +2560,7 @@ Bulk task definitions (applies to every project row below):
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0047 to AUDIT-0048; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created AGENTS.md and TASKS.md for Attestor bundle library and tests. | Planning |
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0045 to AUDIT-0046; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2026-01-02 | Completed AUDIT-0045-A (bundle validation, verifier hardening, tests). | Guild |
| 2025-12-30 | Created AGENTS.md and TASKS.md for architecture tests and attestation projects. | Planning |
| 2025-12-30 | Completed MAINT/TEST audits for AUDIT-0042 to AUDIT-0044; report updated in docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md. | Planning |
| 2025-12-30 | Created AGENTS.md and TASKS.md for AOC module and subprojects. | Planning |

311
docs/implplan/SPRINT_20251229_049_BE_csproj_audit_report.md
View File

File diff suppressed because one or more lines are too long

580
docs/implplan/SPRINT_20260102_001_BE_binary_delta_signatures.md Normal file
View File

@@ -0,0 +1,580 @@
# SPRINT_20260102_001_BE_binary_delta_signatures.md
## Sprint Overview
| Field | Value |
|-------|-------|
| **Sprint ID** | SPRINT_20260102_001_BE |
| **Title** | Binary Delta Signatures for Patch Detection |
| **Working Directory** | `src/BinaryIndex/` |
| **Duration** | 4-6 weeks |
| **Dependencies** | None (foundational sprint) |
| **Advisory Source** | `docs/product-advisories/30-Dec-2025 - Binary Diff Signatures for Patch Detection.md` |
## Problem Statement
Vulnerability scanners today rely on version string comparison to determine if a package is vulnerable. But Linux distributions (RHEL, Debian, Ubuntu, SUSE, Alpine) routinely **backport** security fixes into older versions without bumping the upstream version number.
**Example:** OpenSSL 1.0.1e on RHEL 6 has Heartbleed patched, but upstream says `1.0.1e < 1.0.1g` (the fix version), so scanners flag it as vulnerable. This is **wrong**.
**Solution:** Examine the compiled binary itself. Hash the normalized code of affected functions. Compare against known "patched" and "vulnerable" signatures. This provides **cryptographic proof** the fix is present.
## Technical Design
### Disassembly Engine Selection
**Chosen: B2R2** (fully managed .NET, MIT license)
Rationale:
- **Purely managed (.NET)** - no P/Invoke, runs anywhere .NET runs
- **Multi-format** - ELF, PE, Mach-O (covers Linux, Windows, macOS)
- **Multi-ISA** - x86-64, ARM64 (covers server + Apple Silicon + ARM servers)
- **MIT license** - compatible with AGPL-3.0
- **Lifting capability** - can convert to IR for semantic normalization
- **Performance** - Second fastest after Iced in benchmarks
NuGet: `B2R2.FrontEnd.API` (targets net9.0, compatible with net10.0)
### Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│ IDisassemblyEngine │
│ (abstraction over disassembly - hides F# from C# consumers) │
├─────────────────────────────────────────────────────────────────┤
│ B2R2DisassemblyEngine │ (future) IcedDisassemblyEngine │
│ - ELF/PE/Mach-O loading │ - x86-64 fast path only │
│ - x86-64 + ARM64 │ │
│ - IR lifting support │ │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ INormalizationPipeline │
│ Transforms raw instructions into deterministic, hashable form │
├─────────────────────────────────────────────────────────────────┤
│ Steps: │
│ 1. Apply relocations │
│ 2. Zero relocation targets / absolute addresses │
│ 3. Canonicalize NOP sleds → single NOP │
│ 4. Canonicalize PLT/GOT stubs → symbolic tokens │
│ 5. Normalize jump tables (relative deltas) │
│ 6. Zero padding bytes │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ IDeltaSignatureGenerator │
│ Produces deterministic signatures for functions/symbols │
├─────────────────────────────────────────────────────────────────┤
│ Outputs per symbol: │
│ - hash_hex (SHA-256 of normalized bytes) │
│ - size_bytes │
│ - cfg_bb_count (basic block count) │
│ - cfg_edge_hash (CFG structure hash) │
│ - chunk_hashes (rolling 2KB window hashes for resilience) │
└─────────────────────────────────────────────────────────────────┘
```
### Project Structure
```
src/BinaryIndex/
├── __Libraries/
│ ├── StellaOps.BinaryIndex.Disassembly/ # NEW - B2R2 wrapper
│ │ ├── IDisassemblyEngine.cs
│ │ ├── DisassembledInstruction.cs
│ │ ├── CodeRegion.cs
│ │ ├── BinaryInfo.cs
│ │ └── B2R2/
│ │ ├── B2R2DisassemblyEngine.cs
│ │ ├── B2R2InstructionMapper.cs
│ │ └── B2R2LiftingSupport.cs
│ │
│ ├── StellaOps.BinaryIndex.Normalization/ # NEW - Instruction normalization
│ │ ├── INormalizationPipeline.cs
│ │ ├── NormalizedFunction.cs
│ │ ├── NormalizationOptions.cs
│ │ ├── X64/
│ │ │ ├── X64NormalizationPipeline.cs
│ │ │ ├── X64AddressNormalizer.cs
│ │ │ ├── X64NopCanonicalizer.cs
│ │ │ └── X64PltGotNormalizer.cs
│ │ └── Arm64/
│ │ ├── Arm64NormalizationPipeline.cs
│ │ └── Arm64AddressNormalizer.cs
│ │
│ ├── StellaOps.BinaryIndex.DeltaSig/ # NEW - Delta signature logic
│ │ ├── IDeltaSignatureGenerator.cs
│ │ ├── DeltaSignature.cs
│ │ ├── SymbolSignature.cs
│ │ ├── SignatureRecipe.cs
│ │ ├── DeltaSignatureGenerator.cs
│ │ ├── DeltaSignatureMatcher.cs
│ │ └── Authoring/
│ │ ├── SignatureAuthoringService.cs
│ │ └── VulnPatchedPairExtractor.cs
│ │
│ ├── StellaOps.BinaryIndex.DeltaSig.Persistence/ # NEW - Storage
│ │ ├── IDeltaSignatureStore.cs
│ │ ├── DeltaSignatureEntity.cs
│ │ └── Postgres/
│ │ └── PostgresDeltaSignatureStore.cs
│ │
│ └── StellaOps.BinaryIndex.Fingerprints/ # EXISTING - extend
│ └── Generators/
│ └── BasicBlockFingerprintGenerator.cs # Refactor to use IDisassemblyEngine
├── __Tests/
│ ├── StellaOps.BinaryIndex.Disassembly.Tests/
│ │ ├── B2R2DisassemblyEngineTests.cs
│ │ ├── Fixtures/
│ │ │ ├── test_x64.elf # Small test ELF
│ │ │ ├── test_arm64.elf
│ │ │ └── test_x64.pe
│ │ └── Properties/
│ │ └── NormalizationPropertyTests.cs # FsCheck property tests
│ │
│ ├── StellaOps.BinaryIndex.DeltaSig.Tests/
│ │ ├── DeltaSignatureGeneratorTests.cs
│ │ ├── DeltaSignatureMatcherTests.cs
│ │ └── Golden/
│ │ └── openssl_heartbleed.golden.json # Known CVE signatures
│ │
│ └── StellaOps.BinaryIndex.Integration.Tests/
│ └── EndToEndDeltaSigTests.cs
└── StellaOps.BinaryIndex.Cli/ # NEW - CLI commands
├── Commands/
│ ├── ExtractCommand.cs
│ ├── AuthorCommand.cs
│ ├── SignCommand.cs
│ ├── VerifyCommand.cs
│ ├── MatchCommand.cs
│ ├── PackCommand.cs
│ └── InspectCommand.cs
└── Program.cs
```
### Database Schema
```sql
-- File: migrations/binaryindex/V001__delta_signatures.sql
CREATE SCHEMA IF NOT EXISTS binaryindex;
-- Delta signatures for CVE fixes
CREATE TABLE binaryindex.delta_signature (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-- CVE identification
cve_id VARCHAR(20) NOT NULL,
-- Package targeting
package_name VARCHAR(255) NOT NULL,
soname VARCHAR(255),
-- Architecture targeting
arch VARCHAR(20) NOT NULL, -- x86_64, aarch64
abi VARCHAR(20) NOT NULL DEFAULT 'gnu', -- gnu, musl, android
-- Normalization recipe (for reproducibility)
recipe_id VARCHAR(50) NOT NULL, -- e.g., 'elf.delta.norm.v1'
recipe_version VARCHAR(10) NOT NULL, -- e.g., '1.0.0'
-- Symbol-level signature
symbol_name VARCHAR(255) NOT NULL,
scope VARCHAR(20) NOT NULL DEFAULT '.text', -- .text, .rodata
-- The signature hash
hash_alg VARCHAR(20) NOT NULL DEFAULT 'sha256',
hash_hex VARCHAR(64) NOT NULL,
size_bytes INT NOT NULL,
-- Enhanced signature data (optional, for resilience)
cfg_bb_count INT,
cfg_edge_hash VARCHAR(64),
chunk_hashes JSONB, -- Array of {offset, size, hash}
-- State: 'vulnerable' or 'patched'
signature_state VARCHAR(20) NOT NULL, -- 'vulnerable', 'patched'
-- Provenance
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
attestation_dsse BYTEA, -- DSSE envelope (optional)
-- Metadata
metadata JSONB,
CONSTRAINT uq_delta_sig_key UNIQUE (
cve_id, package_name, arch, abi, symbol_name,
recipe_version, signature_state
)
);
-- Indexes for efficient lookup
CREATE INDEX idx_delta_sig_cve ON binaryindex.delta_signature(cve_id);
CREATE INDEX idx_delta_sig_pkg ON binaryindex.delta_signature(package_name, soname);
CREATE INDEX idx_delta_sig_hash ON binaryindex.delta_signature(hash_hex);
CREATE INDEX idx_delta_sig_state ON binaryindex.delta_signature(signature_state);
-- Signature packs (offline bundles)
CREATE TABLE binaryindex.signature_pack (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
pack_id VARCHAR(100) NOT NULL UNIQUE, -- e.g., 'stellaops-deltasig-2026-01'
schema_version VARCHAR(10) NOT NULL DEFAULT '1.0',
signature_count INT NOT NULL,
composite_digest VARCHAR(64) NOT NULL, -- SHA-256 of all signatures
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
attestation_dsse BYTEA,
metadata JSONB
);
-- Many-to-many: signatures in packs
CREATE TABLE binaryindex.signature_pack_entry (
pack_id UUID NOT NULL REFERENCES binaryindex.signature_pack(id) ON DELETE CASCADE,
signature_id UUID NOT NULL REFERENCES binaryindex.delta_signature(id) ON DELETE CASCADE,
PRIMARY KEY (pack_id, signature_id)
);
```
### Key Interfaces
```csharp
// src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly/IDisassemblyEngine.cs
namespace StellaOps.BinaryIndex.Disassembly;
/// <summary>
/// Abstraction over binary disassembly engines.
/// Hides implementation details (B2R2's F#) from C# consumers.
/// </summary>
public interface IDisassemblyEngine
{
/// <summary>
/// Loads a binary from a stream and detects format/architecture.
/// </summary>
BinaryInfo LoadBinary(Stream stream, string? hint = null);
/// <summary>
/// Gets executable code regions (sections) from the binary.
/// </summary>
IEnumerable<CodeRegion> GetCodeRegions(BinaryInfo binary);
/// <summary>
/// Gets symbols (functions) from the binary.
/// </summary>
IEnumerable<SymbolInfo> GetSymbols(BinaryInfo binary);
/// <summary>
/// Disassembles a code region to instructions.
/// </summary>
IEnumerable<DisassembledInstruction> Disassemble(
BinaryInfo binary,
CodeRegion region);
/// <summary>
/// Disassembles a specific symbol/function.
/// </summary>
IEnumerable<DisassembledInstruction> DisassembleSymbol(
BinaryInfo binary,
SymbolInfo symbol);
/// <summary>
/// Supported architectures.
/// </summary>
IReadOnlySet<string> SupportedArchitectures { get; }
/// <summary>
/// Supported binary formats.
/// </summary>
IReadOnlySet<string> SupportedFormats { get; }
}
public sealed record BinaryInfo(
string Format, // ELF, PE, MachO
string Architecture, // x86_64, aarch64
string? Abi, // gnu, musl
string? BuildId,
IReadOnlyDictionary<string, object> Metadata);
public sealed record CodeRegion(
string Name, // .text, .rodata
ulong VirtualAddress,
ulong FileOffset,
ulong Size,
bool IsExecutable,
bool IsReadable,
bool IsWritable);
public sealed record SymbolInfo(
string Name,
ulong Address,
ulong Size,
SymbolType Type,
SymbolBinding Binding,
string? Section);
public sealed record DisassembledInstruction(
ulong Address,
byte[] RawBytes,
string Mnemonic,
string OperandsText,
InstructionKind Kind,
IReadOnlyList<Operand> Operands);
public enum InstructionKind
{
Unknown,
Arithmetic,
Logic,
Move,
Load,
Store,
Branch,
ConditionalBranch,
Call,
Return,
Nop,
Syscall,
Interrupt
}
```
```csharp
// src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Normalization/INormalizationPipeline.cs
namespace StellaOps.BinaryIndex.Normalization;
/// <summary>
/// Normalizes disassembled instructions for deterministic hashing.
/// Removes compiler/linker variance to enable cross-build comparison.
/// </summary>
public interface INormalizationPipeline
{
/// <summary>
/// Normalizes a sequence of instructions.
/// </summary>
NormalizedFunction Normalize(
IEnumerable<DisassembledInstruction> instructions,
NormalizationOptions options);
/// <summary>
/// Gets the recipe identifier for this pipeline.
/// </summary>
string RecipeId { get; }
/// <summary>
/// Gets the recipe version.
/// </summary>
string RecipeVersion { get; }
}
public sealed record NormalizationOptions(
bool ZeroAbsoluteAddresses = true,
bool ZeroRelocations = true,
bool CanonicalizeNops = true,
bool CanonicalizePltGot = true,
bool CanonicalizeJumpTables = true,
bool ZeroPadding = true,
bool PreserveCallTargets = false);
public sealed record NormalizedFunction(
string RecipeId,
string RecipeVersion,
ImmutableArray<NormalizedInstruction> Instructions,
int OriginalSize,
int NormalizedSize);
public sealed record NormalizedInstruction(
InstructionKind Kind,
string NormalizedMnemonic,
ImmutableArray<NormalizedOperand> Operands,
byte[] NormalizedBytes);
```
```csharp
// src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/IDeltaSignatureGenerator.cs
namespace StellaOps.BinaryIndex.DeltaSig;
/// <summary>
/// Generates delta signatures from normalized functions.
/// </summary>
public interface IDeltaSignatureGenerator
{
/// <summary>
/// Generates a signature for a single symbol.
/// </summary>
SymbolSignature GenerateSymbolSignature(
NormalizedFunction function,
string symbolName,
string scope,
SignatureOptions? options = null);
/// <summary>
/// Generates signatures for multiple symbols in a binary.
/// </summary>
Task<DeltaSignature> GenerateSignaturesAsync(
Stream binaryStream,
DeltaSignatureRequest request,
CancellationToken ct = default);
}
public sealed record DeltaSignatureRequest(
string Cve,
string Package,
string? Soname,
string Arch,
string Abi,
IReadOnlyList<string> TargetSymbols,
string SignatureState, // 'vulnerable' or 'patched'
SignatureOptions? Options = null);
public sealed record SignatureOptions(
bool IncludeCfg = true,
bool IncludeChunks = true,
int ChunkSize = 2048);
public sealed record DeltaSignature(
string Schema, // "stellaops.deltasig.v1"
string Cve,
PackageRef Package,
TargetRef Target,
NormalizationRef Normalization,
string SignatureState,
ImmutableArray<SymbolSignature> Symbols);
public sealed record PackageRef(string Name, string? Soname);
public sealed record TargetRef(string Arch, string Abi);
public sealed record NormalizationRef(string RecipeId, string RecipeVersion, ImmutableArray<string> Steps);
public sealed record SymbolSignature(
string Name,
string Scope,
string HashAlg,
string HashHex,
int SizeBytes,
int? CfgBbCount,
string? CfgEdgeHash,
ImmutableArray<ChunkHash>? Chunks);
public sealed record ChunkHash(int Offset, int Size, string HashHex);
```
### CLI Commands
```
stella deltasig extract
--binary <path> Path to ELF/PE/Mach-O binary
--symbols <name,...> Comma-separated symbol names to extract
--arch <arch> Architecture hint (x86_64, aarch64)
--out <path> Output JSON path
[--json] Machine-readable output
stella deltasig author
--vuln <path> Path to vulnerable binary
--patched <path> Path to patched binary
--cve <CVE-YYYY-NNNN> CVE identifier
--package <name> Package name
[--soname <name>] Shared object name
--arch <arch> Architecture
[--abi <abi>] ABI (default: gnu)
--out <path> Output directory for signature payloads
stella deltasig sign
--in <path> Input payload JSON
--key <path> Private key PEM
--out <path> Output DSSE envelope
[--alg <alg>] Algorithm (ecdsa-p256-sha256, rsa-pss-sha256)
stella deltasig verify
--in <path> Input DSSE envelope
--pub <path> Public key PEM
stella deltasig match
--binary <path> Binary to check
--sigpack <path> Signature pack (ZIP) or directory
[--cve <CVE>] Filter to specific CVE
[--json] Machine-readable output
stella deltasig pack
--in-dir <path> Directory containing *.dsse.json
--out <path> Output ZIP path
stella deltasig inspect
--in <path> Payload or envelope to inspect
```
## Delivery Tracker
| Task ID | Description | Status | Assignee | Notes |
|---------|-------------|--------|----------|-------|
| **DS-001** | Create `StellaOps.BinaryIndex.Disassembly` project | TODO | | |
| **DS-002** | Add B2R2.FrontEnd.API NuGet reference | TODO | | net9.0 compatible with net10.0 |
| **DS-003** | Implement `IDisassemblyEngine` interface | TODO | | |
| **DS-004** | Implement `B2R2DisassemblyEngine` | TODO | | Wrap F# in C# facade |
| **DS-005** | Add x86-64 instruction decoding | TODO | | |
| **DS-006** | Add ARM64 instruction decoding | TODO | | |
| **DS-007** | Add ELF format support | TODO | | |
| **DS-008** | Add PE format support | TODO | | Lower priority |
| **DS-009** | Add Mach-O format support | TODO | | Lower priority |
| **DS-010** | Create `StellaOps.BinaryIndex.Normalization` project | TODO | | |
| **DS-011** | Implement `INormalizationPipeline` interface | TODO | | |
| **DS-012** | Implement `X64NormalizationPipeline` | TODO | | |
| **DS-013** | Implement `Arm64NormalizationPipeline` | TODO | | |
| **DS-014** | Implement address/relocation zeroing | TODO | | |
| **DS-015** | Implement NOP canonicalization | TODO | | |
| **DS-016** | Implement PLT/GOT normalization | TODO | | |
| **DS-017** | Create `StellaOps.BinaryIndex.DeltaSig` project | TODO | | |
| **DS-018** | Implement `IDeltaSignatureGenerator` | TODO | | |
| **DS-019** | Implement `DeltaSignatureMatcher` | TODO | | |
| **DS-020** | Implement CFG extraction | TODO | | |
| **DS-021** | Implement rolling chunk hashes | TODO | | |
| **DS-022** | Create `StellaOps.BinaryIndex.DeltaSig.Persistence` | TODO | | |
| **DS-023** | Add PostgreSQL schema migration | TODO | | |
| **DS-024** | Implement `PostgresDeltaSignatureStore` | TODO | | |
| **DS-025** | Create `StellaOps.BinaryIndex.Cli` project | TODO | | |
| **DS-026** | Implement `extract` command | TODO | | |
| **DS-027** | Implement `author` command | TODO | | |
| **DS-028** | Implement `sign` command | TODO | | Reuse Attestor DSSE |
| **DS-029** | Implement `verify` command | TODO | | |
| **DS-030** | Implement `match` command | TODO | | |
| **DS-031** | Implement `pack` command | TODO | | |
| **DS-032** | Implement `inspect` command | TODO | | |
| **DS-033** | Refactor `BasicBlockFingerprintGenerator` to use `IDisassemblyEngine` | TODO | | |
| **DS-034** | Unit tests for B2R2 wrapper | TODO | | |
| **DS-035** | Unit tests for normalization | TODO | | |
| **DS-036** | Unit tests for signature generation | TODO | | |
| **DS-037** | Property tests for normalization idempotency | TODO | | FsCheck |
| **DS-038** | Golden tests with known CVE signatures | TODO | | Heartbleed, etc. |
| **DS-039** | Integration tests end-to-end | TODO | | |
| **DS-040** | Scanner integration (match service) | TODO | | |
| **DS-041** | VEX evidence emission for backport detection | TODO | | |
| **DS-042** | Documentation: AGENTS.md for BinaryIndex | TODO | | |
| **DS-043** | Documentation: Architecture decision record | TODO | | |
## Decisions & Risks
| ID | Decision/Risk | Status | Notes |
|----|---------------|--------|-------|
| D-001 | Use B2R2 as primary disassembly engine | DECIDED | Fully managed, multi-arch, MIT license |
| D-002 | Wrap B2R2 F# in C# facade | DECIDED | Hide F# from rest of codebase |
| D-003 | Store signatures in PostgreSQL | DECIDED | Consistent with rest of platform |
| D-004 | Support offline signature packs | DECIDED | Critical for air-gapped deployments |
| R-001 | B2R2 is F# - may have learning curve | OPEN | Mitigated by thin wrapper |
| R-002 | Compiler optimization variance | OPEN | Mitigated by rolling chunk hashes |
| R-003 | LTO may change function layout | OPEN | Require multiple signature variants |
## Execution Log
| Date | Event | Notes |
|------|-------|-------|
| 2026-01-02 | Sprint created | Based on product advisory analysis |
## References
- [B2R2 GitHub](https://github.com/B2R2-org/B2R2)
- [B2R2 NuGet](https://www.nuget.org/packages/B2R2.FrontEnd.API/)
- [Product Advisory: Binary Diff Signatures](../product-advisories/30-Dec-2025%20-%20Binary%20Diff%20Signatures%20for%20Patch%20Detection.md)
- [Product Advisory: Golden Set for Patch Validation](../product-advisories/30-Dec-2025%20-%20Building%20a%20Golden%20Set%20for%20Patch%20Validation.md)

473
docs/implplan/SPRINT_20260102_002_BE_intoto_link_generation.md Normal file
View File

@@ -0,0 +1,473 @@
# SPRINT_20260102_002_BE_intoto_link_generation.md
## Sprint Overview
| Field | Value |
|-------|-------|
| **Sprint ID** | SPRINT_20260102_002_BE |
| **Title** | in-toto Link Generation for Supply Chain Provenance |
| **Working Directory** | `src/Attestor/` |
| **Duration** | 2-3 weeks |
| **Dependencies** | Existing DSSE infrastructure (complete) |
| **Advisory Source** | `docs/product-advisories/02-Dec-2025 - Designing offline DSSE + intoto attestations.md` |
## Problem Statement
StellaOps has robust DSSE signing and verification infrastructure, but lacks **in-toto link generation**. in-toto links record the **materials** (inputs), **products** (outputs), and **command** executed for each step in a supply chain. This is required for:
1. **SLSA compliance** - SLSA levels require provenance attestations
2. **Supply chain transparency** - Prove what went into a build/scan
3. **Audit trails** - Forensic analysis of build processes
4. **Policy enforcement** - Verify required steps were executed by authorized functionaries
### Current State
| Component | Status |
|-----------|--------|
| DSSE signing | ✅ Complete - Multiple implementations |
| DSSE verification | ✅ Complete - Offline capable |
| Rekor integration | ✅ Complete - Offline receipts supported |
| in-toto link generation | ❌ Missing |
| in-toto layout verification | ❌ Missing |
## Technical Design
### in-toto Link Predicate
Following the [in-toto attestation spec](https://github.com/in-toto/attestation/blob/main/spec/predicates/link.md):
```json
{
"_type": "https://in-toto.io/Statement/v1",
"subject": [
{
"name": "sbom.cdx.json",
"digest": { "sha256": "abc123..." }
}
],
"predicateType": "https://in-toto.io/Link/v1",
"predicate": {
"name": "scan",
"command": ["stella", "scan", "--image", "nginx:1.25"],
"materials": [
{
"uri": "oci://docker.io/library/nginx@sha256:...",
"digest": { "sha256": "..." }
}
],
"products": [
{
"uri": "file://sbom.cdx.json",
"digest": { "sha256": "..." }
},
{
"uri": "file://vulns.json",
"digest": { "sha256": "..." }
}
],
"byproducts": {
"return-value": 0,
"stderr": "",
"stdout": ""
},
"environment": {
"STELLAOPS_VERSION": "2026.01",
"SCANNER_VERSION": "1.5.0"
}
}
}
```
### Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│ ILinkRecorder │
│ Records step execution and emits in-toto link predicates │
├─────────────────────────────────────────────────────────────────┤
│ Methods: │
│ - RecordStepAsync(stepName, action, materials, products) │
│ - AddMaterial(uri, digest) │
│ - AddProduct(uri, digest) │
│ - SetCommand(args) │
│ - SetEnvironment(vars) │
│ - FinalizeLink() -> InTotoLink │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ IAttestationSigningService │
│ (EXISTING) - Signs link as DSSE envelope │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ ILayoutVerifier │
│ Verifies link chains against in-toto layouts │
├─────────────────────────────────────────────────────────────────┤
│ Methods: │
│ - Verify(layout, links, trustedKeys) -> VerificationResult │
│ - ValidateStepOrder(links, layout) │
│ - ValidateFunctionaries(links, layout) │
│ - ValidateMaterialProductChain(links) │
└─────────────────────────────────────────────────────────────────┘
```
### Project Structure
```
src/Attestor/
├── StellaOps.Attestor/
│ └── StellaOps.Attestor.Core/
│ ├── InToto/ # NEW
│ │ ├── ILinkRecorder.cs
│ │ ├── InTotoLink.cs
│ │ ├── InTotoLinkPredicate.cs
│ │ ├── InTotoMaterial.cs
│ │ ├── InTotoProduct.cs
│ │ ├── LinkRecorder.cs
│ │ ├── LinkBuilder.cs
│ │ └── Layout/
│ │ ├── ILayoutVerifier.cs
│ │ ├── InTotoLayout.cs
│ │ ├── LayoutStep.cs
│ │ ├── LayoutVerifier.cs
│ │ └── LayoutVerificationResult.cs
│ │
│ └── Signing/
│ └── DsseSigningService.cs # EXISTING - reuse
├── StellaOps.Attestor.Infrastructure/
│ └── InToto/ # NEW
│ ├── FileSystemLinkRecorder.cs # Computes digests from files
│ └── StreamLinkRecorder.cs # Computes digests from streams
└── StellaOps.Attestor.Core.Tests/
└── InToto/ # NEW
├── LinkRecorderTests.cs
├── LinkBuilderTests.cs
├── LayoutVerifierTests.cs
└── Fixtures/
├── sample_link.json
└── sample_layout.json
```
### Key Interfaces
```csharp
// src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto/ILinkRecorder.cs
namespace StellaOps.Attestor.Core.InToto;
/// <summary>
/// Records supply chain step execution as an in-toto link.
/// Use this to capture materials, products, and execution metadata.
/// </summary>
public interface ILinkRecorder
{
/// <summary>
/// Records a step execution and produces an in-toto link.
/// </summary>
/// <param name="stepName">Name of the step (e.g., "scan", "build", "sign")</param>
/// <param name="action">The action to execute</param>
/// <param name="materials">Paths/URIs to input files</param>
/// <param name="products">Paths/URIs to output files</param>
/// <param name="ct">Cancellation token</param>
/// <returns>The recorded in-toto link</returns>
Task<InTotoLink> RecordStepAsync(
string stepName,
Func<Task<int>> action,
IEnumerable<MaterialSpec> materials,
IEnumerable<ProductSpec> products,
CancellationToken ct = default);
/// <summary>
/// Records a step without executing an action (for external steps).
/// </summary>
Task<InTotoLink> RecordExternalStepAsync(
string stepName,
IEnumerable<string> command,
int returnValue,
IEnumerable<MaterialSpec> materials,
IEnumerable<ProductSpec> products,
CancellationToken ct = default);
}
/// <summary>
/// Specification for a material (input).
/// </summary>
public sealed record MaterialSpec(
string Uri,
string? LocalPath = null, // If set, compute digest from file
ArtifactDigests? Digest = null); // If set, use provided digest
/// <summary>
/// Specification for a product (output).
/// </summary>
public sealed record ProductSpec(
string Uri,
string? LocalPath = null,
ArtifactDigests? Digest = null);
/// <summary>
/// Cryptographic digests for an artifact.
/// </summary>
public sealed record ArtifactDigests(
string? Sha256 = null,
string? Sha512 = null,
string? Sha1 = null);
```
```csharp
// src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto/InTotoLink.cs
namespace StellaOps.Attestor.Core.InToto;
/// <summary>
/// An in-toto link attestation.
/// </summary>
public sealed record InTotoLink
{
public const string StatementType = "https://in-toto.io/Statement/v1";
public const string PredicateType = "https://in-toto.io/Link/v1";
/// <summary>
/// Subject artifacts (products of this step).
/// </summary>
public required ImmutableArray<InTotoSubject> Subjects { get; init; }
/// <summary>
/// The link predicate containing step details.
/// </summary>
public required InTotoLinkPredicate Predicate { get; init; }
/// <summary>
/// Serializes to in-toto statement JSON.
/// </summary>
public string ToJson(bool indented = false);
/// <summary>
/// Parses from in-toto statement JSON.
/// </summary>
public static InTotoLink FromJson(string json);
}
public sealed record InTotoSubject(
string Name,
ArtifactDigests Digest);
public sealed record InTotoLinkPredicate(
string Name,
ImmutableArray<string> Command,
ImmutableArray<InTotoMaterial> Materials,
ImmutableArray<InTotoProduct> Products,
InTotoByProducts ByProducts,
ImmutableDictionary<string, string> Environment);
public sealed record InTotoMaterial(
string Uri,
ArtifactDigests Digest);
public sealed record InTotoProduct(
string Uri,
ArtifactDigests Digest);
public sealed record InTotoByProducts(
int ReturnValue,
string? Stdout = null,
string? Stderr = null);
```
```csharp
// src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto/Layout/ILayoutVerifier.cs
namespace StellaOps.Attestor.Core.InToto.Layout;
/// <summary>
/// Verifies in-toto link chains against layouts.
/// </summary>
public interface ILayoutVerifier
{
/// <summary>
/// Verifies that links satisfy the layout constraints.
/// </summary>
/// <param name="layout">The layout defining required steps and rules</param>
/// <param name="links">The links to verify</param>
/// <param name="trustedKeys">Trusted functionary public keys</param>
/// <returns>Verification result with details</returns>
LayoutVerificationResult Verify(
InTotoLayout layout,
IEnumerable<SignedLink> links,
IEnumerable<TrustedKey> trustedKeys);
}
public sealed record SignedLink(
InTotoLink Link,
DsseEnvelope Envelope,
string SignerKeyId);
public sealed record TrustedKey(
string KeyId,
string PublicKeyPem,
ImmutableHashSet<string> AllowedSteps);
public sealed record LayoutVerificationResult(
bool Success,
ImmutableArray<LayoutViolation> Violations,
ImmutableArray<string> VerifiedSteps,
ImmutableDictionary<string, string> StepToFunctionary);
public sealed record LayoutViolation(
string StepName,
LayoutViolationType Type,
string Message);
public enum LayoutViolationType
{
MissingStep,
UnauthorizedFunctionary,
InvalidSignature,
MaterialMismatch,
ProductMismatch,
ThresholdNotMet
}
```
### Integration Points
#### Scanner Integration
```csharp
// Example: Scanner emits link for scan operation
public class ScanService
{
private readonly ILinkRecorder _linkRecorder;
private readonly IAttestationSigningService _signer;
public async Task<ScanResult> ScanWithProvenanceAsync(
string imageRef,
ScanOptions options,
CancellationToken ct)
{
var materials = new[]
{
new MaterialSpec($"oci://{imageRef}")
};
var sbomPath = Path.GetTempFileName();
var vulnsPath = Path.GetTempFileName();
var products = new[]
{
new ProductSpec("file://sbom.cdx.json", sbomPath),
new ProductSpec("file://vulns.json", vulnsPath)
};
// Record the scan step
var link = await _linkRecorder.RecordStepAsync(
stepName: "scan",
action: async () =>
{
var result = await PerformScanAsync(imageRef, options, sbomPath, vulnsPath, ct);
return result.ExitCode;
},
materials: materials,
products: products,
ct: ct);
// Sign as DSSE
var envelope = await _signer.SignAsync(
payloadType: InTotoLink.PredicateType,
payload: Encoding.UTF8.GetBytes(link.ToJson()),
ct: ct);
return new ScanResult
{
Sbom = await File.ReadAllTextAsync(sbomPath, ct),
Vulnerabilities = await File.ReadAllTextAsync(vulnsPath, ct),
ProvenanceLink = link,
SignedEnvelope = envelope
};
}
}
```
#### Attestor WebService Integration
```
POST /api/v1/attestor/links
Content-Type: application/json
{
"stepName": "build",
"command": ["make", "release"],
"materials": [
{"uri": "git://github.com/org/repo@abc123", "digest": {"sha256": "..."}}
],
"products": [
{"uri": "file://dist/app.tar.gz", "digest": {"sha256": "..."}}
],
"returnValue": 0
}
Response:
{
"link": { ... },
"envelope": { ... },
"rekorEntry": { ... }
}
```
## Delivery Tracker
| Task ID | Description | Status | Assignee | Notes |
|---------|-------------|--------|----------|-------|
| **IT-001** | Create `InToto/` directory structure in Attestor.Core | TODO | | |
| **IT-002** | Define `ILinkRecorder` interface | TODO | | |
| **IT-003** | Define `InTotoLink` and related models | TODO | | |
| **IT-004** | Define `InTotoLinkPredicate` model | TODO | | |
| **IT-005** | Implement `LinkRecorder` | TODO | | |
| **IT-006** | Implement `LinkBuilder` (fluent API) | TODO | | |
| **IT-007** | Implement digest computation for files | TODO | | SHA-256, SHA-512 |
| **IT-008** | Implement `FileSystemLinkRecorder` | TODO | | |
| **IT-009** | Implement `StreamLinkRecorder` | TODO | | |
| **IT-010** | Define `ILayoutVerifier` interface | TODO | | |
| **IT-011** | Define `InTotoLayout` model | TODO | | |
| **IT-012** | Implement `LayoutVerifier` | TODO | | |
| **IT-013** | Implement step order validation | TODO | | |
| **IT-014** | Implement functionary validation | TODO | | |
| **IT-015** | Implement material/product chain validation | TODO | | |
| **IT-016** | Implement threshold verification | TODO | | |
| **IT-017** | Unit tests for `LinkRecorder` | TODO | | |
| **IT-018** | Unit tests for `LinkBuilder` | TODO | | |
| **IT-019** | Unit tests for `LayoutVerifier` | TODO | | |
| **IT-020** | Integration with `IAttestationSigningService` | TODO | | |
| **IT-021** | Scanner integration | TODO | | Emit links for scans |
| **IT-022** | Attestor WebService endpoint | TODO | | POST /api/v1/attestor/links |
| **IT-023** | CLI command: `stella attestor link` | TODO | | |
| **IT-024** | Documentation: in-toto usage guide | TODO | | |
| **IT-025** | Golden tests with reference in-toto links | TODO | | |
## Decisions & Risks
| ID | Decision/Risk | Status | Notes |
|----|---------------|--------|-------|
| D-001 | Use in-toto attestation spec v1 | DECIDED | Current stable version |
| D-002 | DSSE as envelope format | DECIDED | Consistent with existing infrastructure |
| D-003 | Layout verification is optional phase | DECIDED | Links first, layouts second |
| R-001 | Layout complexity | OPEN | Start with simple single-step layouts |
| R-002 | Key management for functionaries | OPEN | Reuse existing Authority key management |
## Execution Log
| Date | Event | Notes |
|------|-------|-------|
| 2026-01-02 | Sprint created | Based on product advisory analysis |
## References
- [in-toto Specification](https://github.com/in-toto/attestation)
- [in-toto Link Predicate](https://github.com/in-toto/attestation/blob/main/spec/predicates/link.md)
- [SLSA Provenance](https://slsa.dev/provenance/v1)
- [Product Advisory: Offline DSSE + in-toto](../product-advisories/02-Dec-2025%20-%20Designing%20offline%20DSSE%20+%20intoto%20attestations.md)

588
docs/implplan/SPRINT_20260102_003_BE_vex_proof_objects.md Normal file
View File

@@ -0,0 +1,588 @@
# SPRINT_20260102_003_BE_vex_proof_objects.md
## Sprint Overview
| Field | Value |
|-------|-------|
| **Sprint ID** | SPRINT_20260102_003_BE |
| **Title** | VEX Proof Objects and Dependency Propagation |
| **Working Directory** | `src/VexLens/`, `src/Policy/` |
| **Duration** | 2-3 weeks |
| **Dependencies** | VexLens consensus engine (complete) |
| **Advisory Source** | `docs/product-advisories/30-Dec-2025 - Designing a Deterministic VEX Resolver.md` |
## Problem Statement
VexLens produces verdicts but **doesn't emit the full trace of how it got there**. For audits, compliance, and reproducibility, we need:
1. **Proof Objects** - Complete record of inputs, conditions, merge steps, and graph paths
2. **Propagation Rules** - Explicit rules for transitive impact (if dependency affected, is product affected?)
3. **Condition Evaluation** - Deterministic handling of platform, build flags, and feature context
### Current State
| Component | Status |
|-----------|--------|
| Lattice-based consensus | ✅ Complete - 4 modes, conflict detection |
| Trust weighting | ✅ Complete - Issuer, signature, freshness, format |
| VexConsensusResult | ⚠️ Partial - Has rationale but not full proof |
| Proof objects | ❌ Missing |
| Propagation rules | ❌ Missing |
| Condition evaluation | ❌ Missing |
## Technical Design
### VEX Proof Object Schema
```json
{
"schema": "stellaops.vex-proof.v1",
"proofId": "proof-2026-01-02T10:30:00Z-abc123",
"computedAt": "2026-01-02T10:30:00Z",
"verdict": {
"vulnerabilityId": "CVE-2023-12345",
"productKey": "pkg:npm/lodash@4.17.21",
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"confidence": 0.78
},
"inputs": {
"statements": [
{
"id": "stmt-001",
"source": "openvex",
"issuer": {
"id": "lodash-maintainers",
"category": "vendor",
"trustTier": "high"
},
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"weight": {
"composite": 0.85,
"factors": {
"issuer": 0.90,
"signature": 1.00,
"freshness": 0.95,
"format": 1.00,
"specificity": 0.70
}
},
"timestamp": "2023-06-15T10:30:00Z",
"signatureVerified": true
},
{
"id": "stmt-002",
"source": "nvd",
"issuer": {
"id": "nvd",
"category": "aggregator",
"trustTier": "medium"
},
"status": "affected",
"weight": {
"composite": 0.60,
"factors": {
"issuer": 0.70,
"signature": 0.50,
"freshness": 0.80,
"format": 0.95,
"specificity": 0.50
}
},
"timestamp": "2023-06-10T00:00:00Z",
"signatureVerified": false
}
],
"context": {
"platform": "linux/amd64",
"distro": null,
"features": ["esm"],
"buildFlags": [],
"evaluationTime": "2026-01-02T10:30:00Z"
}
},
"resolution": {
"mode": "lattice",
"qualifiedStatements": 2,
"disqualifiedStatements": 0,
"disqualificationReasons": [],
"latticeComputation": {
"ordering": ["unknown", "under_investigation", "affected", "fixed", "not_affected"],
"mergeSteps": [
{
"step": 1,
"statementId": "stmt-001",
"inputPosition": "not_affected",
"weight": 0.85,
"action": "initialize"
},
{
"step": 2,
"statementId": "stmt-002",
"inputPosition": "affected",
"weight": 0.60,
"action": "merge",
"conflict": true,
"resolution": "higher_weight_wins",
"resultPosition": "not_affected"
}
],
"finalPosition": "not_affected"
},
"conflictAnalysis": {
"hasConflicts": true,
"conflicts": [
{
"statementA": "stmt-001",
"statementB": "stmt-002",
"statusA": "not_affected",
"statusB": "affected",
"severity": "high",
"resolution": "weight_based",
"winner": "stmt-001"
}
],
"conflictPenalty": 0.10
}
},
"propagation": {
"applied": true,
"rules": [
{
"ruleId": "direct-dependency-affected",
"description": "If direct dependency is affected, product inherits affected unless overridden",
"triggered": false
}
],
"graphPaths": [
{
"root": "pkg:npm/my-app@1.0.0",
"path": ["lodash@4.17.21"],
"pathType": "direct_dependency",
"depth": 1
}
],
"inheritedStatus": null,
"overrideApplied": false
},
"conditions": {
"evaluated": [
{
"conditionId": "platform-linux",
"expression": "platform == 'linux/*'",
"result": true,
"contextValue": "linux/amd64"
}
],
"unevaluated": [],
"unknownCount": 0
},
"confidence": {
"score": 0.78,
"tier": "high",
"breakdown": {
"weightSpread": 0.85,
"conflictPenalty": -0.10,
"freshnessBonus": 0.03,
"signatureBonus": 0.05,
"conditionCoverage": 1.00
},
"improvements": [
{
"factor": "runtime",
"action": "Add runtime signal observation",
"potentialGain": 0.10
}
]
},
"digest": "sha256:abc123..."
}
```
### Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│ VexConsensusEngine │
│ (EXISTING) - Extended to emit VexProof alongside verdict │
├─────────────────────────────────────────────────────────────────┤
│ Changes: │
│ - ComputeConsensusAsync returns VexResolutionResult │
│ - VexResolutionResult contains (Verdict, Proof, Conflicts) │
│ - Each merge step recorded in proof │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ IPropagationRuleEngine │
│ Computes transitive impact through dependency graph │
├─────────────────────────────────────────────────────────────────┤
│ Rules: │
│ - DirectDependencyAffected: inherit unless override │
│ - TransitiveDependencyAffected: flag but don't auto-inherit │
│ - DependencyFixed: allow parent NotAffected if code removed │
│ - DependencyNotAffected: inherit if dependency is leaf │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ IConditionEvaluator │
│ Evaluates VEX conditions against execution context │
├─────────────────────────────────────────────────────────────────┤
│ Context includes: │
│ - Platform (linux/amd64, darwin/arm64, windows/amd64) │
│ - Distro (rhel:9, debian:12, ubuntu:22.04) │
│ - Features (enabled feature flags) │
│ - BuildFlags (compiler options) │
│ - Runtime (eBPF signals, process info) │
└─────────────────────────────────────────────────────────────────┘
```
### Project Structure
```
src/VexLens/
├── StellaOps.VexLens/
│ ├── Consensus/
│ │ ├── VexConsensusEngine.cs # MODIFY - emit proof
│ │ ├── IVexConsensusEngine.cs # MODIFY - return VexResolutionResult
│ │ └── VexProofBuilder.cs # NEW
│ │
│ ├── Proof/ # NEW
│ │ ├── VexProof.cs
│ │ ├── VexProofInput.cs
│ │ ├── VexProofResolution.cs
│ │ ├── VexProofPropagation.cs
│ │ ├── VexProofConditions.cs
│ │ ├── VexProofConfidence.cs
│ │ └── VexProofSerializer.cs
│ │
│ ├── Propagation/ # NEW
│ │ ├── IPropagationRuleEngine.cs
│ │ ├── PropagationRule.cs
│ │ ├── PropagationResult.cs
│ │ ├── PropagationRuleEngine.cs
│ │ └── Rules/
│ │ ├── DirectDependencyAffectedRule.cs
│ │ ├── TransitiveDependencyRule.cs
│ │ ├── DependencyFixedRule.cs
│ │ └── DependencyNotAffectedRule.cs
│ │
│ └── Conditions/ # NEW
│ ├── IConditionEvaluator.cs
│ ├── EvaluationContext.cs
│ ├── ConditionResult.cs
│ ├── ConditionEvaluator.cs
│ └── Expressions/
│ ├── PlatformCondition.cs
│ ├── DistroCondition.cs
│ ├── FeatureCondition.cs
│ └── BuildFlagCondition.cs
├── __Tests/
│ └── StellaOps.VexLens.Tests/
│ ├── Proof/
│ │ ├── VexProofBuilderTests.cs
│ │ └── VexProofSerializerTests.cs
│ ├── Propagation/
│ │ ├── PropagationRuleEngineTests.cs
│ │ └── PropagationRulesTests.cs
│ ├── Conditions/
│ │ ├── ConditionEvaluatorTests.cs
│ │ └── ExpressionTests.cs
│ └── Integration/
│ └── ProofDeterminismTests.cs # Shuffle tests
src/Policy/
├── __Libraries/
│ └── StellaOps.Policy/
│ └── Vex/
│ └── VexProofGate.cs # NEW - gate on proof quality
```
### Key Interfaces
```csharp
// src/VexLens/StellaOps.VexLens/Consensus/IVexConsensusEngine.cs (MODIFIED)
namespace StellaOps.VexLens.Consensus;
public interface IVexConsensusEngine
{
/// <summary>
/// Computes consensus with full proof object.
/// </summary>
Task<VexResolutionResult> ComputeConsensusAsync(
VexConsensusRequest request,
CancellationToken cancellationToken = default);
// ... existing methods
}
/// <summary>
/// Complete result including verdict and proof.
/// </summary>
public sealed record VexResolutionResult(
VexConsensusResult Verdict,
VexProof Proof,
ImmutableArray<VexConflict> Conflicts);
```
```csharp
// src/VexLens/StellaOps.VexLens/Proof/VexProof.cs
namespace StellaOps.VexLens.Proof;
/// <summary>
/// Complete proof object for a VEX verdict.
/// Contains all inputs, conditions, merge steps, and graph paths.
/// </summary>
public sealed record VexProof
{
public const string SchemaVersion = "stellaops.vex-proof.v1";
public required string ProofId { get; init; }
public required DateTimeOffset ComputedAt { get; init; }
public required VexProofVerdict Verdict { get; init; }
public required VexProofInputs Inputs { get; init; }
public required VexProofResolution Resolution { get; init; }
public required VexProofPropagation Propagation { get; init; }
public required VexProofConditions Conditions { get; init; }
public required VexProofConfidence Confidence { get; init; }
/// <summary>
/// SHA-256 digest of canonical proof JSON.
/// </summary>
public required string Digest { get; init; }
/// <summary>
/// Serializes to canonical JSON.
/// </summary>
public string ToCanonicalJson();
/// <summary>
/// Computes digest of proof.
/// </summary>
public static string ComputeDigest(VexProof proof);
}
public sealed record VexProofVerdict(
string VulnerabilityId,
string ProductKey,
VexStatus Status,
string? Justification,
decimal Confidence);
public sealed record VexProofInputs(
ImmutableArray<VexProofStatement> Statements,
VexProofContext Context);
public sealed record VexProofStatement(
string Id,
string Source,
VexProofIssuer Issuer,
VexStatus Status,
string? Justification,
VexProofWeight Weight,
DateTimeOffset Timestamp,
bool SignatureVerified);
public sealed record VexProofResolution(
ConsensusMode Mode,
int QualifiedStatements,
int DisqualifiedStatements,
ImmutableArray<string> DisqualificationReasons,
VexProofLatticeComputation? LatticeComputation,
VexProofConflictAnalysis ConflictAnalysis);
public sealed record VexProofLatticeComputation(
ImmutableArray<VexStatus> Ordering,
ImmutableArray<VexProofMergeStep> MergeSteps,
VexStatus FinalPosition);
public sealed record VexProofMergeStep(
int Step,
string StatementId,
VexStatus InputPosition,
decimal Weight,
string Action,
bool Conflict,
string? Resolution,
VexStatus ResultPosition);
```
```csharp
// src/VexLens/StellaOps.VexLens/Propagation/IPropagationRuleEngine.cs
namespace StellaOps.VexLens.Propagation;
/// <summary>
/// Computes transitive impact through dependency graph.
/// </summary>
public interface IPropagationRuleEngine
{
/// <summary>
/// Propagates verdict through dependency graph.
/// </summary>
PropagationResult Propagate(
VexVerdict componentVerdict,
DependencyGraph graph,
PropagationPolicy policy);
/// <summary>
/// Gets all configured rules.
/// </summary>
IReadOnlyList<PropagationRule> GetRules();
}
public sealed record PropagationResult(
bool Applied,
ImmutableArray<PropagationRuleApplication> RuleApplications,
ImmutableArray<GraphPath> GraphPaths,
VexStatus? InheritedStatus,
bool OverrideApplied);
public sealed record PropagationRuleApplication(
string RuleId,
string Description,
bool Triggered,
string? Reason);
public sealed record GraphPath(
string Root,
ImmutableArray<string> Path,
string PathType,
int Depth);
public sealed record PropagationPolicy(
bool InheritDirectDependencyAffected = true,
bool InheritTransitiveAffected = false,
bool AllowProductOverride = true,
int MaxDepth = 10);
```
```csharp
// src/VexLens/StellaOps.VexLens/Conditions/IConditionEvaluator.cs
namespace StellaOps.VexLens.Conditions;
/// <summary>
/// Evaluates VEX conditions against execution context.
/// </summary>
public interface IConditionEvaluator
{
/// <summary>
/// Evaluates a condition against context.
/// </summary>
ConditionResult Evaluate(
VexCondition condition,
EvaluationContext context);
/// <summary>
/// Evaluates multiple conditions.
/// </summary>
IReadOnlyList<ConditionResult> EvaluateAll(
IEnumerable<VexCondition> conditions,
EvaluationContext context);
}
public sealed record EvaluationContext(
string? Platform, // linux/amd64, darwin/arm64
string? Distro, // rhel:9, debian:12
ImmutableHashSet<string> Features,
ImmutableDictionary<string, string> BuildFlags,
ImmutableDictionary<string, string> Environment,
DateTimeOffset EvaluationTime);
public sealed record ConditionResult(
string ConditionId,
string Expression,
ConditionOutcome Outcome,
string? ContextValue,
string? Reason);
public enum ConditionOutcome
{
True,
False,
Unknown // Cannot evaluate (missing context)
}
```
### Propagation Rules
| Rule ID | Description | When Applied |
|---------|-------------|--------------|
| `direct-dependency-affected` | If direct dependency is affected, product inherits affected unless product-level override | Dependency is direct (depth=1) and status=affected |
| `transitive-dependency-affected` | If transitive dependency is affected, flag for review but don't auto-inherit | Dependency is transitive (depth>1) and status=affected |
| `dependency-fixed` | If dependency was affected but is now fixed, allow product NotAffected if vulnerable code was removed | Dependency status=fixed and product has override |
| `dependency-not-affected` | If dependency is not_affected, product may inherit if dependency is leaf | Dependency is leaf node with status=not_affected |
## Delivery Tracker
| Task ID | Description | Status | Assignee | Notes |
|---------|-------------|--------|----------|-------|
| **VP-001** | Define `VexProof` and related models | TODO | | |
| **VP-002** | Implement `VexProofBuilder` | TODO | | |
| **VP-003** | Implement `VexProofSerializer` (canonical JSON) | TODO | | |
| **VP-004** | Modify `VexConsensusEngine` to build proof | TODO | | |
| **VP-005** | Modify `IVexConsensusEngine` to return `VexResolutionResult` | TODO | | |
| **VP-006** | Record merge steps in lattice computation | TODO | | |
| **VP-007** | Record conflict analysis in proof | TODO | | |
| **VP-008** | Define `IPropagationRuleEngine` interface | TODO | | |
| **VP-009** | Implement `PropagationRuleEngine` | TODO | | |
| **VP-010** | Implement `DirectDependencyAffectedRule` | TODO | | |
| **VP-011** | Implement `TransitiveDependencyRule` | TODO | | |
| **VP-012** | Implement `DependencyFixedRule` | TODO | | |
| **VP-013** | Implement `DependencyNotAffectedRule` | TODO | | |
| **VP-014** | Define `IConditionEvaluator` interface | TODO | | |
| **VP-015** | Implement `ConditionEvaluator` | TODO | | |
| **VP-016** | Implement `PlatformCondition` | TODO | | |
| **VP-017** | Implement `DistroCondition` | TODO | | |
| **VP-018** | Implement `FeatureCondition` | TODO | | |
| **VP-019** | Implement `BuildFlagCondition` | TODO | | |
| **VP-020** | Integrate propagation into consensus | TODO | | |
| **VP-021** | Integrate condition evaluation into consensus | TODO | | |
| **VP-022** | Unit tests for `VexProofBuilder` | TODO | | |
| **VP-023** | Unit tests for `VexProofSerializer` | TODO | | |
| **VP-024** | Unit tests for propagation rules | TODO | | |
| **VP-025** | Unit tests for condition evaluator | TODO | | |
| **VP-026** | **Shuffle determinism tests** | TODO | | Critical |
| **VP-027** | Proof digest computation tests | TODO | | |
| **VP-028** | Add `VexProofGate` to Policy | TODO | | |
| **VP-029** | API endpoint to retrieve proofs | TODO | | |
| **VP-030** | Documentation: Proof schema reference | TODO | | |
## Decisions & Risks
| ID | Decision/Risk | Status | Notes |
|----|---------------|--------|-------|
| D-001 | Proof schema version "stellaops.vex-proof.v1" | DECIDED | Allows future evolution |
| D-002 | Include digest in proof for integrity | DECIDED | SHA-256 of canonical JSON |
| D-003 | Propagation rules are configurable via policy | DECIDED | Flexibility for different use cases |
| D-004 | Unknown conditions don't fail evaluation | DECIDED | Explicit Unknown state, not error |
| R-001 | Proof size may be large for many statements | OPEN | Consider compression or summary mode |
| R-002 | Condition expression language complexity | OPEN | Start simple, extend as needed |
## Execution Log
| Date | Event | Notes |
|------|-------|-------|
| 2026-01-02 | Sprint created | Based on product advisory analysis |
## References
- [Product Advisory: Deterministic VEX Resolver](../product-advisories/30-Dec-2025%20-%20Designing%20a%20Deterministic%20VEX%20Resolver.md)
- [CycloneDX VEX](https://cyclonedx.org/use-cases/vulnerability-exploitability/)
- [OpenVEX Spec](https://github.com/openvex/spec)

351
docs/implplan/SPRINT_20260102_004_BE_polish_and_testing.md Normal file
View File

@@ -0,0 +1,351 @@
# SPRINT_20260102_004_BE_polish_and_testing.md
## Sprint Overview
| Field | Value |
|-------|-------|
| **Sprint ID** | SPRINT_20260102_004_BE |
| **Title** | Polish, Testing, and CycloneDX 1.7 Completion |
| **Working Directory** | Various (`src/VexLens/`, `src/Concelier/`, `src/__Tests/`) |
| **Duration** | 1-2 weeks |
| **Dependencies** | Sprints 001-003 |
| **Advisory Sources** | Multiple advisories consolidated |
## Objectives
This sprint completes the remaining gaps identified in the product advisory analysis:
1. **CycloneDX 1.7 Complete Mapping** - Map `analysis.state` and `analysis.justification`
2. **Shuffle Determinism Tests** - Prove consensus is order-independent
3. **Golden Corpus Curation** - Backport test cases from advisory #5
4. **End-to-End Regression Suite** - Full pipeline determinism validation
## Task Groups
### 1. CycloneDX 1.7 Completion
**Current State:** Basic CycloneDX ingestion works, but `analysis.state` and `analysis.justification` are not fully mapped.
**Gap:** CycloneDX 1.7 vulnerability analysis model has:
- `analysis.state` - Exploitability status (resolved, exploitable, in_triage, false_positive, not_affected)
- `analysis.justification` - Why status was assigned
- `analysis.response` - Vendor response (workaround, update, rollback, will_not_fix)
- `analysis.detail` - Detailed analysis notes
**Implementation:**
```csharp
// src/VexLens/StellaOps.VexLens/Normalization/CycloneDxVexNormalizer.cs
public NormalizedStatement NormalizeCycloneDx(
CycloneDxVulnerability vuln,
CycloneDxAnalysis? analysis)
{
var status = MapAnalysisState(analysis?.State);
var justification = MapJustification(analysis?.Justification);
return new NormalizedStatement(
StatementId: GenerateStatementId(vuln),
VulnerabilityId: vuln.Id,
Status: status,
Justification: justification,
// ... other fields
Metadata: new Dictionary<string, string>
{
["cyclonedx.analysis.state"] = analysis?.State ?? "",
["cyclonedx.analysis.justification"] = analysis?.Justification ?? "",
["cyclonedx.analysis.response"] = string.Join(",", analysis?.Response ?? []),
["cyclonedx.analysis.detail"] = analysis?.Detail ?? ""
});
}
private static VexStatus MapAnalysisState(string? state) => state?.ToLowerInvariant() switch
{
"resolved" => VexStatus.Fixed,
"resolved_with_pedigree" => VexStatus.Fixed,
"exploitable" => VexStatus.Affected,
"in_triage" => VexStatus.UnderInvestigation,
"false_positive" => VexStatus.NotAffected,
"not_affected" => VexStatus.NotAffected,
_ => VexStatus.Unknown
};
private static string? MapJustification(string? justification) => justification?.ToLowerInvariant() switch
{
"code_not_present" => "vulnerable_code_not_present",
"code_not_reachable" => "vulnerable_code_not_in_execute_path",
"requires_configuration" => "vulnerable_code_cannot_be_controlled_by_adversary",
"requires_dependency" => "vulnerable_code_not_present",
"requires_environment" => "inline_mitigations_already_exist",
"protected_by_compiler" => "inline_mitigations_already_exist",
"protected_at_runtime" => "inline_mitigations_already_exist",
"protected_at_perimeter" => "inline_mitigations_already_exist",
"protected_by_mitigating_control" => "inline_mitigations_already_exist",
_ => justification
};
```
### 2. Shuffle Determinism Tests
**Objective:** Prove that VexConsensusEngine produces identical results regardless of input order.
**Test Strategy:**
1. Take a set of N statements
2. Generate all permutations (or random sample for large N)
3. Compute consensus for each permutation
4. Assert all results are identical
```csharp
// src/VexLens/__Tests/StellaOps.VexLens.Tests/Consensus/ShuffleDeterminismTests.cs
[Theory]
[MemberData(nameof(GetShuffleTestCases))]
public async Task Consensus_IsOrderIndependent(ShuffleTestCase testCase)
{
// Arrange
var engine = new VexConsensusEngine();
var permutations = GeneratePermutations(testCase.Statements, testCase.SampleSize);
// Act
var results = new List<VexConsensusResult>();
foreach (var permutation in permutations)
{
var request = new VexConsensusRequest(
VulnerabilityId: testCase.VulnerabilityId,
ProductKey: testCase.ProductKey,
Statements: permutation.ToImmutableArray(),
Context: testCase.Context);
var result = await engine.ComputeConsensusAsync(request);
results.Add(result.Verdict);
}
// Assert - all results must be identical
var first = results[0];
foreach (var result in results.Skip(1))
{
Assert.Equal(first.ConsensusStatus, result.ConsensusStatus);
Assert.Equal(first.ConsensusJustification, result.ConsensusJustification);
Assert.Equal(first.ConfidenceScore, result.ConfidenceScore);
Assert.Equal(first.Outcome, result.Outcome);
}
}
public static IEnumerable<object[]> GetShuffleTestCases()
{
yield return new object[]
{
new ShuffleTestCase
{
Name = "Two conflicting statements",
VulnerabilityId = "CVE-2023-12345",
ProductKey = "pkg:npm/test@1.0.0",
Statements = new[]
{
CreateStatement("stmt-1", VexStatus.NotAffected, 0.85m),
CreateStatement("stmt-2", VexStatus.Affected, 0.60m)
},
SampleSize = 2 // All permutations for 2 items
}
};
yield return new object[]
{
new ShuffleTestCase
{
Name = "Five statements with varying weights",
VulnerabilityId = "CVE-2023-67890",
ProductKey = "pkg:pypi/example@2.0.0",
Statements = new[]
{
CreateStatement("stmt-1", VexStatus.NotAffected, 0.90m),
CreateStatement("stmt-2", VexStatus.Affected, 0.70m),
CreateStatement("stmt-3", VexStatus.UnderInvestigation, 0.50m),
CreateStatement("stmt-4", VexStatus.Fixed, 0.80m),
CreateStatement("stmt-5", VexStatus.Affected, 0.65m)
},
SampleSize = 120 // All permutations for 5 items (5! = 120)
}
};
yield return new object[]
{
new ShuffleTestCase
{
Name = "Ten statements - random sample",
VulnerabilityId = "CVE-2024-11111",
ProductKey = "pkg:maven/org.example/lib@3.0.0",
Statements = GenerateRandomStatements(10),
SampleSize = 1000 // Random sample (10! = 3.6M too large)
}
};
}
```
### 3. Golden Corpus Curation
**Objective:** Create test cases from the golden set in advisory #5 (backport validation).
**Top 20 Backport Cases to Include:**
| # | Distro | Package | CVE | Why Interesting |
|---|--------|---------|-----|-----------------|
| 1 | Debian 7 | openssl | CVE-2014-0160 | Heartbleed - classic backport |
| 2 | RHEL 6 | openssl | CVE-2014-0160 | Heartbleed - RHEL variant |
| 3 | RHEL 7 | openssl | CVE-2020-1971 | NULL pointer deref |
| 4 | Ubuntu 20.04 | apache2 | CVE-2024-39573 | Recent SSRF fix |
| 5 | SUSE SLE 12 | apache2 | CVE-2024-38477 | mod_proxy null pointer |
| 6 | Debian 9 | openssh | CVE-2018-15473 | User enumeration |
| 7 | Debian 10 | sudo | CVE-2021-3156 | Baron Samedit |
| 8 | RHEL 7 | sudo | CVE-2019-14287 | Runas All bug |
| 9 | Ubuntu 12.04 | bash | CVE-2014-6271 | Shellshock |
| 10 | Debian 10 | curl | CVE-2023-27533 | TELNET injection |
| 11 | Fedora 34 | glibc | CVE-2021-33574 | mq_notify use-after-free |
| 12 | RHEL 8 | glibc | CVE-2024-2961 | iconv overflow |
| 13 | RHEL 7 | glibc | CVE-2015-0235 | GHOST |
| 14 | RHEL 7 | systemd | CVE-2020-1712 | use-after-free |
| 15 | Alpine 3.10 | musl | CVE-2020-28928 | wcsnrtombs overflow |
| 16 | Ubuntu 20.04 | openssl | CVE-2022-0778 | BN infinite loop |
| 17 | Debian 8 | sudo | CVE-2017-1000367 | TTY hijack |
| 18 | SUSE SLE 12 | apache2 | CVE-2024-38475 | mod_rewrite escaping |
| 19 | Debian 10 | curl | CVE-2023-27535 | FTP reuse auth bypass |
| 20 | Debian 10 | curl | CVE-2023-27538 | SSH reuse |
**Corpus Format:**
```
src/__Tests/__Datasets/GoldenBackports/
├── index.json # Index of all cases
├── CVE-2014-0160/
│ ├── case.json # Test case definition
│ ├── vulnerable.evr.json # Vulnerable version EVR
│ ├── patched.evr.json # Patched version EVR
│ └── expected_verdict.json # Expected verdict
├── CVE-2021-3156/
│ └── ...
└── ...
```
**Case Definition:**
```json
{
"caseId": "backport-debian7-openssl-heartbleed",
"cve": "CVE-2014-0160",
"distro": "debian",
"release": "7",
"codename": "wheezy",
"package": {
"source": "openssl",
"binary": "libssl1.0.0",
"vulnerableEvr": "1.0.1e-2+deb7u4",
"patchedEvr": "1.0.1e-2+deb7u5"
},
"upstream": {
"vulnerableRange": ">=1.0.1,<1.0.1g",
"fixedVersion": "1.0.1g"
},
"expectedVerdict": {
"status": "fixed",
"reason": "backport_detected",
"upstreamWouldSay": "affected"
},
"evidence": {
"advisoryUrl": "https://lists.debian.org/debian-security-announce/2014/msg00071.html",
"patchCommit": null,
"notes": "Heartbleed fix backported to 1.0.1e in Debian 7"
}
}
```
### 4. End-to-End Regression Suite
**Objective:** Validate full pipeline determinism from feed ingestion to verdict emission.
**Test Flow:**
```
Feed Snapshot → Concelier Normalization → VexLens Consensus → Policy Gate → Final Verdict
│ │ │ │ │
└───────────────────┴──────────────────────┴────────────────┴──────────────┘
All steps must be reproducible
given same inputs + timestamp
```
**Test Cases:**
```csharp
// src/__Tests/__Integration/DeterminismRegressionTests.cs
[Theory]
[MemberData(nameof(GetRegressionTestCases))]
public async Task FullPipeline_IsDeterministic(RegressionTestCase testCase)
{
// Arrange - Load golden inputs
var feedSnapshot = await LoadFeedSnapshotAsync(testCase.FeedSnapshotPath);
var sbom = await LoadSbomAsync(testCase.SbomPath);
var context = CreateDeterministicContext(testCase.AsOfTime);
// Act - Run pipeline twice
var result1 = await RunFullPipelineAsync(feedSnapshot, sbom, context);
var result2 = await RunFullPipelineAsync(feedSnapshot, sbom, context);
// Assert - Results must be byte-identical
var json1 = SerializeToCanonicalJson(result1);
var json2 = SerializeToCanonicalJson(result2);
Assert.Equal(json1, json2);
// Also verify against golden output
var expectedJson = await File.ReadAllTextAsync(testCase.ExpectedOutputPath);
Assert.Equal(expectedJson, json1);
}
```
## Delivery Tracker
| Task ID | Description | Status | Assignee | Notes |
|---------|-------------|--------|----------|-------|
| **PT-001** | Map CycloneDX 1.7 `analysis.state` | TODO | | |
| **PT-002** | Map CycloneDX 1.7 `analysis.justification` | TODO | | |
| **PT-003** | Map CycloneDX 1.7 `analysis.response` | TODO | | |
| **PT-004** | Map CycloneDX 1.7 `analysis.detail` | TODO | | |
| **PT-005** | Unit tests for CycloneDX 1.7 mapping | TODO | | |
| **PT-006** | Implement shuffle determinism test framework | TODO | | |
| **PT-007** | Add 2-statement shuffle tests | TODO | | |
| **PT-008** | Add 5-statement shuffle tests | TODO | | |
| **PT-009** | Add 10-statement random sample tests | TODO | | |
| **PT-010** | Create golden corpus directory structure | TODO | | |
| **PT-011** | Curate case 1-5 (OpenSSL, Apache) | TODO | | |
| **PT-012** | Curate case 6-10 (OpenSSH, Sudo, Bash, curl) | TODO | | |
| **PT-013** | Curate case 11-15 (glibc, systemd, musl) | TODO | | |
| **PT-014** | Curate case 16-20 (remaining) | TODO | | |
| **PT-015** | Create corpus index.json | TODO | | |
| **PT-016** | Implement corpus loader | TODO | | |
| **PT-017** | Implement corpus test runner | TODO | | |
| **PT-018** | End-to-end determinism test framework | TODO | | |
| **PT-019** | Add regression test cases | TODO | | |
| **PT-020** | CI integration for regression tests | TODO | | |
| **PT-021** | Documentation: Testing strategy | TODO | | |
## Decisions & Risks
| ID | Decision/Risk | Status | Notes |
|----|---------------|--------|-------|
| D-001 | Use 1000 random permutations for large statement sets | DECIDED | Full permutation infeasible for N>8 |
| D-002 | Store golden corpus in repo | DECIDED | Versioned with code |
| R-001 | Corpus curation is labor-intensive | OPEN | Start with top 20, expand over time |
| R-002 | External feed changes may break golden tests | OPEN | Use frozen snapshots |
## Execution Log
| Date | Event | Notes |
|------|-------|-------|
| 2026-01-02 | Sprint created | Based on product advisory analysis |
## References
- [Product Advisory: Golden Set for Patch Validation](../product-advisories/30-Dec-2025%20-%20Building%20a%20Golden%20Set%20for%20Patch%20Validation.md)
- [CycloneDX 1.7 Schema](https://cyclonedx.org/docs/1.7/)
- [Existing VexLens Truth Table Tests](../../src/VexLens/__Tests/StellaOps.VexLens.Tests/Consensus/VexLensTruthTableTests.cs)