stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(scanner): Complete PoE implementation with Windows compatibility fix

Browse Source 
- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
2025-12-23 14:52:08 +02:00
parent 84d97fd22c
commit fcb5ffe25d
90 changed files with 9457 additions and 2039 deletions
Download Patch File Download Diff File Expand all files Collapse all files

206
src/Concelier/__Libraries/StellaOps.Concelier.ProofService.Postgres/Migrations/20251223000001_AddProofEvidenceTables.sql Normal file
View File

@@ -0,0 +1,206 @@
-- Migration: Add Proof Evidence Tables for Sprint 7100.0002
-- Created: 2025-12-23
-- Purpose: Support four-tier backport detection with cryptographic proof generation
-- =============================================
-- SCHEMA: vuln (Concelier vulnerability data)
-- =============================================
-- Table: distro_advisories
-- Tier 1 evidence: Distro security advisories (DSA, RHSA, USN, etc.)
CREATE TABLE IF NOT EXISTS vuln.distro_advisories (
advisory_id TEXT PRIMARY KEY,
distro_name TEXT NOT NULL,
cve_id TEXT NOT NULL,
package_purl TEXT NOT NULL,
fixed_version TEXT,
published_at TIMESTAMPTZ NOT NULL,
status TEXT NOT NULL, -- 'fixed', 'patched', 'not-affected', 'under-investigation'
payload JSONB NOT NULL,
-- Indexing
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX idx_distro_advisories_cve_pkg
ON vuln.distro_advisories(cve_id, package_purl);
CREATE INDEX idx_distro_advisories_distro
ON vuln.distro_advisories(distro_name, published_at DESC);
CREATE INDEX idx_distro_advisories_published
ON vuln.distro_advisories(published_at DESC);
COMMENT ON TABLE vuln.distro_advisories IS
'Tier 1 evidence: Distro security advisories with fixed version metadata (confidence: 0.98)';
-- Table: changelog_evidence
-- Tier 2 evidence: Changelog mentions of CVE fixes
CREATE TABLE IF NOT EXISTS vuln.changelog_evidence (
changelog_id TEXT PRIMARY KEY,
package_purl TEXT NOT NULL,
format TEXT NOT NULL, -- 'debian', 'rpm', 'alpine'
version TEXT NOT NULL,
date TIMESTAMPTZ NOT NULL,
cve_ids TEXT[] NOT NULL,
payload JSONB NOT NULL,
-- Indexing
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX idx_changelog_evidence_cve
ON vuln.changelog_evidence USING GIN(cve_ids);
CREATE INDEX idx_changelog_evidence_pkg_date
ON vuln.changelog_evidence(package_purl, date DESC);
COMMENT ON TABLE vuln.changelog_evidence IS
'Tier 2 evidence: CVE mentions in debian/changelog, RPM changelog, Alpine commit messages (confidence: 0.80)';
-- Table: patch_evidence
-- Tier 3 evidence: Patch headers from Git commits and patch files
CREATE TABLE IF NOT EXISTS vuln.patch_evidence (
patch_id TEXT PRIMARY KEY,
patch_file_path TEXT NOT NULL,
origin TEXT, -- 'git', 'debian-patches', 'rpm-patches', etc.
cve_ids TEXT[] NOT NULL,
parsed_at TIMESTAMPTZ NOT NULL,
payload JSONB NOT NULL,
-- Indexing
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX idx_patch_evidence_cve
ON vuln.patch_evidence USING GIN(cve_ids);
CREATE INDEX idx_patch_evidence_origin
ON vuln.patch_evidence(origin, parsed_at DESC);
COMMENT ON TABLE vuln.patch_evidence IS
'Tier 3 evidence: Patch headers from Git commit messages and patch files (confidence: 0.85)';
-- Table: patch_signatures
-- Tier 3 evidence: HunkSig fuzzy patch matching
CREATE TABLE IF NOT EXISTS vuln.patch_signatures (
signature_id TEXT PRIMARY KEY,
cve_id TEXT NOT NULL,
commit_sha TEXT NOT NULL,
upstream_repo TEXT NOT NULL,
hunk_hash TEXT NOT NULL, -- Normalized hash of unified diff hunk
extracted_at TIMESTAMPTZ NOT NULL,
payload JSONB NOT NULL,
-- Indexing
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX idx_patch_signatures_cve
ON vuln.patch_signatures(cve_id);
CREATE INDEX idx_patch_signatures_hunk
ON vuln.patch_signatures(hunk_hash);
CREATE INDEX idx_patch_signatures_repo
ON vuln.patch_signatures(upstream_repo, extracted_at DESC);
COMMENT ON TABLE vuln.patch_signatures IS
'Tier 3 evidence: HunkSig fuzzy patch signature matches (confidence: 0.90)';
-- =============================================
-- SCHEMA: feedser (Binary analysis and fingerprinting)
-- =============================================
CREATE SCHEMA IF NOT EXISTS feedser;
-- Table: binary_fingerprints
-- Tier 4 evidence: Binary fingerprints for fuzzy matching
CREATE TABLE IF NOT EXISTS feedser.binary_fingerprints (
fingerprint_id TEXT PRIMARY KEY,
cve_id TEXT NOT NULL,
method TEXT NOT NULL, -- 'tlsh', 'cfg_hash', 'instruction_hash', 'symbol_hash', 'section_hash'
fingerprint_value TEXT NOT NULL,
target_binary TEXT NOT NULL, -- Binary file or library name
target_function TEXT, -- Optional function/symbol name
-- Metadata fields (denormalized for query performance)
architecture TEXT NOT NULL, -- 'x86_64', 'aarch64', 'armv7', etc.
format TEXT NOT NULL, -- 'ELF', 'PE', 'Mach-O'
compiler TEXT,
optimization_level TEXT,
has_debug_symbols BOOLEAN NOT NULL,
file_offset BIGINT,
region_size BIGINT,
-- Timestamps
extracted_at TIMESTAMPTZ NOT NULL,
extractor_version TEXT NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX idx_binary_fingerprints_cve
ON feedser.binary_fingerprints(cve_id, method);
CREATE INDEX idx_binary_fingerprints_method
ON feedser.binary_fingerprints(method, extracted_at DESC);
CREATE INDEX idx_binary_fingerprints_target
ON feedser.binary_fingerprints(target_binary, target_function);
CREATE INDEX idx_binary_fingerprints_arch
ON feedser.binary_fingerprints(architecture, format);
COMMENT ON TABLE feedser.binary_fingerprints IS
'Tier 4 evidence: Binary fingerprints for fuzzy matching of patched code (confidence: 0.55-0.85)';
-- =============================================
-- SCHEMA: attestor (Proof chain and audit log)
-- =============================================
CREATE SCHEMA IF NOT EXISTS attestor;
-- Table: proof_blobs (audit log for generated proofs)
-- Stores cryptographic proofs for transparency and replay
CREATE TABLE IF NOT EXISTS attestor.proof_blobs (
proof_id TEXT PRIMARY KEY,
proof_hash TEXT NOT NULL UNIQUE, -- BLAKE3-256 hash for tamper detection
cve_id TEXT NOT NULL,
package_purl TEXT NOT NULL,
confidence DECIMAL(3,2) NOT NULL CHECK (confidence >= 0 AND confidence <= 1),
method TEXT NOT NULL, -- 'tier_1', 'tier_2', 'tier_3', 'tier_4', 'multi_tier', 'unknown'
snapshot_id TEXT NOT NULL,
evidence_count INT NOT NULL,
generated_at TIMESTAMPTZ NOT NULL,
payload JSONB NOT NULL, -- Full ProofBlob JSON
-- Indexing
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX idx_proof_blobs_cve_pkg
ON attestor.proof_blobs(cve_id, package_purl);
CREATE INDEX idx_proof_blobs_confidence
ON attestor.proof_blobs(confidence DESC, generated_at DESC);
CREATE INDEX idx_proof_blobs_method
ON attestor.proof_blobs(method, generated_at DESC);
CREATE INDEX idx_proof_blobs_hash
ON attestor.proof_blobs(proof_hash);
COMMENT ON TABLE attestor.proof_blobs IS
'Audit log of generated cryptographic proofs for backport detection with tamper-evident hashing';
-- =============================================
-- UPDATE TRIGGERS (for updated_at timestamps)
-- =============================================
-- Trigger function for updating updated_at
CREATE OR REPLACE FUNCTION update_updated_at_column()
RETURNS TRIGGER AS $$
BEGIN
NEW.updated_at = NOW();
RETURN NEW;
END;
$$ LANGUAGE plpgsql;
-- Apply trigger to distro_advisories
CREATE TRIGGER update_distro_advisories_updated_at
BEFORE UPDATE ON vuln.distro_advisories
FOR EACH ROW
EXECUTE FUNCTION update_updated_at_column();
-- =============================================
-- MIGRATION COMPLETE
-- =============================================

73
src/Concelier/__Libraries/StellaOps.Concelier.ProofService.Postgres/PostgresDistroAdvisoryRepository.cs Normal file
View File

@@ -0,0 +1,73 @@
namespace StellaOps.Concelier.ProofService.Postgres;
using Dapper;
using Microsoft.Extensions.Logging;
using Npgsql;
using StellaOps.Concelier.ProofService;
using System.Text.Json;
/// <summary>
/// PostgreSQL implementation of distro advisory repository.
/// Queries the vuln.distro_advisories table for CVE + package evidence.
/// </summary>
public sealed class PostgresDistroAdvisoryRepository : IDistroAdvisoryRepository
{
private readonly string _connectionString;
private readonly ILogger<PostgresDistroAdvisoryRepository> _logger;
public PostgresDistroAdvisoryRepository(
string connectionString,
ILogger<PostgresDistroAdvisoryRepository> logger)
{
_connectionString = connectionString;
_logger = logger;
}
/// <summary>
/// Find distro advisory by CVE ID and package PURL.
/// Returns the most recent advisory if multiple matches exist.
/// </summary>
public async Task<DistroAdvisoryDto?> FindByCveAndPackageAsync(
string cveId,
string packagePurl,
CancellationToken ct)
{
const string sql = @"
SELECT
advisory_id AS AdvisoryId,
distro_name AS DistroName,
published_at AS PublishedAt,
status AS Status
FROM vuln.distro_advisories
WHERE cve_id = @CveId
AND package_purl = @PackagePurl
ORDER BY published_at DESC
LIMIT 1;
";
try
{
await using var connection = new NpgsqlConnection(_connectionString);
await connection.OpenAsync(ct);
var result = await connection.QuerySingleOrDefaultAsync<DistroAdvisoryDto>(
new CommandDefinition(sql, new { CveId = cveId, PackagePurl = packagePurl }, cancellationToken: ct));
if (result != null)
{
_logger.LogDebug(
"Found distro advisory {AdvisoryId} for {CveId} in {PackagePurl}",
result.AdvisoryId, cveId, packagePurl);
}
return result;
}
catch (Exception ex)
{
_logger.LogError(ex,
"Failed to query distro advisory for {CveId} in {PackagePurl}",
cveId, packagePurl);
throw;
}
}
}

208
src/Concelier/__Libraries/StellaOps.Concelier.ProofService.Postgres/PostgresPatchRepository.cs Normal file
View File

@@ -0,0 +1,208 @@
namespace StellaOps.Concelier.ProofService.Postgres;
using Dapper;
using Microsoft.Extensions.Logging;
using Npgsql;
using StellaOps.Concelier.ProofService;
using StellaOps.Feedser.BinaryAnalysis.Models;
/// <summary>
/// PostgreSQL implementation of patch repository.
/// Queries vuln.patch_evidence and feedser.binary_fingerprints tables.
/// </summary>
public sealed class PostgresPatchRepository : IPatchRepository
{
private readonly string _connectionString;
private readonly ILogger<PostgresPatchRepository> _logger;
public PostgresPatchRepository(
string connectionString,
ILogger<PostgresPatchRepository> logger)
{
_connectionString = connectionString;
_logger = logger;
}
/// <summary>
/// Find patch headers mentioning the given CVE ID.
/// Returns all matching patch headers ordered by parsed date (newest first).
/// </summary>
public async Task<IReadOnlyList<PatchHeaderDto>> FindPatchHeadersByCveAsync(
string cveId,
CancellationToken ct)
{
const string sql = @"
SELECT
patch_file_path AS PatchFilePath,
origin AS Origin,
parsed_at AS ParsedAt,
cve_ids AS CveIds
FROM vuln.patch_evidence
WHERE @CveId = ANY(cve_ids)
ORDER BY parsed_at DESC;
";
try
{
await using var connection = new NpgsqlConnection(_connectionString);
await connection.OpenAsync(ct);
var results = await connection.QueryAsync<PatchHeaderDto>(
new CommandDefinition(sql, new { CveId = cveId }, cancellationToken: ct));
var patchList = results.ToList();
_logger.LogDebug(
"Found {Count} patch headers for {CveId}",
patchList.Count, cveId);
return patchList;
}
catch (Exception ex)
{
_logger.LogError(ex,
"Failed to query patch headers for {CveId}",
cveId);
throw;
}
}
/// <summary>
/// Find patch signatures (HunkSig matches) for the given CVE ID.
/// Returns all matching signatures ordered by extraction date (newest first).
/// </summary>
public async Task<IReadOnlyList<PatchSigDto>> FindPatchSignaturesByCveAsync(
string cveId,
CancellationToken ct)
{
const string sql = @"
SELECT
commit_sha AS CommitSha,
upstream_repo AS UpstreamRepo,
extracted_at AS ExtractedAt,
hunk_hash AS HunkHash
FROM vuln.patch_signatures
WHERE cve_id = @CveId
ORDER BY extracted_at DESC;
";
try
{
await using var connection = new NpgsqlConnection(_connectionString);
await connection.OpenAsync(ct);
var results = await connection.QueryAsync<PatchSigDto>(
new CommandDefinition(sql, new { CveId = cveId }, cancellationToken: ct));
var sigList = results.ToList();
_logger.LogDebug(
"Found {Count} patch signatures for {CveId}",
sigList.Count, cveId);
return sigList;
}
catch (Exception ex)
{
_logger.LogError(ex,
"Failed to query patch signatures for {CveId}",
cveId);
throw;
}
}
/// <summary>
/// Find binary fingerprints for the given CVE ID.
/// Returns all matching fingerprints ordered by extraction date (newest first).
/// </summary>
public async Task<IReadOnlyList<BinaryFingerprint>> FindBinaryFingerprintsByCveAsync(
string cveId,
CancellationToken ct)
{
const string sql = @"
SELECT
fingerprint_id AS FingerprintId,
cve_id AS CveId,
method AS Method,
fingerprint_value AS FingerprintValue,
target_binary AS TargetBinary,
target_function AS TargetFunction,
architecture AS Architecture,
format AS Format,
compiler AS Compiler,
optimization_level AS OptimizationLevel,
has_debug_symbols AS HasDebugSymbols,
file_offset AS FileOffset,
region_size AS RegionSize,
extracted_at AS ExtractedAt,
extractor_version AS ExtractorVersion
FROM feedser.binary_fingerprints
WHERE cve_id = @CveId
ORDER BY extracted_at DESC;
";
try
{
await using var connection = new NpgsqlConnection(_connectionString);
await connection.OpenAsync(ct);
var results = await connection.QueryAsync<BinaryFingerprintRow>(
new CommandDefinition(sql, new { CveId = cveId }, cancellationToken: ct));
var fingerprints = results.Select(row => new BinaryFingerprint
{
FingerprintId = row.FingerprintId,
CveId = row.CveId,
Method = Enum.Parse<FingerprintMethod>(row.Method, ignoreCase: true),
FingerprintValue = row.FingerprintValue,
TargetBinary = row.TargetBinary,
TargetFunction = row.TargetFunction,
Metadata = new FingerprintMetadata
{
Architecture = row.Architecture,
Format = row.Format,
Compiler = row.Compiler,
OptimizationLevel = row.OptimizationLevel,
HasDebugSymbols = row.HasDebugSymbols,
FileOffset = row.FileOffset,
RegionSize = row.RegionSize
},
ExtractedAt = row.ExtractedAt,
ExtractorVersion = row.ExtractorVersion
}).ToList();
_logger.LogDebug(
"Found {Count} binary fingerprints for {CveId}",
fingerprints.Count, cveId);
return fingerprints;
}
catch (Exception ex)
{
_logger.LogError(ex,
"Failed to query binary fingerprints for {CveId}",
cveId);
throw;
}
}
// Internal row mapping class for Dapper
private sealed class BinaryFingerprintRow
{
public required string FingerprintId { get; init; }
public required string CveId { get; init; }
public required string Method { get; init; }
public required string FingerprintValue { get; init; }
public required string TargetBinary { get; init; }
public string? TargetFunction { get; init; }
public required string Architecture { get; init; }
public required string Format { get; init; }
public string? Compiler { get; init; }
public string? OptimizationLevel { get; init; }
public required bool HasDebugSymbols { get; init; }
public long? FileOffset { get; init; }
public long? RegionSize { get; init; }
public required DateTimeOffset ExtractedAt { get; init; }
public required string ExtractorVersion { get; init; }
}
}

70
src/Concelier/__Libraries/StellaOps.Concelier.ProofService.Postgres/PostgresSourceArtifactRepository.cs Normal file
View File

@@ -0,0 +1,70 @@
namespace StellaOps.Concelier.ProofService.Postgres;
using Dapper;
using Microsoft.Extensions.Logging;
using Npgsql;
using StellaOps.Concelier.ProofService;
/// <summary>
/// PostgreSQL implementation of source artifact repository.
/// Queries vuln.changelog_evidence for CVE mentions in changelogs.
/// </summary>
public sealed class PostgresSourceArtifactRepository : ISourceArtifactRepository
{
private readonly string _connectionString;
private readonly ILogger<PostgresSourceArtifactRepository> _logger;
public PostgresSourceArtifactRepository(
string connectionString,
ILogger<PostgresSourceArtifactRepository> logger)
{
_connectionString = connectionString;
_logger = logger;
}
/// <summary>
/// Find changelog entries mentioning the given CVE ID and package PURL.
/// Returns all matching changelog entries ordered by date (newest first).
/// </summary>
public async Task<IReadOnlyList<ChangelogDto>> FindChangelogsByCveAsync(
string cveId,
string packagePurl,
CancellationToken ct)
{
const string sql = @"
SELECT
format AS Format,
version AS Version,
date AS Date,
cve_ids AS CveIds
FROM vuln.changelog_evidence
WHERE @CveId = ANY(cve_ids)
AND package_purl = @PackagePurl
ORDER BY date DESC;
";
try
{
await using var connection = new NpgsqlConnection(_connectionString);
await connection.OpenAsync(ct);
var results = await connection.QueryAsync<ChangelogDto>(
new CommandDefinition(sql, new { CveId = cveId, PackagePurl = packagePurl }, cancellationToken: ct));
var changelogList = results.ToList();
_logger.LogDebug(
"Found {Count} changelog entries for {CveId} in {PackagePurl}",
changelogList.Count, cveId, packagePurl);
return changelogList;
}
catch (Exception ex)
{
_logger.LogError(ex,
"Failed to query changelog evidence for {CveId} in {PackagePurl}",
cveId, packagePurl);
throw;
}
}
}

20
src/Concelier/__Libraries/StellaOps.Concelier.ProofService.Postgres/StellaOps.Concelier.ProofService.Postgres.csproj Normal file
View File

@@ -0,0 +1,20 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Npgsql" Version="10.0.0" />
<PackageReference Include="Dapper" Version="2.1.66" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\StellaOps.Concelier.ProofService\StellaOps.Concelier.ProofService.csproj" />
<ProjectReference Include="..\..\..\Feedser\StellaOps.Feedser.BinaryAnalysis\StellaOps.Feedser.BinaryAnalysis.csproj" />
</ItemGroup>
</Project>

223
src/Concelier/__Libraries/StellaOps.Concelier.ProofService.Postgres/TestData/SeedProofEvidence.sql Normal file
View File

@@ -0,0 +1,223 @@
-- Seed Script: Test Data for Proof Evidence
-- Purpose: Provide sample data for testing four-tier backport detection
-- =============================================
-- Tier 1: Distro Advisories
-- =============================================
-- CVE-2024-1234 in curl (Debian fixed)
INSERT INTO vuln.distro_advisories (advisory_id, distro_name, cve_id, package_purl, fixed_version, published_at, status, payload)
VALUES (
'DSA-5001',
'debian',
'CVE-2024-1234',
'pkg:deb/debian/curl@7.64.0-4',
'7.64.0-4+deb10u3',
'2024-03-15 10:30:00+00'::timestamptz,
'fixed',
'{"description": "Security fix for buffer overflow", "severity": "high", "references": ["https://security.debian.org/DSA-5001"]}'::jsonb
);
-- CVE-2024-5678 in openssl (RHSA)
INSERT INTO vuln.distro_advisories (advisory_id, distro_name, cve_id, package_purl, fixed_version, published_at, status, payload)
VALUES (
'RHSA-2024:1234',
'rhel',
'CVE-2024-5678',
'pkg:rpm/redhat/openssl@1.1.1k-7.el8',
'1.1.1k-8.el8',
'2024-04-20 14:00:00+00'::timestamptz,
'fixed',
'{"description": "OpenSSL security update", "severity": "critical", "references": ["https://access.redhat.com/errata/RHSA-2024:1234"]}'::jsonb
);
-- CVE-2024-9999 in nginx (Ubuntu)
INSERT INTO vuln.distro_advisories (advisory_id, distro_name, cve_id, package_purl, fixed_version, published_at, status, payload)
VALUES (
'USN-6789-1',
'ubuntu',
'CVE-2024-9999',
'pkg:deb/ubuntu/nginx@1.18.0-0ubuntu1.4',
'1.18.0-0ubuntu1.5',
'2024-05-10 09:15:00+00'::timestamptz,
'fixed',
'{"description": "Nginx HTTP/2 implementation flaw", "severity": "medium", "references": ["https://ubuntu.com/security/notices/USN-6789-1"]}'::jsonb
);
-- =============================================
-- Tier 2: Changelog Evidence
-- =============================================
-- CVE-2024-1234 mentioned in curl changelog
INSERT INTO vuln.changelog_evidence (changelog_id, package_purl, format, version, date, cve_ids, payload)
VALUES (
'changelog:deb:curl:7.64.0-4+deb10u3',
'pkg:deb/debian/curl@7.64.0-4',
'debian',
'7.64.0-4+deb10u3',
'2024-03-15 08:00:00+00'::timestamptz,
ARRAY['CVE-2024-1234'],
'{"entry": "curl (7.64.0-4+deb10u3) buster-security; urgency=high\n * Fix CVE-2024-1234: Buffer overflow in libcurl\n -- Debian Security Team <team@security.debian.org> Fri, 15 Mar 2024 08:00:00 +0000"}'::jsonb
);
-- CVE-2024-5678 mentioned in openssl changelog
INSERT INTO vuln.changelog_evidence (changelog_id, package_purl, format, version, date, cve_ids, payload)
VALUES (
'changelog:rpm:openssl:1.1.1k-8.el8',
'pkg:rpm/redhat/openssl@1.1.1k-7.el8',
'rpm',
'1.1.1k-8.el8',
'2024-04-20 12:00:00+00'::timestamptz,
ARRAY['CVE-2024-5678'],
'{"entry": "* Fri Apr 20 2024 Red Hat Security <security@redhat.com> - 1.1.1k-8.el8\n- Fix CVE-2024-5678: TLS handshake vulnerability"}'::jsonb
);
-- =============================================
-- Tier 3: Patch Evidence (Headers)
-- =============================================
-- CVE-2024-1234 patch from curl upstream
INSERT INTO vuln.patch_evidence (patch_id, patch_file_path, origin, cve_ids, parsed_at, payload)
VALUES (
'patch:git:curl:abc123def456',
'debian/patches/CVE-2024-1234.patch',
'git',
ARRAY['CVE-2024-1234'],
'2024-03-10 16:30:00+00'::timestamptz,
'{"commit": "abc123def456", "author": "Daniel Stenberg <daniel@haxx.se>", "date": "2024-03-10", "message": "lib: fix buffer overflow in url parsing (CVE-2024-1234)\n\nThe URL parser did not properly handle overlong percent-encoded sequences..."}'::jsonb
);
-- CVE-2024-9999 patch from nginx upstream
INSERT INTO vuln.patch_evidence (patch_id, patch_file_path, origin, cve_ids, parsed_at, payload)
VALUES (
'patch:git:nginx:fed789cba012',
'debian/patches/CVE-2024-9999.patch',
'git',
ARRAY['CVE-2024-9999'],
'2024-05-05 11:20:00+00'::timestamptz,
'{"commit": "fed789cba012", "author": "Maxim Dounin <mdounin@mdounin.ru>", "date": "2024-05-05", "message": "HTTP/2: fixed handling of empty CONTINUATION frames (CVE-2024-9999)"}'::jsonb
);
-- =============================================
-- Tier 3: Patch Signatures (HunkSig)
-- =============================================
-- HunkSig match for CVE-2024-1234
INSERT INTO vuln.patch_signatures (signature_id, cve_id, commit_sha, upstream_repo, hunk_hash, extracted_at, payload)
VALUES (
'hunksig:curl:abc123def456:1',
'CVE-2024-1234',
'abc123def456',
'https://github.com/curl/curl',
'sha256:1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890',
'2024-03-11 10:00:00+00'::timestamptz,
'{"hunk": "@@ -856,7 +856,11 @@ parse_url(...)\n /* allocate buffer */\n- buf = malloc(len);\n+ if(len > MAX_URL_LEN)\n+ return CURLE_URL_MALFORMAT;\n+ buf = malloc(len);", "normalized": true}'::jsonb
);
-- =============================================
-- Tier 4: Binary Fingerprints
-- =============================================
-- TLSH fingerprint for CVE-2024-1234 (curl libcurl.so.4)
INSERT INTO feedser.binary_fingerprints (
fingerprint_id, cve_id, method, fingerprint_value,
target_binary, target_function,
architecture, format, compiler, optimization_level,
has_debug_symbols, file_offset, region_size,
extracted_at, extractor_version
)
VALUES (
'fingerprint:tlsh:curl:libcurl.so.4:parse_url',
'CVE-2024-1234',
'tlsh',
'T12A4F1B8E9C3D5A7F2E1B4C8D9A6E3F5B7C2A4D9E6F1A8B3C5E7D2F4A9B6C1E8',
'libcurl.so.4',
'parse_url',
'x86_64',
'ELF',
'gcc 9.4.0',
'-O2',
false,
45632,
2048,
'2024-03-16 14:00:00+00'::timestamptz,
'1.0.0'
);
-- Instruction hash for CVE-2024-5678 (openssl libssl.so.1.1)
INSERT INTO feedser.binary_fingerprints (
fingerprint_id, cve_id, method, fingerprint_value,
target_binary, target_function,
architecture, format, compiler, optimization_level,
has_debug_symbols, file_offset, region_size,
extracted_at, extractor_version
)
VALUES (
'fingerprint:instruction_hash:openssl:libssl.so.1.1:ssl_handshake',
'CVE-2024-5678',
'instruction_hash',
'sha256:9f8e7d6c5b4a3210fedcba9876543210fedcba9876543210fedcba9876543210',
'libssl.so.1.1',
'ssl_handshake',
'x86_64',
'ELF',
'gcc 8.5.0',
'-O2 -fstack-protector-strong',
false,
98304,
4096,
'2024-04-21 16:30:00+00'::timestamptz,
'1.0.0'
);
-- =============================================
-- Proof Blobs (Audit Log)
-- =============================================
-- Multi-tier proof for CVE-2024-1234 (Tier 1 + Tier 3 + Tier 4)
INSERT INTO attestor.proof_blobs (
proof_id, proof_hash, cve_id, package_purl,
confidence, method, snapshot_id, evidence_count, generated_at, payload
)
VALUES (
'proof:CVE-2024-1234:pkg:deb/debian/curl@7.64.0-4:20240316T140000Z',
'blake3:a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890',
'CVE-2024-1234',
'pkg:deb/debian/curl@7.64.0-4',
0.93, -- Tier 1 (0.98) + Tier 3 (0.85) + Tier 4 (0.75) = max(0.98) + 0.08 bonus = 1.06 → capped at 0.98, but adjusted for demo
'multi_tier',
'snapshot:20240316T140000Z',
3,
'2024-03-16 14:00:00+00'::timestamptz,
'{"proof_id": "proof:CVE-2024-1234:pkg:deb/debian/curl@7.64.0-4:20240316T140000Z", "cve_id": "CVE-2024-1234", "package_purl": "pkg:deb/debian/curl@7.64.0-4", "confidence": 0.93, "method": "multi_tier", "snapshot_id": "snapshot:20240316T140000Z", "evidences": [{"evidence_id": "evidence:distro:debian:DSA-5001", "type": "DistroAdvisory", "source": "debian"}, {"evidence_id": "evidence:patch_header:debian/patches/CVE-2024-1234.patch", "type": "PatchHeader", "source": "git"}, {"evidence_id": "evidence:binary:tlsh:fingerprint:tlsh:curl:libcurl.so.4:parse_url", "type": "BinaryFingerprint", "source": "tlsh"}]}'::jsonb
);
-- Single-tier proof for CVE-2024-5678 (Tier 1 only)
INSERT INTO attestor.proof_blobs (
proof_id, proof_hash, cve_id, package_purl,
confidence, method, snapshot_id, evidence_count, generated_at, payload
)
VALUES (
'proof:CVE-2024-5678:pkg:rpm/redhat/openssl@1.1.1k-7.el8:20240421T170000Z',
'blake3:b2c3d4e5f6789012345678901234567890123456789012345678901234567890ab',
'CVE-2024-5678',
'pkg:rpm/redhat/openssl@1.1.1k-7.el8',
0.98, -- Tier 1 only
'tier_1',
'snapshot:20240421T170000Z',
1,
'2024-04-21 17:00:00+00'::timestamptz,
'{"proof_id": "proof:CVE-2024-5678:pkg:rpm/redhat/openssl@1.1.1k-7.el8:20240421T170000Z", "cve_id": "CVE-2024-5678", "package_purl": "pkg:rpm/redhat/openssl@1.1.1k-7.el8", "confidence": 0.98, "method": "tier_1", "snapshot_id": "snapshot:20240421T170000Z", "evidences": [{"evidence_id": "evidence:distro:rhel:RHSA-2024:1234", "type": "DistroAdvisory", "source": "rhel"}]}'::jsonb
);
-- =============================================
-- SEED DATA COMPLETE
-- =============================================
-- Summary:
-- - 3 distro advisories (Tier 1)
-- - 2 changelog entries (Tier 2)
-- - 2 patch headers (Tier 3)
-- - 1 patch signature (Tier 3)
-- - 2 binary fingerprints (Tier 4)
-- - 2 proof blobs (audit log)
-- Total: 12 evidence records covering 3 CVEs