{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://stellaops.io/schemas/binarydiff-v1.schema.json", "title": "BinaryDiffV1", "description": "In-toto predicate for binary-level diff attestations", "type": "object", "required": ["predicateType", "subjects", "inputs", "findings", "metadata"], "properties": { "predicateType": { "const": "stellaops.binarydiff.v1" }, "subjects": { "type": "array", "items": { "$ref": "#/$defs/BinaryDiffSubject" }, "minItems": 1 }, "inputs": { "$ref": "#/$defs/BinaryDiffInputs" }, "findings": { "type": "array", "items": { "$ref": "#/$defs/BinaryDiffFinding" } }, "metadata": { "$ref": "#/$defs/BinaryDiffMetadata" } }, "$defs": { "BinaryDiffSubject": { "type": "object", "required": ["name", "digest"], "properties": { "name": { "type": "string", "description": "Image reference (e.g., docker://repo/app@sha256:...)" }, "digest": { "type": "object", "additionalProperties": { "type": "string" } }, "platform": { "$ref": "#/$defs/Platform" } } }, "BinaryDiffInputs": { "type": "object", "required": ["base", "target"], "properties": { "base": { "$ref": "#/$defs/ImageReference" }, "target": { "$ref": "#/$defs/ImageReference" } } }, "ImageReference": { "type": "object", "required": ["digest"], "properties": { "reference": { "type": "string" }, "digest": { "type": "string" }, "manifestDigest": { "type": "string" }, "platform": { "$ref": "#/$defs/Platform" } } }, "Platform": { "type": "object", "properties": { "os": { "type": "string" }, "architecture": { "type": "string" }, "variant": { "type": "string" } } }, "BinaryDiffFinding": { "type": "object", "required": ["path", "changeType", "binaryFormat"], "properties": { "path": { "type": "string", "description": "File path within the image filesystem" }, "changeType": { "enum": ["added", "removed", "modified", "unchanged"] }, "binaryFormat": { "enum": ["elf", "pe", "macho", "unknown"] }, "layerDigest": { "type": "string", "description": "Digest of the layer that introduced this change" }, 
"baseHashes": { "$ref": "#/$defs/SectionHashSet" }, "targetHashes": { "$ref": "#/$defs/SectionHashSet" }, "sectionDeltas": { "type": "array", "items": { "$ref": "#/$defs/SectionDelta" } }, "confidence": { "type": "number", "minimum": 0, "maximum": 1 }, "verdict": { "enum": ["patched", "vanilla", "unknown", "incompatible"] } } }, "SectionHashSet": { "type": "object", "properties": { "buildId": { "type": "string" }, "fileHash": { "type": "string" }, "sections": { "type": "object", "additionalProperties": { "$ref": "#/$defs/SectionInfo" } } } }, "SectionInfo": { "type": "object", "required": ["sha256", "size"], "properties": { "sha256": { "type": "string" }, "blake3": { "type": "string" }, "size": { "type": "integer" } } }, "SectionDelta": { "type": "object", "required": ["section", "status"], "properties": { "section": { "type": "string", "description": "Section name (e.g., .text, .rodata)" }, "status": { "enum": ["identical", "modified", "added", "removed"] }, "baseSha256": { "type": "string" }, "targetSha256": { "type": "string" }, "sizeDelta": { "type": "integer" } } }, "BinaryDiffMetadata": { "type": "object", "required": ["toolVersion", "analysisTimestamp"], "properties": { "toolVersion": { "type": "string" }, "analysisTimestamp": { "type": "string", "format": "date-time" }, "configDigest": { "type": "string" }, "totalBinaries": { "type": "integer" }, "modifiedBinaries": { "type": "integer" }, "analyzedSections": { "type": "array", "items": { "type": "string" } } } } } }