/**
* Security Atoms - Canonical propositions for vulnerability disposition.
* Sprint: SPRINT_3600_0001_0001 (Trust Algebra and Lattice Engine)
* Task: TRUST-002
*
* Defines the orthogonal atomic propositions used to represent security
* knowledge about a Subject (artifact + component + vulnerability).
*
* External VEX formats (CycloneDX, OpenVEX, CSAF) are normalized into
* these canonical atoms for uniform aggregation and decision making.
*/
namespace StellaOps.Policy.TrustLattice;
///
/// Canonical security propositions for vulnerability disposition.
/// Each atom is a boolean proposition that can have a K4 truth value.
///
///
/// These atoms are intentionally orthogonal; external VEX formats
/// are normalized into combinations of these atoms.
///
public enum SecurityAtom
{
///
/// PRESENT: The component instance exists in the artifact/context.
/// False when component is not actually in the artifact despite declaration.
///
Present = 1,
///
/// APPLIES: The vulnerability applies to this component (version/range/CPE match).
/// False when version is outside affected range.
///
Applies = 2,
///
/// REACHABLE: The vulnerable code is reachable in the given execution context.
/// False when code paths to vulnerability are not exercised.
///
Reachable = 3,
///
/// MITIGATED: Controls exist that prevent exploitation.
/// True when compiler protections, runtime guards, WAF rules, etc. are active.
///
Mitigated = 4,
///
/// FIXED: Remediation has been applied to the artifact.
/// True when patches, upgrades, or other fixes are in place.
///
Fixed = 5,
///
/// MISATTRIBUTED: The finding is a false association (false positive).
/// True when the vulnerability was incorrectly linked to this component.
///
Misattributed = 6,
}
///
/// Extension methods for SecurityAtom.
///
public static class SecurityAtomExtensions
{
///
/// Returns a human-readable display name for the atom.
///
public static string ToDisplayName(this SecurityAtom atom) => atom switch
{
SecurityAtom.Present => "Component Present",
SecurityAtom.Applies => "Vulnerability Applies",
SecurityAtom.Reachable => "Code Reachable",
SecurityAtom.Mitigated => "Mitigations Active",
SecurityAtom.Fixed => "Remediation Applied",
SecurityAtom.Misattributed => "False Association",
_ => atom.ToString(),
};
///
/// Returns the canonical string representation for serialization.
///
public static string ToCanonicalName(this SecurityAtom atom) => atom switch
{
SecurityAtom.Present => "PRESENT",
SecurityAtom.Applies => "APPLIES",
SecurityAtom.Reachable => "REACHABLE",
SecurityAtom.Mitigated => "MITIGATED",
SecurityAtom.Fixed => "FIXED",
SecurityAtom.Misattributed => "MISATTRIBUTED",
_ => atom.ToString().ToUpperInvariant(),
};
///
/// Parses a canonical name to SecurityAtom.
///
public static SecurityAtom? FromCanonicalName(string name)
{
return name?.ToUpperInvariant() switch
{
"PRESENT" => SecurityAtom.Present,
"APPLIES" => SecurityAtom.Applies,
"REACHABLE" => SecurityAtom.Reachable,
"MITIGATED" => SecurityAtom.Mitigated,
"FIXED" => SecurityAtom.Fixed,
"MISATTRIBUTED" => SecurityAtom.Misattributed,
_ => null,
};
}
///
/// Returns all defined security atoms.
///
public static IEnumerable All()
{
yield return SecurityAtom.Present;
yield return SecurityAtom.Applies;
yield return SecurityAtom.Reachable;
yield return SecurityAtom.Mitigated;
yield return SecurityAtom.Fixed;
yield return SecurityAtom.Misattributed;
}
}