# Advisory architecture alignment

## Purpose

- Summarize alignment with advisory architecture requirements.
- Capture supported formats, evidence types, and known gaps.

## DSSE predicate types

- https://in-toto.io/attestation/slsa/v1.0 (Attestor)
- stella.ops/sbom@v1 (Scanner)
- stella.ops/vex@v1 (Excititor)
- stella.ops/callgraph@v1 (Scanner.Reachability)
- stella.ops/reachabilityWitness@v1 (Scanner.Reachability)
- stella.ops/policy-decision@v1 (Policy.Engine)
- stella.ops/score-attestation@v1 (Policy.Scoring)
- stella.ops/witness@v1 (Scanner.Reachability)
- stella.ops/drift@v1 (Scanner.ReachabilityDrift)
- stella.ops/unknown@v1 (Scanner.Unknowns)
- stella.ops/triage@v1 (Scanner.Triage)
- stella.ops/vuln-surface@v1 (Scanner.VulnSurfaces)
- stella.ops/trigger@v1 (Scanner.VulnSurfaces)
- stella.ops/explanation@v1 (Scanner.Reachability)
- stella.ops/boundary@v1 (Scanner.SmartDiff)
- stella.ops/evidence@v1 (Scanner.SmartDiff)
- stella.ops/approval@v1 (Policy.Engine)
- stella.ops/component@v1 (Scanner.Emit)
- stella.ops/richgraph@v1 (Scanner.Reachability)

## VEX and advisory formats

- OpenVEX 0.2.0+
- CycloneDX VEX 1.4 to 1.6
- CSAF 2.0
- OSV

## CVSS and scoring

- CVSS v4 vector parsing with macrovector and environmental metrics.
- Deterministic scoring with canonical JSON, stable ordering, and hashed snapshots.

## EPSS handling

- EPSS uses model_date (daily) rather than numbered versions.
- Scores and percentiles are stored with model_date and captured at scan time.
- Offline bundles include EPSS data and hashes for air-gapped replay.

## Reachability analysis

- Hybrid static and runtime reachability evidence.
- Call graph extraction for .NET, Java, Node.js, Python, Go (external tooling), and native binaries.

## Call-stack witnesses

- Signed witnesses for entrypoint-to-sink paths.
- Witnesses are stored as content-addressed artifacts with DSSE signatures.

## Smart-diff rules

- New finding detection.
- Score increase detection.
- VEX status change detection.
- Reachability change detection.
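As an added illustration (not Stella Ops code), the constructed example below applies the four smart-diff rules to two scan snapshots and also hashes each snapshot from canonical JSON with stable ordering, the property the deterministic-scoring item relies on. The finding record fields and the package names are assumptions chosen for the sample.

```python
import hashlib
import json

# Constructed sample snapshots (placeholder packages and vulnerability ids):
# one record per (component, vuln) with a score, a VEX status and a
# reachability verdict.
BEFORE = [
    {"component": "pkg:npm/example-a@1.0.0", "vuln": "VULN-A", "score": 5.5,
     "vex": "under_investigation", "reachable": False},
    {"component": "pkg:npm/example-b@1.0.0", "vuln": "VULN-B", "score": 7.0,
     "vex": "affected", "reachable": True},
    {"component": "pkg:npm/example-c@1.0.0", "vuln": "VULN-C", "score": 3.1,
     "vex": "not_affected", "reachable": False},
]
AFTER = [
    {"component": "pkg:npm/example-a@1.0.0", "vuln": "VULN-A", "score": 8.8,
     "vex": "affected", "reachable": True},
    {"component": "pkg:npm/example-b@1.0.0", "vuln": "VULN-B", "score": 7.0,
     "vex": "fixed", "reachable": True},
    {"component": "pkg:npm/example-c@1.0.0", "vuln": "VULN-C", "score": 3.1,
     "vex": "not_affected", "reachable": False},
    {"component": "pkg:npm/example-d@1.0.0", "vuln": "VULN-D", "score": 6.1,
     "vex": "under_investigation", "reachable": False},
]

def finding_key(f):
    return (f["component"], f["vuln"])

def canonical_json(obj):
    # Sorted keys, no insignificant whitespace: same content -> same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def snapshot_hash(findings):
    # Stable ordering of records so input order cannot change the hash.
    ordered = sorted(findings, key=finding_key)
    return hashlib.sha256(canonical_json(ordered)).hexdigest()

def smart_diff(before, after):
    """Return (rule, key) events for the four smart-diff rules, in key order."""
    old = {finding_key(f): f for f in before}
    events = []
    for f in sorted(after, key=finding_key):
        k = finding_key(f)
        prev = old.get(k)
        if prev is None:
            events.append(("new_finding", k))
            continue
        if f["score"] > prev["score"]:
            events.append(("score_increase", k))
        if f["vex"] != prev["vex"]:
            events.append(("vex_status_change", k))
        if f["reachable"] != prev["reachable"]:
            events.append(("reachability_change", k))
    return events
```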
## Unknowns handling

- Unknown types: missing_vex, ambiguous_indirect_call, unanalyzed_dependency, stale_sbom, missing_reachability, unmatched_cpe, conflict_vex, native_code, generated_code, dynamic_dispatch, external_boundary.
- Scoring dimensions: blast radius, evidence scarcity, exploit pressure, containment signals, time decay.

## CycloneDX baseline

- Current baseline is CycloneDX 1.6; upgrade to 1.7 when SDK support is available.

## Areas beyond baseline requirements

- Offline and air-gap operation with bundled proofs.
- Regional crypto readiness (GOST, SM2/SM3, PQ-ready modes).
- Multi-tenant isolation and signed transparency integration.
- Native binary analysis for PE, ELF, and Mach-O.