- Introduced sample proof bundle configuration files for testing, including `sample-proof-bundle-config.dsse.json`, `sample-proof-bundle.dsse.json`, and `sample-proof-bundle.json`. - Implemented a verification script `test_verify_sample.sh` to validate proof bundles against specified schemas and catalogs. - Updated existing proof bundle configurations with new metadata, including versioning, created timestamps, and justification details. - Enhanced evidence entries with expiration dates and hashes for better integrity checks. - Ensured all new configurations adhere to the defined schema for consistency and reliability in testing.
{
|
|
"version": "1.0.0",
|
|
"generated_at": "2025-12-04T00:00:00Z",
|
|
"entries": [
|
|
{
|
|
"id": "VEX1.vulnerable_code_not_present",
|
|
"title": "Vulnerable code removed or not shipped",
|
|
"description": "Binary artifacts do not contain the vulnerable code paths; validated via reachability graph and reproducible build metadata.",
|
|
"applicability": [
|
|
"not_affected"
|
|
],
|
|
"required_evidence": [
|
|
"graph_hash",
|
|
"entrypoint_coverage>=95",
|
|
"negative_tests",
|
|
"config_hash"
|
|
],
|
|
"expiry_days": 90,
|
|
"reevaluate_on": [
|
|
"sbom_change",
|
|
"graph_change",
|
|
"runtime_change"
|
|
],
|
|
"rbac": [
|
|
"vex-author",
|
|
"policy-admin"
|
|
],
|
|
"policy_links": [
|
|
"docs/policy/dsl.md#requirevex"
|
|
],
|
|
"uncertainty_gate": "U1-low"
|
|
},
|
|
{
|
|
"id": "VEX2.component_not_present",
|
|
"title": "Component not present in runtime image",
|
|
"description": "SBOM and runtime inventory confirm the vulnerable component is absent from the shipped artifact.",
|
|
"applicability": [
|
|
"not_affected"
|
|
],
|
|
"required_evidence": [
|
|
"sbom_digest",
|
|
"runtime_inventory",
|
|
"config_hash"
|
|
],
|
|
"expiry_days": 60,
|
|
"reevaluate_on": [
|
|
"sbom_change",
|
|
"runtime_change"
|
|
],
|
|
"rbac": [
|
|
"vex-author"
|
|
],
|
|
"policy_links": [
|
|
"docs/modules/excititor/architecture.md#normalization"
|
|
],
|
|
"uncertainty_gate": "U1-low"
|
|
},
|
|
{
|
|
"id": "VEX3.config_not_vulnerable",
|
|
"title": "Configuration disables vulnerable feature",
|
|
"description": "Configuration and feature flags disable the vulnerable execution path; enforced by config/flag hashing and negative tests.",
|
|
"applicability": [
|
|
"not_affected"
|
|
],
|
|
"required_evidence": [
|
|
"config_hash",
|
|
"flags_hash",
|
|
"negative_tests"
|
|
],
|
|
"expiry_days": 45,
|
|
"reevaluate_on": [
|
|
"config_change",
|
|
"flags_change",
|
|
"runtime_change"
|
|
],
|
|
"rbac": [
|
|
"vex-author",
|
|
"release-manager"
|
|
],
|
|
"policy_links": [
|
|
"docs/benchmarks/vex-evidence-playbook.md"
|
|
],
|
|
"uncertainty_gate": "U2-medium"
|
|
},
|
|
{
|
|
"id": "VEX4.vulnerable_code_not_in_execute_path",
|
|
"title": "Code not reachable from declared entrypoints",
|
|
"description": "Reachability analysis shows no call paths from declared entrypoints to vulnerable functions; runtime probes corroborate.",
|
|
"applicability": [
|
|
"not_affected"
|
|
],
|
|
"required_evidence": [
|
|
"graph_hash",
|
|
"entrypoint_coverage>=95",
|
|
"runtime_traces"
|
|
],
|
|
"expiry_days": 45,
|
|
"reevaluate_on": [
|
|
"graph_change",
|
|
"runtime_change"
|
|
],
|
|
"rbac": [
|
|
"vex-author",
|
|
"signals-operator"
|
|
],
|
|
"policy_links": [
|
|
"docs/reachability/function-level-evidence.md"
|
|
],
|
|
"uncertainty_gate": "U1-low"
|
|
},
|
|
{
|
|
"id": "VEX5.mitigated_by_runtime_guard",
|
|
"title": "Runtime guard blocks exploitation",
|
|
"description": "Exploit is prevented by runtime guardrails (WAF/sandbox/feature flag) proven via negative test and telemetry.",
|
|
"applicability": [
|
|
"not_affected",
|
|
"affected"
|
|
],
|
|
"required_evidence": [
|
|
"runtime_traces",
|
|
"negative_tests",
|
|
"guard_policy"
|
|
],
|
|
"expiry_days": 30,
|
|
"reevaluate_on": [
|
|
"runtime_change",
|
|
"policy_change"
|
|
],
|
|
"rbac": [
|
|
"vex-author",
|
|
"security-ops"
|
|
],
|
|
"policy_links": [
|
|
"docs/uncertainty/README.md"
|
|
],
|
|
"uncertainty_gate": "U2-medium"
|
|
},
|
|
{
|
|
"id": "VEX6.compensating_control_documented",
|
|
"title": "Compensating control accepted",
|
|
"description": "A documented compensating control reduces exploitability; requires approval evidence and expiry.",
|
|
"applicability": [
|
|
"affected",
|
|
"under_investigation"
|
|
],
|
|
"required_evidence": [
|
|
"control_record",
|
|
"rbac_approval",
|
|
"expiry"
|
|
],
|
|
"expiry_days": 30,
|
|
"reevaluate_on": [
|
|
"policy_change",
|
|
"expiry"
|
|
],
|
|
"rbac": [
|
|
"policy-admin",
|
|
"risk-owner"
|
|
],
|
|
"policy_links": [
|
|
"docs/migration/exception-governance.md"
|
|
],
|
|
"uncertainty_gate": "U3-high"
|
|
},
|
|
{
|
|
"id": "VEX7.update_available",
|
|
"title": "Update available and staged",
|
|
"description": "Fix is available and staged for rollout; VEX documents status and planned activation window.",
|
|
"applicability": [
|
|
"affected",
|
|
"fixed"
|
|
],
|
|
"required_evidence": [
|
|
"fixed_version",
|
|
"staging_hash",
|
|
"rollout_window"
|
|
],
|
|
"expiry_days": 15,
|
|
"reevaluate_on": [
|
|
"rollout_change"
|
|
],
|
|
"rbac": [
|
|
"release-manager"
|
|
],
|
|
"policy_links": [
|
|
"docs/ui/advisories-and-vex.md"
|
|
],
|
|
"uncertainty_gate": "U2-medium"
|
|
},
|
|
{
|
|
"id": "VEX8.analysis_ongoing",
|
|
"title": "Analysis ongoing with SLA",
|
|
"description": "Investigation underway with defined SLA and evidence collection plan.",
|
|
"applicability": [
|
|
"under_investigation"
|
|
],
|
|
"required_evidence": [
|
|
"investigation_plan",
|
|
"sla_date",
|
|
"owner"
|
|
],
|
|
"expiry_days": 7,
|
|
"reevaluate_on": [
|
|
"sla_date"
|
|
],
|
|
"rbac": [
|
|
"vex-author"
|
|
],
|
|
"policy_links": [
|
|
"docs/modules/excititor/architecture.md#normalization"
|
|
],
|
|
"uncertainty_gate": "U3-high"
|
|
},
|
|
{
|
|
"id": "VEX9.eol_not_applicable",
|
|
"title": "Product out of scope / EOL",
|
|
"description": "Asset is out of scope or end-of-life and isolated; policy enforces quarantine rather than blanket ignore.",
|
|
"applicability": [
|
|
"not_affected"
|
|
],
|
|
"required_evidence": [
|
|
"asset_scope",
|
|
"quarantine_policy",
|
|
"rbac_approval"
|
|
],
|
|
"expiry_days": 30,
|
|
"reevaluate_on": [
|
|
"asset_change"
|
|
],
|
|
"rbac": [
|
|
"policy-admin"
|
|
],
|
|
"policy_links": [
|
|
"docs/observability/policy.md"
|
|
],
|
|
"uncertainty_gate": "U2-medium"
|
|
},
|
|
{
|
|
"id": "VEX10.false_positive_proven",
|
|
"title": "Scanner false positive disproven",
|
|
"description": "Deterministic reproduction shows the vulnerability is not actually present; includes counter-evidence and replay seed.",
|
|
"applicability": [
|
|
"not_affected"
|
|
],
|
|
"required_evidence": [
|
|
"replay_manifest",
|
|
"negative_tests",
|
|
"sbom_digest"
|
|
],
|
|
"expiry_days": 45,
|
|
"reevaluate_on": [
|
|
"scanner_update",
|
|
"sbom_change"
|
|
],
|
|
"rbac": [
|
|
"vex-author",
|
|
"qa"
|
|
],
|
|
"policy_links": [
|
|
"docs/replay/DETERMINISTIC_REPLAY.md"
|
|
],
|
|
"uncertainty_gate": "U1-low"
|
|
}
|
|
]
|
|
}
|
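Review bot: The `required_evidence` entries `"entrypoint_coverage>=95"` in VEX1 and VEX4 fold a numeric threshold into what is otherwise a list of evidence identifiers, so any verifier that matches evidence by name has to special-case and parse that string, and the threshold itself cannot be constrained by the catalog schema. Keeping the identifier bare and moving the bound into a sibling map keeps the array homogeneous and schema-checkable: `"required_evidence": ["graph_hash", "entrypoint_coverage", "negative_tests", "config_hash"],` plus `"evidence_thresholds": { "entrypoint_coverage": 95 },`. The `uncertainty_gate` values (`"U1-low"`, `"U2-medium"`, `"U3-high"`) fuse a level and a label the same way; if consumers compare gates, a separate numeric level would avoid string parsing there too. I cannot tell from this page which of these lines the commit changed, so this may apply to pre-existing content.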