stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
main
git.stella-ops.org/docs/features/checked/scanner/falsification-conditions-per-finding.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

1.7 KiB
Raw Permalink Blame History

Falsification Conditions Per Finding

Module

Scanner

Status

VERIFIED

Description

Each vulnerability finding includes falsification conditions -- specific criteria that would disprove the finding, enabling evidence-based triage and automatic dismissal when conditions are met.

Implementation Details

  • Core Models:
    • src/Scanner/__Libraries/StellaOps.Scanner.Core/Models/FalsificationConditions.cs - Falsification conditions model attached to findings
  • Falsifiability Generation:
    • src/Scanner/__Libraries/StellaOps.Scanner.Explainability/Falsifiability/FalsifiabilityGenerator.cs - Generates falsification criteria per finding
    • src/Scanner/__Libraries/StellaOps.Scanner.Explainability/Falsifiability/FalsifiabilityCriteria.cs - Criteria model defining what would disprove a finding
  • DSSE Integration:
    • src/Scanner/__Libraries/StellaOps.Scanner.Explainability/Dsse/ExplainabilityPredicateSerializer.cs - Serializes falsification conditions in DSSE predicates

E2E Test Plan

  • Scan an image and verify vulnerability findings include falsification conditions
  • Verify falsification criteria specify concrete conditions (e.g., "function X is not called", "package Y is not in runtime classpath")
  • Verify automatic dismissal occurs when falsification conditions are met by evidence (e.g., reachability proves function is unreachable)
  • Verify falsification conditions are serialized in explainability predicates
  • Verify triage UI displays falsification conditions to help analysts evaluate findings

Verification

Check Result
Tier 0 - Source files exist PASS
Tier 1 - Build + code review PASS
Tier 2 - Integration tests PASS
Verified 2026-02-13T18:10:00Z