git.stella-ops.org/docs/market/claims-citation-index.md
StellaOps Bot b058dbe031 up
2025-12-14 23:20:14 +02:00

Competitive Claims Citation Index

Purpose

This document is the authoritative source for all competitive positioning claims made by StellaOps. All marketing materials, sales collateral, and documentation must reference claims from this index to ensure accuracy and consistency.

Last Updated: 2025-12-14
Next Review: 2026-03-14


Claim Categories

1. Determinism Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| DET-001 | "StellaOps produces bit-identical scan outputs given identical inputs" | tests/determinism/ golden fixtures; CI workflow scanner-determinism.yml | High | 2025-12-14 | 2026-03-14 |
| DET-002 | "All CVSS scoring decisions are receipted with cryptographic InputHash" | ReceiptBuilder.cs:164-190; InputHash computation implementation | High | 2025-12-14 | 2026-03-14 |
| DET-003 | "No competitor offers deterministic replay manifests for audit-grade reproducibility" | Source audit: Trivy v0.55, Grype v0.80, Snyk CLI v1.1292 | High | 2025-12-14 | 2026-03-14 |

2. Reachability Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| REACH-001 | "Hybrid static + runtime reachability analysis reduces noise by 60-85%" | docs/product-advisories/14-Dec-2025 - Reachability Analysis Technical Reference.md | High | 2025-12-14 | 2026-03-14 |
| REACH-002 | "Signed reachability graphs with DSSE attestation" | src/Attestor/ module; DSSE envelope implementation | High | 2025-12-14 | 2026-03-14 |
| REACH-003 | "~85% of critical vulnerabilities in containers are in inactive code" | Sysdig 2024 Container Security Report (external) | Medium | 2025-11-01 | 2026-02-01 |
| REACH-004 | "Multi-language support: Java, C#, Go, JavaScript, TypeScript, Python" | Language analyzer implementations in src/Scanner/Analyzers/ | High | 2025-12-14 | 2026-03-14 |

3. VEX & Lattice Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| VEX-001 | "OpenVEX lattice semantics with deterministic state transitions" | src/Excititor/ VEX engine; lattice documentation | High | 2025-12-14 | 2026-03-14 |
| VEX-002 | "VEX consensus from multiple sources (vendor, tool, analyst)" | VexConsensusRefreshService.cs; consensus algorithm | High | 2025-12-14 | 2026-03-14 |
| VEX-003 | "Seven-state lattice: CR, SR, SU, DT, DV, DA, U" | docs/product-advisories/14-Dec-2025 - Triage and Unknowns Technical Reference.md | High | 2025-12-14 | 2026-03-14 |

4. Attestation Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| ATT-001 | "DSSE-signed attestations for all evidence artifacts" | src/Attestor/StellaOps.Attestor.Envelope/ | High | 2025-12-14 | 2026-03-14 |
| ATT-002 | "Optional Sigstore Rekor transparency logging" | src/Attestor/StellaOps.Attestor.Rekor/ integration | High | 2025-12-14 | 2026-03-14 |
| ATT-003 | "in-toto attestation format support" | in-toto predicates in attestation module | High | 2025-12-14 | 2026-03-14 |
| ATT-004 | "Regional crypto support: eIDAS, FIPS, GOST, SM" | StellaOps.Cryptography with plugin architecture | Medium | 2025-12-14 | 2026-03-14 |

5. Offline & Air-Gap Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| OFF-001 | "Full offline/air-gap operation capability" | docs/airgap/; offline kit implementation | High | 2025-12-14 | 2026-03-14 |
| OFF-002 | "Offline scans produce identical results to online (same advisory date)" | docs/airgap/offline-parity-verification.md (pending) | Medium | TBD | TBD |
| OFF-003 | "Risk bundles include NVD, KEV, EPSS data" | docs/airgap/risk-bundles.md; bundle manifest schema | High | 2025-12-14 | 2026-03-14 |
| OFF-004 | "DSSE-signed offline bundles for integrity verification" | Bundle signing implementation | High | 2025-12-14 | 2026-03-14 |

6. CVSS & Risk Scoring Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| CVSS-001 | "Full CVSS v4.0 MacroVector-based scoring with 324 lookup combinations" | MacroVectorLookup.cs | High | 2025-12-14 | 2026-03-14 |
| CVSS-002 | "Support for CVSS v2.0, v3.0, v3.1, and v4.0 vectors" | CvssV2Engine.cs, CvssV3Engine.cs, CvssEngineFactory.cs | High | 2025-12-14 | 2026-03-14 |
| CVSS-003 | "Threat Metrics (Exploit Maturity) integration per v4.0 spec" | CvssV4Engine.cs:365-375 | High | 2025-12-14 | 2026-03-14 |
| CVSS-004 | "EPSS percentile-based risk bonuses (99th=+10%, 90th=+5%, 50th=+2%)" | CvssKevEpssProvider.cs | High | 2025-12-14 | 2026-03-14 |
| CVSS-005 | "KEV (Known Exploited Vulnerabilities) +20% risk bonus" | CvssKevProvider.cs:33 | High | 2025-12-14 | 2026-03-14 |

7. SBOM Claims

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| SBOM-001 | "SPDX 3.0.1 and CycloneDX 1.6 output formats" | SBOM generator implementations | High | 2025-12-14 | 2026-03-14 |
| SBOM-002 | "Multi-ecosystem support: APK, DEB, RPM, npm, Maven, NuGet, PyPI, Go, Cargo" | Ecosystem analyzers in src/Scanner/ | High | 2025-12-14 | 2026-03-14 |
| SBOM-003 | "Deterministic SBOM generation (same image = same SBOM)" | SBOM determinism tests | High | 2025-12-14 | 2026-03-14 |

Competitive Comparison Claims

vs. Trivy

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-TRIVY-001 | "Trivy lacks lattice VEX semantics (boolean only)" | Trivy v0.55.0 source: pkg/vex/ | High | 2025-12-14 | 2026-03-14 |
| COMP-TRIVY-002 | "Trivy lacks deterministic replay manifests" | Trivy v0.55.0 source audit | High | 2025-12-14 | 2026-03-14 |
| COMP-TRIVY-003 | "Trivy lacks native reachability analysis" | Trivy v0.55.0 feature matrix | High | 2025-12-14 | 2026-03-14 |

vs. Grype

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-GRYPE-001 | "Grype lacks DSSE attestation signing" | Grype v0.80.0 source audit | High | 2025-12-14 | 2026-03-14 |
| COMP-GRYPE-002 | "Grype lacks VEX state lattice (affected/not_affected only)" | Grype v0.80.0 VEX implementation | High | 2025-12-14 | 2026-03-14 |
| COMP-GRYPE-003 | "Grype lacks CVSS v4.0 scoring" | Grype v0.80.0 feature matrix | Medium | 2025-12-14 | 2026-03-14 |

vs. Snyk

| ID | Claim | Evidence | Confidence | Verified | Next Review |
|---|---|---|---|---|---|
| COMP-SNYK-001 | "Snyk lacks deterministic replay manifests" | Snyk CLI v1.1292 audit | High | 2025-12-14 | 2026-03-14 |
| COMP-SNYK-002 | "Snyk's reachability is limited to specific languages" | Snyk documentation review | Medium | 2025-12-14 | 2026-03-14 |
| COMP-SNYK-003 | "Snyk lacks offline/air-gap capability" | Snyk architecture documentation | High | 2025-12-14 | 2026-03-14 |

Confidence Levels

| Level | Percentage | Definition |
|---|---|---|
| High | 80-100% | Verified against source code or authoritative documentation |
| Medium | 50-80% | Based on documentation or limited testing; needs deeper verification |
| Low | <50% | Unverified or based on indirect evidence; requires validation |

Update Process

Verification Schedule

  1. Quarterly Review: All claims reviewed every 90 days
  2. Major Version Triggers: Re-verify when competitors release major versions
  3. Market Events: Re-verify after significant market announcements

Verification Steps

  1. Source Audit: Review competitor source code (if open source)
  2. Documentation Review: Check official documentation
  3. Feature Testing: Test specific features when possible
  4. Third-Party Sources: Cross-reference analyst reports

Update Workflow

1. Identify claim requiring update
2. Conduct verification per type
3. Update evidence column
4. Update confidence level if changed
5. Set new verified date
6. Set next review date
7. Document changes in execution log

Deprecation Policy

Stale Claims

Claims older than 6 months without verification are marked STALE:

  • STALE claims must NOT be used in external communications
  • STALE claims require immediate re-verification or removal
  • Marketing team notified of all STALE claims

Invalidated Claims

When a claim becomes false (e.g., competitor adds feature):

  1. Mark claim as INVALID
  2. Remove from all active materials within 7 days
  3. Update competitive documentation
  4. Notify stakeholders

Usage Guidelines

For Marketing

  • Reference claims by ID (e.g., "Per DET-001...")
  • Include verification date in footnotes
  • Do not paraphrase claims without SME review

For Sales

  • Use claims matrix for competitive conversations
  • Check confidence levels before customer commitments
  • Report feedback on claim accuracy

For Documentation

  • Link to this index for competitive statements
  • Update cross-references when claims change
  • Flag questionable claims to Docs Guild

Execution Log

| Date | Update | Owner |
|---|---|---|
| 2025-12-14 | Initial claims index created | Docs Guild |
| 2025-12-14 | Added CVSS v2/v3 engine claims (CVSS-002) | AI Implementation |
| 2025-12-14 | Added EPSS integration claims (CVSS-004) | AI Implementation |

References

  • docs/product-advisories/14-Dec-2025 - CVSS and Competitive Analysis Technical Reference.md
  • docs/market/competitive-landscape.md
  • docs/benchmarks/accuracy-metrics-framework.md