Files

Vladimir Moushkov 1995883476

Docs CI / lint-and-preview (push) Has been cancelled

Details

Add Decision Capsules, hybrid reachability, and evidence-linked VEX docs

Introduces new marketing bridge documents for Decision Capsules, Hybrid Reachability, and Evidence-Linked VEX. Updates product vision, README, key features, moat, reachability, and VEX consensus docs to reflect four differentiating capabilities: signed reachability (hybrid static/runtime), deterministic replay, explainable policy with evidence-linked VEX, and sovereign/offline operation. All scan decisions are now described as sealed, reproducible, and audit-grade, with explicit handling of 'Unknown' states and hybrid reachability evidence.

2025-12-11 14:15:07 +02:00

8.6 KiB

Raw Permalink Blame History

Evidence-Linked VEX — Proof-Backed Vulnerability Decisions

Status: Marketing Bridge Document · December 2025 Audience: Technical buyers, security architects, compliance teams

Executive Summary

Stella Ops isn't just another scanner—it's a different product category: deterministic, evidence-linked vulnerability decisions that survive auditors, regulators, and supply-chain propagation.

Evidence-Linked VEX is how those decisions are structured: every vulnerability status assertion includes pointers to the underlying proof. Unlike traditional VEX that simply states "not_affected" without explanation, Stella Ops provides a complete evidence graph connecting the decision to its inputs.

Key message: "VEX you can prove."

What is Evidence-Linked VEX?

Every VEX decision in Stella Ops links to an evidence graph containing:

Evidence Type	Description	Link Format
SBOM match	Component identity confirmation	`sbom_hash`, `purl`
Vuln snapshot	Exact advisory data at decision time	`advisory_snapshot_id`
Reachability proof	Static/runtime analysis artifacts	`reach_decision_id`, `graph_hash`
Runtime observation	Process traces, method hits	`runtime_trace_id`
Mitigation evidence	WAF rules, config flags, patches	`mitigation_id`

┌────────────────────────────────────────────────────────────┐
│              VEX Decision: NOT_AFFECTED                     │
├────────────────────────────────────────────────────────────┤
│                                                              │
│  "CVE-2025-1234 does not affect pkg:nuget/Example@1.2.3"   │
│                                                              │
│  Evidence Graph:                                             │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐     │
│  │ SBOM Match  │───▶│ Vuln Record │───▶│ Reach Proof │     │
│  │ sha256:abc  │    │ nvd-snap-01 │    │ graph:xyz   │     │
│  └─────────────┘    └─────────────┘    └─────────────┘     │
│                                              │               │
│                                              ▼               │
│                                        ┌─────────────┐      │
│                                        │ Runtime Obs │      │
│                                        │ trace:456   │      │
│                                        └─────────────┘      │
└────────────────────────────────────────────────────────────┘

Why Evidence-Linked VEX Matters

The Problem with Traditional VEX

Traditional VEX statements are assertions without proof:

{
  "vulnerability": "CVE-2025-1234",
  "status": "not_affected",
  "justification": "vulnerable_code_not_present"
}

Questions this doesn't answer:

How do you know the vulnerable code isn't present?
What analysis was performed?
Can this decision be independently verified?
What happens when the advisory changes?

The Evidence-Linked Solution

Stella Ops VEX includes proof pointers:

{
  "vulnerability": "CVE-2025-1234",
  "status": "not_affected",
  "justification": "vulnerable_code_not_present",
  "evidence_refs": {
    "sbom": "sha256:abc123...",
    "advisory_snapshot": "nvd-2025-12-01",
    "reachability": {
      "decision_id": "reach:xyz789",
      "graph_hash": "blake3:...",
      "score": 22,
      "state": "POSSIBLE"
    },
    "mitigations": ["mit:waf-rule-123"]
  },
  "replay_bundle": "capsule:2025-12-11-abc"
}

This enables:

Independent verification: Anyone can follow the proof chain
Deterministic replay: Re-run the exact analysis
Audit compliance: Evidence meets regulatory requirements

Explicit "Unknown" State Handling

A key differentiator: Stella Ops explicitly handles incomplete data.

Traditional Approach	Stella Ops Approach
Binary: affected/not_affected	Three states: affected/not_affected/under_investigation
Missing data → assume safe	Missing data → mark "Unknown"
False negatives possible	Incomplete data surfaced explicitly

Why this matters: Incomplete data never leads to false safety. If reachability analysis is inconclusive, the decision stays under_investigation until sufficient evidence is gathered.

Competitive Differentiation

Capability	Stella Ops	Competitors
VEX output	Evidence-linked with proof graph	Simple VEX statements
Verification	Independent proof chain verification	Trust the vendor
Unknown handling	Explicit `under_investigation` state	Binary yes/no
Replay	Bit-for-bit from Decision Capsules	Not possible

Battlecard one-liner: "Competitors export VEX formats; Stella provides VEX you can prove."

Evidence Graph Structure

Full Evidence Chain

Component (PURL)
    │
    ├──▶ SBOM Document
    │       └── digest: sha256:...
    │
    ├──▶ Vulnerability Record
    │       ├── source: NVD
    │       ├── snapshot_id: nvd-2025-12-01
    │       └── digest: sha256:...
    │
    ├──▶ Reachability Analysis
    │       ├── static_graph: blake3:...
    │       ├── runtime_traces: [trace:001, trace:002]
    │       ├── score: 22 (POSSIBLE)
    │       └── evidence: [edge:abc, edge:def]
    │
    ├──▶ Mitigations
    │       ├── waf_rule: rule:xyz
    │       └── config_flag: flag:disabled
    │
    └──▶ Policy Decision
            ├── version: corp-policy@2025-12-01
            ├── digest: sha256:...
            └── threshold: score < 25 → not_affected

Evidence Types

Evidence Kind	Confidence Impact	Source
`StaticCallEdge`	+30 base score	IL/bytecode analysis
`RuntimeMethodHit`	+60 base score	EventPipe/JFR
`UserInputSource`	+80 base score	Taint analysis
`WafRulePresent`	-20 mitigation	WAF connector
`PatchLevel`	-40 mitigation	Patch diff

VEX Propagation

Evidence-Linked VEX enables scalable supply chain sharing:

Generate: Create evidence-linked VEX from scan results
Sign: Apply DSSE signatures with your trust root
Share: Propagate to downstream consumers
Verify: Consumers verify independently using proof pointers

# Generate evidence-linked VEX
stella vex generate --scan scan-123 --format openvex --include-evidence

# Export for downstream
stella vex export --decisions "decision:abc123" --bundle evidence-bundle.tar

# Downstream verification
stella vex verify evidence-bundle.tar --trust-root downstream-ca

Integration with Four Capabilities

Evidence-Linked VEX connects to the four capabilities:

Signed Reachability → Reachability proof in evidence graph
Deterministic Replay → Evidence reproducible via Decision Capsules
Explainable Policy → Policy version and thresholds traced
Sovereign Offline → Evidence verifiable without network

Customer Scenarios

Scenario 1: Vendor VEX Verification

"The vendor says this CVE doesn't affect us—can we trust it?" → Check their evidence graph; verify the reachability analysis matches your deployment.

Scenario 2: Compliance Audit

"Prove this CVE was properly analyzed." → Show the evidence chain from SBOM → advisory → reachability → decision.

Scenario 3: Supply Chain Propagation

"Pass our VEX decisions to downstream consumers." → Export evidence-linked VEX; consumers can independently verify.

docs/vex/consensus-overview.md — VEX consensus engine
docs/reachability/lattice.md — Reachability scoring model
docs/marketing/decision-capsules.md — Decision Capsules overview
docs/marketing/hybrid-reachability.md — Hybrid analysis

8.6 KiB Raw Permalink Blame History