git.stella-ops.org/docs/vuln/findings-ledger.md
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00

Findings Ledger (Vuln Explorer) — Event Model & Replay (Md.XI draft)

Status: DRAFT — depends on GRAP0101 alignment and security review. Do not publish until hashes and schema cross-checks are complete.

Scope

  • Explain event schema, hashing strategy, Merkle roots, and replay tooling as consumed by Vuln Explorer.
  • Align with canonical ledger docs: docs/modules/findings-ledger/schema.md, merkle-anchor-policy.md, replay-harness.md.
  • Provide deterministic examples and hash manifests (record in docs/assets/vuln-explorer/SHA256SUMS).

Dependencies

| Input | Status | Notes |
|---|---|---|
| GRAP0101 contract | pending | Confirm field names/identifiers to keep Explorer/ledger in sync. |
| Security review (hashing/attachments) | pending | Required before publication. |
| Replay fixtures | available | See docs/modules/findings-ledger/replay-harness.md and golden-checksums.json. |

Event Schema (summary)

  • finding_records (canonical): includes advisory/VEX/SBOM refs, policyVersion, sourceRunId, explainBundleRef, tenant, artifact identifiers.
  • finding_history: append-only transitions with actor, scope, justification, timestamps (UTC, ISO-8601), hash-chained.
  • triage_actions: discrete operator actions (comment, assign, remediation, ticket link) with immutable provenance.
  • remediation_plans: planned fixes linked to findings; optional due dates and checkpoints.

See docs/modules/findings-ledger/schema.md for authoritative field names; update this section when GRAP0101 finalizes.

Hashing & Merkle Roots

  • Per-event SHA-256 digests; history and actions chained by previous hash to ensure tamper evidence.
  • Periodic Merkle roots anchored per tenant + artifact namespace; policy version included in leaf payloads.
  • Export bundles carry manifest.json + audit_log.jsonl with hashes; verify against Merkle roots.

Replay & Verification

  • Replay harness (replay-harness.md) replays finding_history + triage_actions to reconstruct finding_records and compare hashes.
  • Use golden-checksums.json to validate deterministic output; record the hash of the replay output in SHA256SUMS once the fixtures are copied here.
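As an added illustration of the hash-chaining, Merkle-root and hash-comparison steps described in the two sections above (not code from the Findings Ledger project), the following Python models a chained finding_history, a tenant/artifact Merkle root over the event digests, and the tamper check a replay comparison relies on. The field names, the all-zero genesis value, the canonical JSON form and the odd-leaf duplication rule are assumptions, and the history entries are a constructed fixture.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed previous-hash value for the first event of a chain

def canonical(obj) -> bytes:
    # Deterministic encoding: sorted keys, no whitespace, UTF-8 (assumed canonical form).
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def chain_events(events):
    # Append-only chain: each event's digest covers its payload plus the previous digest.
    prev, chained = GENESIS, []
    for ev in events:
        body = dict(ev, prevHash=prev)
        digest = sha256_hex(canonical(body))
        chained.append(dict(body, hash=digest))
        prev = digest
    return chained

def verify_chain(chained):
    # Return the index of the first broken link, or -1 when the chain is intact.
    prev = GENESIS
    for i, ev in enumerate(chained):
        body = {k: v for k, v in ev.items() if k != "hash"}
        if body.get("prevHash") != prev or sha256_hex(canonical(body)) != ev["hash"]:
            return i
        prev = ev["hash"]
    return -1

def merkle_root(leaf_hashes):
    # Binary Merkle tree over hex digests; an odd trailing node is duplicated (assumed policy).
    level = list(leaf_hashes) or [sha256_hex(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex(bytes.fromhex(level[i] + level[i + 1])) for i in range(0, len(level), 2)]
    return level[0]

SAMPLE_HISTORY = [  # constructed fixture: fixed IDs and UTC timestamps, no live clock
    {"findingId": "F-0001", "from": "new", "to": "triaged", "actor": "user:alice", "policyVersion": "pol-v1", "ts": "2025-12-01T00:00:00Z"},
    {"findingId": "F-0001", "from": "triaged", "to": "mitigated", "actor": "user:bob", "policyVersion": "pol-v1", "ts": "2025-12-02T00:00:00Z"},
    {"findingId": "F-0002", "from": "new", "to": "not_affected", "actor": "user:alice", "policyVersion": "pol-v1", "ts": "2025-12-02T01:00:00Z"},
]
```

Because every digest includes the previous one, editing any field of an earlier entry changes that entry's hash, breaks every later prevHash link, and changes the Merkle root, which is what the export manifest and replay output are compared against.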

Offline/Determinism Notes

  • All sample logs/responses added to this doc must have hashes recorded in docs/assets/vuln-explorer/SHA256SUMS.
  • Use fixed fixture IDs; avoid live timestamps; maintain sorted outputs.

Hash Capture Checklist (when fixtures are pulled)

  • assets/vuln-explorer/ledger-history.jsonl (sample history entries)
  • assets/vuln-explorer/ledger-actions.jsonl (triage actions snippet)
  • assets/vuln-explorer/ledger-replay-output.json (replay harness output)
  • assets/vuln-explorer/ledger-manifest.json (export manifest sample)

Open Items

  • Replace schema placeholders once GRAP0101 and security review land.
  • Add sample history/action entries and replay verification commands with hashes.
  • Document attachment token validation path when security review provides final wording.

Last updated: 2025-12-05 (UTC)