6e45066e37
Some checks failed
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Policy Simulation / policy-simulate (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
69 lines
2.6 KiB
JSON
69 lines
2.6 KiB
JSON
{
|
|
"@context": "https://openvex.dev/ns/v0.2.0",
|
|
"@id": "https://stellaops.example/vex/2025-12-13/CVE-2023-XXXXX-not-affected",
|
|
"author": "StellaOps Policy Engine",
|
|
"role": "automated-scanner",
|
|
"timestamp": "2025-12-13T10:00:00Z",
|
|
"version": 1,
|
|
"tooling": "StellaOps/1.0.0",
|
|
"statements": [
|
|
{
|
|
"vulnerability": {
|
|
"@id": "CVE-2023-XXXXX",
|
|
"name": "CVE-2023-XXXXX",
|
|
"description": "Example vulnerability in deprecated API."
|
|
},
|
|
"products": [
|
|
{
|
|
"@id": "pkg:oci/myapp@sha256:abc123def456789012345678901234567890123456789012345678901234abcd",
|
|
"identifiers": {
|
|
"purl": "pkg:oci/myapp@sha256:abc123def456789012345678901234567890123456789012345678901234abcd"
|
|
},
|
|
"subcomponents": [
|
|
{
|
|
"@id": "pkg:maven/com.example/deprecated-lib@1.0.0",
|
|
"identifiers": {
|
|
"purl": "pkg:maven/com.example/deprecated-lib@1.0.0"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"status": "not_affected",
|
|
"justification": "vulnerable_code_not_in_execute_path",
|
|
"impact_statement": "The deprecated API containing the vulnerable code path is not reachable from any entry point. Static analysis found no paths, and runtime probes observed zero invocations over 72 hours.",
|
|
"stellaops:reachability": {
|
|
"state": "CU",
|
|
"state_description": "ConfirmedUnreachable",
|
|
"confidence": 0.88,
|
|
"graph_hash": "blake3:d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5",
|
|
"graph_cas_uri": "cas://reachability/graphs/d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5",
|
|
"dsse_uri": "cas://reachability/graphs/d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5.dsse",
|
|
"path": [],
|
|
"path_length": 0,
|
|
"evidence": {
|
|
"static": {
|
|
"graph_hash": "blake3:d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5",
|
|
"path_length": 0,
|
|
"confidence": 0.85,
|
|
"analysis_note": "No path found from any root to vulnerable symbol"
|
|
},
|
|
"runtime": {
|
|
"probe_id": "probe:jfr:scan-456-001",
|
|
"hit_count": 0,
|
|
"observed_at": "2025-12-13T09:45:00Z",
|
|
"observation_window": "72h",
|
|
"analysis_note": "Zero invocations observed during 72-hour monitoring window"
|
|
}
|
|
},
|
|
"fact_digest": "sha256:f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7",
|
|
"fact_version": 2,
|
|
"analyzer": {
|
|
"name": "scanner.java",
|
|
"version": "1.2.0"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|