git.stella-ops.org/docs/market/claims-citation-index.md
Commit b058dbe031 ("up") by StellaOps Bot, 2025-12-14 23:20:14 +02:00

# Competitive Claims Citation Index
## Purpose
This document is the **authoritative source** for all competitive positioning claims made by StellaOps. All marketing materials, sales collateral, and documentation must reference claims from this index to ensure accuracy and consistency.
**Last Updated:** 2025-12-14
**Next Review:** 2026-03-14
---
## Claim Categories
### 1. Determinism Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| DET-001 | "StellaOps produces bit-identical scan outputs given identical inputs" | `tests/determinism/` golden fixtures; CI workflow `scanner-determinism.yml` | High | 2025-12-14 | 2026-03-14 |
| DET-002 | "All CVSS scoring decisions are receipted with cryptographic InputHash" | `ReceiptBuilder.cs:164-190`; InputHash computation implementation | High | 2025-12-14 | 2026-03-14 |
| DET-003 | "No competitor offers deterministic replay manifests for audit-grade reproducibility" | Source audit: Trivy v0.55, Grype v0.80, Snyk CLI v1.1292 | High | 2025-12-14 | 2026-03-14 |
### 2. Reachability Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| REACH-001 | "Hybrid static + runtime reachability analysis reduces noise by 60-85%" | `docs/product-advisories/14-Dec-2025 - Reachability Analysis Technical Reference.md` | High | 2025-12-14 | 2026-03-14 |
| REACH-002 | "Signed reachability graphs with DSSE attestation" | `src/Attestor/` module; DSSE envelope implementation | High | 2025-12-14 | 2026-03-14 |
| REACH-003 | "~85% of critical vulnerabilities in containers are in inactive code" | Sysdig 2024 Container Security Report (external) | Medium | 2025-11-01 | 2026-02-01 |
| REACH-004 | "Multi-language support: Java, C#, Go, JavaScript, TypeScript, Python" | Language analyzer implementations in `src/Scanner/Analyzers/` | High | 2025-12-14 | 2026-03-14 |
### 3. VEX & Lattice Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| VEX-001 | "OpenVEX lattice semantics with deterministic state transitions" | `src/Excititor/` VEX engine; lattice documentation | High | 2025-12-14 | 2026-03-14 |
| VEX-002 | "VEX consensus from multiple sources (vendor, tool, analyst)" | `VexConsensusRefreshService.cs`; consensus algorithm | High | 2025-12-14 | 2026-03-14 |
| VEX-003 | "Seven-state lattice: CR, SR, SU, DT, DV, DA, U" | `docs/product-advisories/14-Dec-2025 - Triage and Unknowns Technical Reference.md` | High | 2025-12-14 | 2026-03-14 |
### 4. Attestation Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| ATT-001 | "DSSE-signed attestations for all evidence artifacts" | `src/Attestor/StellaOps.Attestor.Envelope/` | High | 2025-12-14 | 2026-03-14 |
| ATT-002 | "Optional Sigstore Rekor transparency logging" | `src/Attestor/StellaOps.Attestor.Rekor/` integration | High | 2025-12-14 | 2026-03-14 |
| ATT-003 | "in-toto attestation format support" | in-toto predicates in attestation module | High | 2025-12-14 | 2026-03-14 |
| ATT-004 | "Regional crypto support: eIDAS, FIPS, GOST, SM" | `StellaOps.Cryptography` with plugin architecture | Medium | 2025-12-14 | 2026-03-14 |
### 5. Offline & Air-Gap Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| OFF-001 | "Full offline/air-gap operation capability" | `docs/airgap/`; offline kit implementation | High | 2025-12-14 | 2026-03-14 |
| OFF-002 | "Offline scans produce identical results to online (same advisory date)" | `docs/airgap/offline-parity-verification.md` (pending; claim is unverified until that document lands) | Low | TBD | TBD |
| OFF-003 | "Risk bundles include NVD, KEV, EPSS data" | `docs/airgap/risk-bundles.md`; bundle manifest schema | High | 2025-12-14 | 2026-03-14 |
| OFF-004 | "DSSE-signed offline bundles for integrity verification" | Bundle signing implementation | High | 2025-12-14 | 2026-03-14 |
### 6. CVSS & Risk Scoring Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| CVSS-001 | "Full CVSS v4.0 MacroVector-based scoring (EQ1-EQ6 lookup: 3x2x3x3x3x2 = 324 nominal combinations, of which the v4.0 specification enumerates the 270 valid MacroVectors, since EQ3=2 forces EQ6=1)" | `MacroVectorLookup.cs` | High | 2025-12-14 | 2026-03-14 |
| CVSS-002 | "Support for CVSS v2.0, v3.0, v3.1, and v4.0 vectors" | `CvssV2Engine.cs`, `CvssV3Engine.cs`, `CvssEngineFactory.cs` | High | 2025-12-14 | 2026-03-14 |
| CVSS-003 | "Threat Metrics (Exploit Maturity) integration per v4.0 spec" | `CvssV4Engine.cs:365-375` | High | 2025-12-14 | 2026-03-14 |
| CVSS-004 | "EPSS percentile-based risk bonuses (99th=+10%, 90th=+5%, 50th=+2%)" | `CvssKevEpssProvider.cs` | High | 2025-12-14 | 2026-03-14 |
| CVSS-005 | "KEV (Known Exploited Vulnerabilities) +20% risk bonus" | `CvssKevProvider.cs:33` | High | 2025-12-14 | 2026-03-14 |
### 7. SBOM Claims
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| SBOM-001 | "SPDX 3.0.1 and CycloneDX 1.6 output formats" | SBOM generator implementations | High | 2025-12-14 | 2026-03-14 |
| SBOM-002 | "Multi-ecosystem support: APK, DEB, RPM, npm, Maven, NuGet, PyPI, Go, Cargo" | Ecosystem analyzers in `src/Scanner/` | High | 2025-12-14 | 2026-03-14 |
| SBOM-003 | "Deterministic SBOM generation (same image = same SBOM)" | SBOM determinism tests | High | 2025-12-14 | 2026-03-14 |
---
## Competitive Comparison Claims
### vs. Trivy
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| COMP-TRIVY-001 | "Trivy lacks lattice VEX semantics (boolean only)" | Trivy v0.55.0 source: `pkg/vex/` | High | 2025-12-14 | 2026-03-14 |
| COMP-TRIVY-002 | "Trivy lacks deterministic replay manifests" | Trivy v0.55.0 source audit | High | 2025-12-14 | 2026-03-14 |
| COMP-TRIVY-003 | "Trivy lacks native reachability analysis" | Trivy v0.55.0 feature matrix | High | 2025-12-14 | 2026-03-14 |
### vs. Grype
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| COMP-GRYPE-001 | "Grype lacks DSSE attestation signing" | Grype v0.80.0 source audit | High | 2025-12-14 | 2026-03-14 |
| COMP-GRYPE-002 | "Grype lacks VEX state lattice (affected/not_affected only)" | Grype v0.80.0 VEX implementation | High | 2025-12-14 | 2026-03-14 |
| COMP-GRYPE-003 | "Grype lacks CVSS v4.0 scoring" | Grype v0.80.0 feature matrix | Medium | 2025-12-14 | 2026-03-14 |
### vs. Snyk
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| COMP-SNYK-001 | "Snyk lacks deterministic replay manifests" | Snyk CLI v1.1292 audit | High | 2025-12-14 | 2026-03-14 |
| COMP-SNYK-002 | "Snyk's reachability is limited to specific languages" | Snyk documentation review | Medium | 2025-12-14 | 2026-03-14 |
| COMP-SNYK-003 | "Snyk lacks offline/air-gap capability" | Snyk architecture documentation | High | 2025-12-14 | 2026-03-14 |
---
## Confidence Levels
| Level | Percentage | Definition |
|-------|------------|------------|
| **High** | 80-100% | Verified against source code or authoritative documentation |
| **Medium** | 50-80% | Based on documentation or limited testing; needs deeper verification |
| **Low** | <50% | Unverified or based on indirect evidence; requires validation |
---
## Update Process
### Verification Schedule
1. **Quarterly Review**: All claims reviewed every 90 days
2. **Major Version Triggers**: Re-verify when competitors release major versions
3. **Market Events**: Re-verify after significant market announcements
### Verification Steps
1. **Source Audit**: Review competitor source code (if open source)
2. **Documentation Review**: Check official documentation
3. **Feature Testing**: Test specific features when possible
4. **Third-Party Sources**: Cross-reference analyst reports
### Update Workflow
```
1. Identify claim requiring update
2. Conduct verification per type
3. Update evidence column
4. Update confidence level if changed
5. Set new verified date
6. Set next review date
7. Document changes in execution log
```
---
## Deprecation Policy
### Stale Claims
Claims older than **6 months** without verification are marked **STALE**:
- STALE claims must NOT be used in external communications
- STALE claims require immediate re-verification or removal
- Marketing team notified of all STALE claims
### Invalidated Claims
When a claim becomes false (e.g., competitor adds feature):
1. Mark claim as **INVALID**
2. Remove from all active materials within 7 days
3. Update competitive documentation
4. Notify stakeholders
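The two date rules above (a row is STALE six months after its last verification; reviews run on a 90-day cycle) and the confidence-level definitions are mechanical enough to check automatically. The script below is an added example, not part of this index or of the StellaOps code base: it parses rows in this document's table layout and reports every row that breaks one of those rules. The four sample rows, their IDs, the reference date and the 183-day reading of "6 months" are all constructed assumptions.

```python
"""Lint a claims index in this document's table layout against its own policy."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample rows in the index's six-column layout (IDs and dates are made up).
SAMPLE_INDEX = """\
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| EX-001 | "Bit-identical outputs for identical inputs" | `tests/determinism/` fixtures | High | 2025-12-14 | 2026-03-14 |
| EX-002 | "Offline parity with online scans" | `docs/airgap/parity.md` (pending) | Medium | TBD | TBD |
| EX-003 | "Competitor X lacks feature Y" | source audit, old release | High | 2025-05-01 | 2025-07-30 |
| EX-004 | "Supports format Z" | generator implementation | High | 2025-10-01 | 2026-01-15 |
"""

REFERENCE_DATE = date(2025, 12, 15)   # assumed "today" so the sample run is reproducible
STALE_AFTER = timedelta(days=183)     # assumption: "6 months" in the deprecation policy
REVIEW_CYCLE = timedelta(days=90)     # "Quarterly Review: ... every 90 days"
ID_PATTERN = re.compile(r"[A-Z]+(-[A-Z]+)*-\d{3}")   # DET-001, COMP-TRIVY-001, ...


@dataclass
class Claim:
    id: str
    text: str
    evidence: str
    confidence: str
    verified: date | None      # None when the cell is TBD or otherwise not a date
    next_review: date | None


def _parse_date(cell: str) -> date | None:
    cell = cell.strip()
    return date.fromisoformat(cell) if re.fullmatch(r"\d{4}-\d{2}-\d{2}", cell) else None


def parse_claims(markdown: str) -> list[Claim]:
    """Collect every six-column pipe-table row whose first cell is a claim ID."""
    claims = []
    for line in markdown.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6 or not ID_PATTERN.fullmatch(cells[0]):
            continue   # header row, separator row, or a table with another shape
        claims.append(Claim(cells[0], cells[1], cells[2], cells[3],
                            _parse_date(cells[4]), _parse_date(cells[5])))
    return claims


def lint(claims: list[Claim], today: date) -> dict[str, list[str]]:
    """Return {claim_id: [findings]} for rows violating the index's own rules."""
    findings: dict[str, list[str]] = {}
    for c in claims:
        issues = []
        if c.verified is None:
            # Unverified rows may not be cited, and the policy rates them Low.
            issues.append("UNVERIFIED: no verification date; must not be used externally")
            if c.confidence in ("High", "Medium"):
                issues.append(f"confidence {c.confidence} contradicts 'Unverified' = Low")
        else:
            if today - c.verified > STALE_AFTER:
                issues.append(f"STALE: last verified {c.verified}, more than 6 months ago")
            if c.next_review is None:
                issues.append("no next-review date set")
            else:
                gap = c.next_review - c.verified
                if gap > REVIEW_CYCLE:
                    issues.append(f"next review {c.next_review} is {gap.days} days "
                                  f"after verification (cycle is 90)")
                if c.next_review <= today:
                    issues.append(f"review overdue since {c.next_review}")
        if issues:
            findings[c.id] = issues
    return findings


if __name__ == "__main__":
    for cid, issues in lint(parse_claims(SAMPLE_INDEX), REFERENCE_DATE).items():
        for issue in issues:
            print(f"{cid}: {issue}")
```

Run against the real index with `parse_claims(open("claims-citation-index.md").read())` and `date.today()`; anything it reports is a row the marketing and sales guidance above says must not be quoted until re-verified.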
---
## Usage Guidelines
### For Marketing
- Reference claims by ID (e.g., "Per DET-001...")
- Include verification date in footnotes
- Do not paraphrase claims without SME review
### For Sales
- Use claims matrix for competitive conversations
- Check confidence levels before customer commitments
- Report feedback on claim accuracy
### For Documentation
- Link to this index for competitive statements
- Update cross-references when claims change
- Flag questionable claims to Docs Guild
---
## Execution Log
| Date | Update | Owner |
|------|--------|-------|
| 2025-12-14 | Initial claims index created | Docs Guild |
| 2025-12-14 | Added CVSS v2/v3 engine claims (CVSS-002) | AI Implementation |
| 2025-12-14 | Added EPSS integration claims (CVSS-004) | AI Implementation |
---
## References
- `docs/product-advisories/14-Dec-2025 - CVSS and Competitive Analysis Technical Reference.md`
- `docs/market/competitive-landscape.md`
- `docs/benchmarks/accuracy-metrics-framework.md`