2170a58734
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Findings Ledger CI / build-test (push) Has been cancelled
Findings Ledger CI / migration-validation (push) Has been cancelled
Findings Ledger CI / generate-manifest (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Lighthouse CI / Lighthouse Audit (push) Has been cancelled
Lighthouse CI / Axe Accessibility Audit (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Policy Simulation / policy-simulate (push) Has been cancelled
- Implemented tests for Cryptographic Failures (A02) to ensure proper handling of sensitive data, secure algorithms, and key management. - Added tests for Security Misconfiguration (A05) to validate production configurations, security headers, CORS settings, and feature management. - Developed tests for Authentication Failures (A07) to enforce strong password policies, rate limiting, session management, and MFA support. - Created tests for Software and Data Integrity Failures (A08) to verify artifact signatures, SBOM integrity, attestation chains, and feed updates.
55 lines
1.6 KiB
JSON
55 lines
1.6 KiB
JSON
{
|
|
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
|
"$id": "https://stella-ops.org/schemas/cdx-vex.stella/v1.json",
|
|
"title": "VEX Verdict Predicate Schema",
|
|
"description": "Schema for cdx-vex.stella/v1 predicate type - VEX verdict with provenance",
|
|
"type": "object",
|
|
"required": [
|
|
"sbomEntryId",
|
|
"vulnerabilityId",
|
|
"status",
|
|
"justification",
|
|
"policyVersion",
|
|
"reasoningId",
|
|
"vexVerdictId"
|
|
],
|
|
"properties": {
|
|
"sbomEntryId": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[a-f0-9]{64}:pkg:.+",
|
|
"description": "The SBOM entry ID this verdict applies to"
|
|
},
|
|
"vulnerabilityId": {
|
|
"type": "string",
|
|
"pattern": "^(CVE-[0-9]{4}-[0-9]+|GHSA-.+)$",
|
|
"description": "The vulnerability ID (CVE, GHSA, etc.)"
|
|
},
|
|
"status": {
|
|
"type": "string",
|
|
"enum": ["not_affected", "affected", "fixed", "under_investigation"],
|
|
"description": "VEX status"
|
|
},
|
|
"justification": {
|
|
"type": "string",
|
|
"minLength": 1,
|
|
"description": "Justification for the VEX status"
|
|
},
|
|
"policyVersion": {
|
|
"type": "string",
|
|
"pattern": "^v[0-9]+\\.[0-9]+\\.[0-9]+$",
|
|
"description": "Version of the policy used"
|
|
},
|
|
"reasoningId": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[a-f0-9]{64}$",
|
|
"description": "Reference to the reasoning that led to this verdict"
|
|
},
|
|
"vexVerdictId": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[a-f0-9]{64}$",
|
|
"description": "Content-addressed ID of this VEX verdict"
|
|
}
|
|
},
|
|
"additionalProperties": false
|
|
}
|