stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
1995883476a039b09015e703dfd42d53cdb87c0a
git.stella-ops.org/docs/marketing/evidence-linked-vex.md
Vladimir Moushkov 1995883476
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Add Decision Capsules, hybrid reachability, and evidence-linked VEX docs 
Introduces new marketing bridge documents for Decision Capsules, Hybrid Reachability, and Evidence-Linked VEX. Updates product vision, README, key features, moat, reachability, and VEX consensus docs to reflect four differentiating capabilities: signed reachability (hybrid static/runtime), deterministic replay, explainable policy with evidence-linked VEX, and sovereign/offline operation. All scan decisions are now described as sealed, reproducible, and audit-grade, with explicit handling of 'Unknown' states and hybrid reachability evidence.
2025-12-11 14:15:07 +02:00

229 lines
8.6 KiB
Markdown
Raw Blame History

# Evidence-Linked VEX — Proof-Backed Vulnerability Decisions
> Status: Marketing Bridge Document · December 2025
> Audience: Technical buyers, security architects, compliance teams
<!-- TODO: Review for separate approval - new marketing bridge doc -->
## Executive Summary
Stella Ops isn't just another scanner—it's a different product category: **deterministic, evidence-linked vulnerability decisions** that survive auditors, regulators, and supply-chain propagation.
**Evidence-Linked VEX** is how those decisions are structured: every vulnerability status assertion includes pointers to the underlying proof. Unlike traditional VEX that simply states "not_affected" without explanation, Stella Ops provides a complete evidence graph connecting the decision to its inputs.
**Key message**: "VEX you can prove."
---
## What is Evidence-Linked VEX?
Every VEX decision in Stella Ops links to an **evidence graph** containing:
| Evidence Type | Description | Link Format |
|---------------|-------------|-------------|
| **SBOM match** | Component identity confirmation | `sbom_hash`, `purl` |
| **Vuln snapshot** | Exact advisory data at decision time | `advisory_snapshot_id` |
| **Reachability proof** | Static/runtime analysis artifacts | `reach_decision_id`, `graph_hash` |
| **Runtime observation** | Process traces, method hits | `runtime_trace_id` |
| **Mitigation evidence** | WAF rules, config flags, patches | `mitigation_id` |
```
┌────────────────────────────────────────────────────────────┐
│ VEX Decision: NOT_AFFECTED │
├────────────────────────────────────────────────────────────┤
│ │
│ "CVE-2025-1234 does not affect pkg:nuget/Example@1.2.3" │
│ │
│ Evidence Graph: │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ SBOM Match │───▶│ Vuln Record │───▶│ Reach Proof │ │
│ │ sha256:abc │ │ nvd-snap-01 │ │ graph:xyz │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────┐ │
│ │ Runtime Obs │ │
│ │ trace:456 │ │
│ └─────────────┘ │
└────────────────────────────────────────────────────────────┘
```
---
## Why Evidence-Linked VEX Matters
### The Problem with Traditional VEX
Traditional VEX statements are **assertions without proof**:
```json
{
"vulnerability": "CVE-2025-1234",
"status": "not_affected",
"justification": "vulnerable_code_not_present"
}
```
Questions this doesn't answer:
- How do you know the vulnerable code isn't present?
- What analysis was performed?
- Can this decision be independently verified?
- What happens when the advisory changes?
### The Evidence-Linked Solution
Stella Ops VEX includes **proof pointers**:
```json
{
"vulnerability": "CVE-2025-1234",
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"evidence_refs": {
"sbom": "sha256:abc123...",
"advisory_snapshot": "nvd-2025-12-01",
"reachability": {
"decision_id": "reach:xyz789",
"graph_hash": "blake3:...",
"score": 22,
"state": "POSSIBLE"
},
"mitigations": ["mit:waf-rule-123"]
},
"replay_bundle": "capsule:2025-12-11-abc"
}
```
This enables:
- **Independent verification**: Anyone can follow the proof chain
- **Deterministic replay**: Re-run the exact analysis
- **Audit compliance**: Evidence meets regulatory requirements
---
## Explicit "Unknown" State Handling
A key differentiator: Stella Ops explicitly handles **incomplete data**.
| Traditional Approach | Stella Ops Approach |
|---------------------|---------------------|
| Binary: affected/not_affected | Three states: affected/not_affected/under_investigation |
| Missing data → assume safe | Missing data → mark "Unknown" |
| False negatives possible | Incomplete data surfaced explicitly |
**Why this matters**: Incomplete data never leads to false safety. If reachability analysis is inconclusive, the decision stays `under_investigation` until sufficient evidence is gathered.
---
## Competitive Differentiation
| Capability | Stella Ops | Competitors |
|------------|------------|-------------|
| **VEX output** | Evidence-linked with proof graph | Simple VEX statements |
| **Verification** | Independent proof chain verification | Trust the vendor |
| **Unknown handling** | Explicit `under_investigation` state | Binary yes/no |
| **Replay** | Bit-for-bit from Decision Capsules | Not possible |
**Battlecard one-liner**: "Competitors export VEX formats; Stella provides VEX you can prove."
---
## Evidence Graph Structure
### Full Evidence Chain
```
Component (PURL)
├──▶ SBOM Document
│ └── digest: sha256:...
├──▶ Vulnerability Record
│ ├── source: NVD
│ ├── snapshot_id: nvd-2025-12-01
│ └── digest: sha256:...
├──▶ Reachability Analysis
│ ├── static_graph: blake3:...
│ ├── runtime_traces: [trace:001, trace:002]
│ ├── score: 22 (POSSIBLE)
│ └── evidence: [edge:abc, edge:def]
├──▶ Mitigations
│ ├── waf_rule: rule:xyz
│ └── config_flag: flag:disabled
└──▶ Policy Decision
├── version: corp-policy@2025-12-01
├── digest: sha256:...
└── threshold: score < 25 → not_affected
```
### Evidence Types
| Evidence Kind | Confidence Impact | Source |
|---------------|-------------------|--------|
| `StaticCallEdge` | +30 base score | IL/bytecode analysis |
| `RuntimeMethodHit` | +60 base score | EventPipe/JFR |
| `UserInputSource` | +80 base score | Taint analysis |
| `WafRulePresent` | -20 mitigation | WAF connector |
| `PatchLevel` | -40 mitigation | Patch diff |
---
## VEX Propagation
Evidence-Linked VEX enables **scalable supply chain sharing**:
1. **Generate**: Create evidence-linked VEX from scan results
2. **Sign**: Apply DSSE signatures with your trust root
3. **Share**: Propagate to downstream consumers
4. **Verify**: Consumers verify independently using proof pointers
```bash
# Generate evidence-linked VEX
stella vex generate --scan scan-123 --format openvex --include-evidence
# Export for downstream
stella vex export --decisions "decision:abc123" --bundle evidence-bundle.tar
# Downstream verification
stella vex verify evidence-bundle.tar --trust-root downstream-ca
```
---
## Integration with Four Capabilities
Evidence-Linked VEX connects to the four capabilities:
1. **Signed Reachability** → Reachability proof in evidence graph
2. **Deterministic Replay** → Evidence reproducible via Decision Capsules
3. **Explainable Policy** → Policy version and thresholds traced
4. **Sovereign Offline** → Evidence verifiable without network
---
## Customer Scenarios
### Scenario 1: Vendor VEX Verification
"The vendor says this CVE doesn't affect us—can we trust it?"
→ Check their evidence graph; verify the reachability analysis matches your deployment.
### Scenario 2: Compliance Audit
"Prove this CVE was properly analyzed."
→ Show the evidence chain from SBOM → advisory → reachability → decision.
### Scenario 3: Supply Chain Propagation
"Pass our VEX decisions to downstream consumers."
→ Export evidence-linked VEX; consumers can independently verify.
---
## Related Documentation
- `docs/vex/consensus-overview.md` — VEX consensus engine
- `docs/reachability/lattice.md` — Reachability scoring model
- `docs/marketing/decision-capsules.md` — Decision Capsules overview
- `docs/marketing/hybrid-reachability.md` — Hybrid analysis
Reference in New Issue View Git Blame Copy Permalink