Backport Proof Service

Module

Attestor

Status

IMPLEMENTED

Description

A BackportProof library in Concelier and a multi-tier BackportProofGenerator in Attestor, with confidence scoring, evidence combining, and tier-based proof generation (Tier 1 through 4 plus signature variants).

Implementation Details

  • BackportProofGenerator: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.cs -- orchestrates multi-tier backport proof generation. Partials:
    • BackportProofGenerator.Tier1.cs -- Tier 1: exact version match proofs
    • BackportProofGenerator.Tier2.cs -- Tier 2: advisory-level evidence
    • BackportProofGenerator.Tier3.cs -- Tier 3: heuristic/pattern matching
    • BackportProofGenerator.Tier3Signature.cs -- Tier 3 signature variant with binary signature comparison
    • BackportProofGenerator.Tier4.cs -- Tier 4: lowest confidence, inference-based
    • BackportProofGenerator.Confidence.cs -- confidence scoring across tiers using proof-strength hierarchy
    • BackportProofGenerator.CombineEvidence.cs -- evidence aggregation from multiple tiers
    • BackportProofGenerator.Status.cs -- status tracking for proof generation progress
    • BackportProofGenerator.VulnerableUnknown.cs -- handling of unknown vulnerability status
  • Evidence Summary: EvidenceSummary.cs -- aggregated evidence output from proof generation.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/BackportProofGeneratorTests.cs

E2E Test Plan

  • Generate a Tier 1 proof for a package with exact version match in advisory data and verify high confidence score (>= 0.9)
  • Generate a Tier 2 proof using advisory-level evidence (CVE matches package family) and verify moderate confidence score
  • Generate a Tier 3 proof using binary signature comparison and verify it includes signature match details
  • Generate a Tier 4 inference-based proof and verify it has the lowest confidence score among all tiers
  • Combine evidence from Tier 1 and Tier 2 via CombineEvidence and verify the combined confidence is higher than either individual tier
  • Generate a proof for a package with VulnerableUnknown status and verify the generator handles it with appropriate uncertainty indicators
  • Verify EvidenceSummary output contains entries from all applicable tiers with per-tier confidence scores
  • Generate proofs for the same package twice and verify deterministic output (same confidence scores and evidence)