git.stella-ops.org/docs/features/unchecked/attestor/rekor-entry-events-with-reanalysis-hints.md
Rekor Entry Events with Reanalysis Hints

Module

Attestor

Status

IMPLEMENTED

Description

Deterministic Rekor entry events (EntryLogged, EntryQueued, InclusionVerified, EntryFailed) that carry reanalysis hints (CVE IDs, product keys, artifact digests, scope), so that policy reanalysis can be triggered from the log lifecycle and narrowed to the policies the entry actually affects.

Implementation Details

  • Rekor Entry Event: src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Rekor/RekorEntryEvent.cs -- event model with type (EntryLogged, EntryQueued, InclusionVerified, EntryFailed), payload, and reanalysis hints (CVE IDs, product keys, artifact digests, scope).
  • Rekor Submission Response: Rekor/RekorSubmissionResponse.cs -- response from Rekor submission containing log index and entry UUID.
  • Rekor Receipt: Rekor/RekorReceipt.cs -- receipt from Rekor with verification data.
  • Rekor Proof Response: Rekor/RekorProofResponse.cs -- proof response with inclusion proof data.
  • Rekor Sync Background Service: Rekor/RekorSyncBackgroundService.cs -- background service that emits events during sync operations.
  • Checkpoint Divergence Detector: Rekor/CheckpointDivergenceDetector.cs -- detects checkpoint divergence and emits failure events.
  • Rekor Inclusion Verification Result: Rekor/RekorInclusionVerificationResult.cs -- result of verifying a Rekor entry's inclusion.
  • Queue: StellaOps.Attestor.Core/Queue/IRekorSubmissionQueue.cs -- queue for managing entry submissions with event emission.
  • Persistence: __Libraries/StellaOps.Attestor.Persistence/Entities/RekorEntryEntity.cs -- persisted Rekor entry with event history.
  • Tests: __Tests/StellaOps.Attestor.Core.Tests/RekorEntryEventTests.cs

E2E Test Plan

  • Submit an attestation to Rekor and verify an EntryLogged event is emitted with the returned log index
  • Queue a submission and verify an EntryQueued event is emitted before the submission is sent to Rekor
  • Verify inclusion of a Rekor entry and confirm an InclusionVerified event is emitted
  • Simulate a submission failure and verify an EntryFailed event is emitted with error details
  • Verify the reanalysis hints contain the CVE IDs, product keys, and artifact digests taken from the submitted attestation, and that the same attestation always yields the same hints
  • Verify the event scope field correctly narrows the reanalysis trigger (e.g., scope="component:openssl" only triggers reanalysis for openssl-related policies, not for unrelated component policies)
  • Verify RekorSyncBackgroundService emits events during sync operations (new entries found, checkpoint updates)
  • Persist events via RekorEntryEntity and verify the event history is retrievable in emission order
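The following is an added illustration of the event model and the scope-narrowing rule described above (the Description and the scope bullet of the E2E plan). It is not StellaOps code and is written in Python rather than the project's C#; the attestation shape, the policy table, and every function name (extract_hints, build_event, policies_to_reanalyze) are assumptions made for the example. It shows the two properties a practitioner would check: hints are deduplicated, validated and sorted so the same attestation always produces the same event id, and a scope such as component:openssl selects only policies subscribed to that scope (plus global ones).

```python
"""Added illustration (not StellaOps code): deterministic Rekor entry
events with reanalysis hints and scope narrowing, in Python rather than
the project's C#. All names and data shapes here are hypothetical."""
import hashlib
import json
import re
from dataclasses import dataclass
from enum import Enum


class RekorEntryEventType(str, Enum):
    ENTRY_QUEUED = "EntryQueued"
    ENTRY_LOGGED = "EntryLogged"
    INCLUSION_VERIFIED = "InclusionVerified"
    ENTRY_FAILED = "EntryFailed"


# Hints feed a policy engine, so only well-formed identifiers are accepted.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SCOPE_RE = re.compile(r"(\*|[a-z]+:[A-Za-z0-9._\-/@]+)")


@dataclass(frozen=True)
class ReanalysisHints:
    cve_ids: tuple
    product_keys: tuple
    artifact_digests: tuple
    scope: str


@dataclass(frozen=True)
class RekorEntryEvent:
    event_type: RekorEntryEventType
    payload: dict
    hints: ReanalysisHints
    event_id: str  # content hash: identical input always yields the same id


def extract_hints(statement, scope):
    """Collect hints from an in-toto-style statement (constructed shape:
    subject[].digest.sha256, predicate.vulnerabilities[].id,
    predicate.productKeys[]). Collections are deduplicated and sorted so
    the event does not depend on the order the attestation listed them."""
    if not SCOPE_RE.fullmatch(scope):
        raise ValueError(f"bad scope: {scope!r}")
    digests = set()
    for subj in statement.get("subject", []):
        sha = subj.get("digest", {}).get("sha256")
        if sha and re.fullmatch(r"[0-9a-f]{64}", sha):
            digests.add(f"sha256:{sha}")
    pred = statement.get("predicate", {})
    cves = set()
    for vuln in pred.get("vulnerabilities", []):
        vid = str(vuln.get("id", "")).upper()
        if not CVE_RE.fullmatch(vid):
            # Fail closed: a malformed id must not reach the policy engine.
            raise ValueError(f"rejected malformed vulnerability id: {vid!r}")
        cves.add(vid)
    products = {str(p) for p in pred.get("productKeys", [])}
    return ReanalysisHints(tuple(sorted(cves)), tuple(sorted(products)),
                           tuple(sorted(digests)), scope)


def build_event(event_type, payload, hints):
    """Derive the event id from canonical JSON of type + payload + hints."""
    canonical = json.dumps(
        {"type": event_type.value, "payload": payload,
         "hints": {"cveIds": hints.cve_ids, "productKeys": hints.product_keys,
                   "artifactDigests": hints.artifact_digests,
                   "scope": hints.scope}},
        sort_keys=True, separators=(",", ":"))
    return RekorEntryEvent(event_type, payload, hints,
                           hashlib.sha256(canonical.encode()).hexdigest())


def policies_to_reanalyze(event, policies):
    """Return the names of policies the event's scope selects. A policy
    maps to the set of scopes it subscribes to; '*' on either side means
    no narrowing (a global policy, or an event that affects everything)."""
    scope = event.hints.scope
    return sorted(name for name, scopes in policies.items()
                  if scope == "*" or "*" in scopes or scope in scopes)


# Constructed sample inputs, not real attestations or policies.
STATEMENT = {
    "subject": [
        {"name": "registry.example/app", "digest": {"sha256": "b" * 64}},
        {"name": "registry.example/lib", "digest": {"sha256": "a" * 64}},
    ],
    "predicate": {
        "vulnerabilities": [{"id": "cve-2024-0002"}, {"id": "CVE-2024-0001"},
                            {"id": "CVE-2024-0002"}],
        "productKeys": ["pkg:deb/debian/openssl@3.0.11",
                        "pkg:deb/debian/openssl@3.0.11"],
    },
}
POLICIES = {
    "openssl-vex-gate": {"component:openssl"},
    "curl-vex-gate": {"component:curl"},
    "global-attestation-freshness": {"*"},
}

if __name__ == "__main__":
    hints = extract_hints(STATEMENT, "component:openssl")
    ev = build_event(RekorEntryEventType.ENTRY_LOGGED,
                     {"logIndex": 12345, "entryUuid": "0123abcd"}, hints)
    print(ev.event_id, policies_to_reanalyze(ev, POLICIES))
```

The scope grammar (`kind:value`, with `*` as the unnarrowed case) is an assumption; the point that carries over to any implementation is that both the scope and the hint identifiers are validated before they are embedded in an event, and that the event id is computed over a canonical serialization so that replaying the same submission reproduces the same event.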