git.stella-ops.org/docs/features/unchecked/attestor/vex-delta-evidence-and-tracking.md

# VEX Delta Evidence and Tracking (Claim Transitions)

**Module:** Attestor

**Status:** IMPLEMENTED

## Description

VEX delta predicates capturing per-CVE claim transitions (affected/not_affected/fixed) with merge traces and reason codes. Tracks changes in VEX statements between scans.

## Implementation Details

  • VEX Delta Predicate: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexDeltaPredicate.cs -- top-level predicate for VEX delta attestations.
  • VEX Delta Change: Predicates/VexDeltaChange.cs -- individual per-CVE claim transition (e.g., affected -> not_affected) with reason code.
  • VEX Delta Statement: Predicates/VexDeltaStatement.cs -- statement describing the claim transition details.
  • VEX Delta Summary: Predicates/VexDeltaSummary.cs -- aggregate summary of VEX delta changes (added, removed, status_changed counts).
  • VEX Merge Trace: Predicates/VexMergeTrace.cs -- trace of how VEX sources were merged, explaining conflict resolution and priority ordering.
  • VEX Document Reference: Predicates/VexDocumentReference.cs -- reference to the VEX document that was the source of the change.
  • VEX Status Counts: Predicates/VexStatusCounts.cs -- before and after status counts for delta comparison.
  • Change Trace Attestation Service: ChangeTrace/ChangeTraceAttestationService.cs (with .Helpers, .Mapping) -- generates change trace attestations including VEX delta entries.
  • Change Trace Delta Entry: Predicates/ChangeTraceDeltaEntry.cs -- entry in the broader change trace capturing a VEX delta event.
  • Change Trace Predicate Summary: Predicates/ChangeTracePredicateSummary.cs -- summary of all change trace predicates including VEX deltas.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/

## E2E Test Plan

  • Create a VexDeltaPredicate tracking a CVE transition from affected to not_affected with justification code; verify the change is captured
  • Create a delta with multiple transitions (3 CVEs changing status) and verify VexDeltaSummary reports correct counts
  • Verify merge trace: create a delta resulting from merging two VEX sources and verify VexMergeTrace explains which source took priority
  • Track a fixed -> affected regression and verify VexDeltaChange captures the regression with reason code
  • Generate a change trace attestation via ChangeTraceAttestationService with VEX deltas and verify the attestation includes delta entries
  • Compare VexStatusCounts before and after a delta and verify the counts shift correctly when statuses change
  • Create a delta where a VEX document is removed entirely and verify all its claims appear as removed in the delta
  • Verify VexDeltaStatement details include the source VEX document reference via VexDocumentReference
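To make the delta model concrete, the following is an added Python example, not StellaOps code (the C# predicates listed above are the project's own implementation). It computes a per-CVE delta between two constructed scans, assigns a reason code to each transition, flags a fixed -> affected regression, records before and after status counts, and produces a merge trace for a conflict between two VEX sources. The claim sets, the `CVE-EXAMPLE-*` identifiers, the reason-code vocabulary and the source priority order are all constructed assumptions for the example.

```python
"""Added example (not StellaOps code): compute a VEX delta between two scans.

Claim sets, CVE ids, reason codes and merge priority are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STATUSES = ("affected", "not_affected", "fixed", "under_investigation")
RESOLVED = {"not_affected", "fixed"}  # moving from here back to "affected" is a regression

@dataclass(frozen=True)
class VexClaim:
    cve: str
    status: str
    source_doc: str                   # VEX document that asserted the claim
    justification: Optional[str] = None

@dataclass
class VexDeltaChange:
    cve: str
    kind: str                         # "added" | "removed" | "status_changed"
    before: Optional[str]
    after: Optional[str]
    reason_code: str
    source_doc: str
    regression: bool = False

@dataclass
class VexMergeTraceEntry:
    cve: str
    chosen_source: str
    overridden_sources: List[str]

def merge_sources(sources: Dict[str, List[VexClaim]],
                  priority: List[str]) -> Tuple[Dict[str, VexClaim], List[VexMergeTraceEntry]]:
    """Merge several VEX documents into one claim set; earlier names in `priority` win.
    The trace lists every CVE claimed by more than one source and which source won."""
    merged: Dict[str, VexClaim] = {}
    for name in priority:
        for claim in sources.get(name, []):
            merged.setdefault(claim.cve, claim)
    claimants: Dict[str, List[str]] = {}
    for name, claims in sources.items():
        for claim in claims:
            claimants.setdefault(claim.cve, []).append(name)
    trace = [VexMergeTraceEntry(cve, merged[cve].source_doc,
                                sorted(n for n in names if n != merged[cve].source_doc))
             for cve, names in sorted(claimants.items()) if len(names) > 1]
    return merged, trace

def reason_code(before: Optional[VexClaim], after: Optional[VexClaim]) -> str:
    """Assumed reason-code vocabulary; the real predicate may use different codes."""
    if after is None:
        return "claim_withdrawn"
    if after.status == "not_affected":
        return after.justification or "not_affected_unjustified"
    if after.status == "fixed":
        return "fix_applied"
    if before is not None and before.status in RESOLVED and after.status == "affected":
        return "regression"
    return "status_" + after.status

def compute_delta(before: Dict[str, VexClaim], after: Dict[str, VexClaim]) -> List[VexDeltaChange]:
    """Per-CVE transitions between two claim sets: added, removed or status_changed."""
    changes = []
    for cve in sorted(set(before) | set(after)):
        b, a = before.get(cve), after.get(cve)
        if b is None:
            changes.append(VexDeltaChange(cve, "added", None, a.status, reason_code(None, a), a.source_doc))
        elif a is None:
            changes.append(VexDeltaChange(cve, "removed", b.status, None, reason_code(b, None), b.source_doc))
        elif a.status != b.status:
            changes.append(VexDeltaChange(cve, "status_changed", b.status, a.status, reason_code(b, a),
                                          a.source_doc, regression=b.status in RESOLVED and a.status == "affected"))
    return changes

def status_counts(claims: Dict[str, VexClaim]) -> Dict[str, int]:
    counts = {s: 0 for s in STATUSES}
    for claim in claims.values():
        counts[claim.status] += 1
    return counts

def summarize(changes: List[VexDeltaChange]) -> Dict[str, int]:
    summary = {"added": 0, "removed": 0, "status_changed": 0, "regressions": 0}
    for change in changes:
        summary[change.kind] += 1
        summary["regressions"] += int(change.regression)
    return summary

def run_example():
    """Constructed scans: scan 1 has one vendor VEX; scan 2 merges a newer vendor VEX with internal triage."""
    before = {c.cve: c for c in [
        VexClaim("CVE-EXAMPLE-1", "affected", "vendor-vex-v1"),
        VexClaim("CVE-EXAMPLE-2", "fixed", "vendor-vex-v1"),
        VexClaim("CVE-EXAMPLE-3", "affected", "vendor-vex-v1"),
        VexClaim("CVE-EXAMPLE-4", "not_affected", "vendor-vex-v1", "component_not_present"),
    ]}
    sources = {
        "vendor-vex-v2": [
            VexClaim("CVE-EXAMPLE-1", "not_affected", "vendor-vex-v2", "vulnerable_code_not_present"),
            VexClaim("CVE-EXAMPLE-2", "affected", "vendor-vex-v2"),  # fixed -> affected regression
            VexClaim("CVE-EXAMPLE-3", "fixed", "vendor-vex-v2"),
            VexClaim("CVE-EXAMPLE-5", "affected", "vendor-vex-v2"),  # CVE-EXAMPLE-4 is no longer claimed
        ],
        "internal-triage": [  # conflicts with the vendor on CVE-EXAMPLE-5 and takes priority
            VexClaim("CVE-EXAMPLE-5", "not_affected", "internal-triage", "inline_mitigations_already_exist"),
        ],
    }
    after, trace = merge_sources(sources, priority=["internal-triage", "vendor-vex-v2"])
    changes = compute_delta(before, after)
    return changes, summarize(changes), trace, status_counts(before), status_counts(after)

if __name__ == "__main__":
    changes, summary, trace, before_counts, after_counts = run_example()
    for change in changes:
        print(f"{change.cve}: {change.kind} {change.before} -> {change.after} [{change.reason_code}]"
              + (" REGRESSION" if change.regression else ""))
    print("summary:", summary, "\ntrace:", trace, "\nbefore:", before_counts, "\nafter:", after_counts)
```

Running the script prints the five per-CVE changes (three status changes including one flagged regression, one removed claim, one added claim), a summary of `added=1, removed=1, status_changed=3, regressions=1`, a single merge-trace entry showing `internal-triage` overriding `vendor-vex-v2` on the conflicting CVE, and the before and after status counts. The point of keeping the merge trace separate from the delta is the one the page's VexMergeTrace makes: a reviewer can see not just that a claim changed, but which source's assertion won and why.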