stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
1bf6bbf3955ecbd8d20f5eeb767da5c7f8324b57
git.stella-ops.org/docs/features/unchecked/attestor/vex-override-predicate-system.md

2.9 KiB
Raw Blame History

VEX Override Predicate System (Signed Justifications with Proofs)

Module

Attestor

Status

IMPLEMENTED

Description

Full VEX override predicate system with builder, parser, serialization, validation, decision models, evidence references, and tool info. Supports "not_affected" claims with structured proof bundles and signed justifications.

Implementation Details

  • VEX Override Predicate: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicate.cs -- data model for VEX override predicates containing decision, justification, evidence, and tool metadata.
  • VEX Override Decision: VexOverride/VexOverrideDecision.cs -- decision model with status (not_affected, affected, fixed), justification text, approver identity, and decision timestamp.
  • VEX Override Predicate Builder: VexOverride/VexOverridePredicateBuilder.cs (with .Build, .Serialize, .WithMethods) -- fluent builder: .WithStatus(), .WithJustification(), .WithEvidence(), .WithToolInfo(). .Build finalizes the predicate, .Serialize produces canonical JSON.
  • VEX Override Predicate Parser: VexOverride/VexOverridePredicateParser.cs (with .DecisionValidation, .ExtractMetadata, .FieldValidation, .Helpers, .ParsePredicate, .Validation) -- comprehensive parser with multi-layer validation: .ParsePredicate extracts the predicate, .DecisionValidation validates decision semantics, .FieldValidation validates required fields, .ExtractMetadata extracts metadata.
  • Evidence Reference: VexOverride/EvidenceReference.cs -- reference to supporting evidence (type, URI, digest, description).
  • Tool Info: VexOverride/ToolInfo.cs -- information about the tool/human that authored the override (name, version, vendor).
  • Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/VexOverride/

E2E Test Plan

  • Build a VEX override via VexOverridePredicateBuilder.WithStatus("not_affected").WithJustification("Vulnerable function not in call path").WithEvidence(ref).Build() and verify the predicate is complete
  • Serialize the predicate via .Serialize and verify canonical JSON output
  • Parse the serialized JSON via VexOverridePredicateParser.ParsePredicate and verify round-trip fidelity for all fields
  • Validate decision semantics: create a not_affected override without justification and verify .DecisionValidation rejects it
  • Validate field completeness: create a predicate missing the tool info and verify .FieldValidation reports the missing field
  • Create an override with 3 evidence references (scan report, backport proof, manual review) and verify all are serialized/parsed
  • Build an override with status="fixed" and verify no justification is required (fixed status does not require justification)
  • Parse a malformed VEX override (invalid JSON) and verify the parser returns structured errors via .Validation