Verdict Bundle Builder (Scoring + Signing + Rekor Anchoring)
Module
__Libraries
Status
IMPLEMENTED
Description
End-to-end verdict bundle pipeline: scoring from EWS (Evidence-Weighted Score) results, input extraction, normalization tracing, gate evaluation, content-addressed bundle digest, DSSE signing, and Rekor transparency log anchoring with inclusion proof verification. Integrates scoring manifest versioning, VEX-aware overrides, and per-environment gate configuration.
Implementation Details
- VerdictBundleBuilder: src/__Libraries/StellaOps.DeltaVerdict/Bundles/VerdictBundleBuilder.cs -- implements IVerdictBundleBuilder; constructor takes IGateEvaluator, TimeProvider, IScoringManifestProvider; Build(ewsResult, input, policy, gateConfig) orchestrates: ExtractInputs (from EWS input), CreateNormalizationTrace (from EWS result), GetManifestRef (scoring manifest reference), CalculateRawScore, GetVerdictOverride (VEX overrides), gate evaluation via IGateEvaluator.Evaluate, ComputeBundleDigest (SHA-256 of canonical JSON); multi-partial: .Score.cs (score calculation), .Normalization.cs (normalization trace), .Digest.cs (content-addressed digest), .Extract.cs (input extraction), .Manifest.cs (manifest binding), .Override.cs (VEX override), .Projections.cs / .Projections.Details.cs (result projections)
- IVerdictBundleBuilder: src/__Libraries/StellaOps.DeltaVerdict/Bundles/IVerdictBundleBuilder.cs -- interface: Build(ewsResult, input, policy, gateConfig) and Build(ewsResult, input, policy) (default gate config)
- VerdictBundle: src/__Libraries/StellaOps.DeltaVerdict/Bundles/VerdictBundle.cs -- sealed partial record: BundleId (content-addressed sha256:...), SchemaVersion, FindingId (CVE@PURL), ManifestRef (ScoringManifestRef), Inputs (VerdictInputs), Normalization (NormalizationTrace), RawScore (double), FinalScore (double, clamped 0-1), Override (VerdictOverride?), Gate (GateDecision), ComputedAt (DateTimeOffset), BundleDigest (SHA-256), DsseSignature (DSSE envelope); multi-partial: .Rekor.cs (Rekor anchoring fields)
- VerdictSigningService: src/__Libraries/StellaOps.DeltaVerdict/Bundles/VerdictSigningService.cs -- multi-partial: .Sign.cs (DSSE signing), .Verify.cs (signature verification), .Canonical.cs (canonical JSON for signing), .Envelope.cs (DSSE envelope construction), .Projections.cs / .Projections.Extensions.cs (projection helpers)
- VerdictRekorAnchorService: src/__Libraries/StellaOps.DeltaVerdict/Bundles/VerdictRekorAnchorService.cs -- multi-partial: .Anchor.cs (submit to Rekor), .Verify.cs (verify anchoring), .InclusionProof.cs (Merkle inclusion proof verification), .Helpers.cs; result types VerdictAnchorResult, VerdictAnchorVerificationResult
- Scoring Manifest: src/__Libraries/StellaOps.DeltaVerdict/Manifest/ScoringManifest.cs -- manifest model with ScoringWeights, ScoringNormalizers; ScoringManifestVersioner multi-partial: .Bump.cs, .Compare.cs / .Compare.Helpers.cs, .Versioning.cs for semantic versioning of manifest changes
- Delta Computation: src/__Libraries/StellaOps.DeltaVerdict/Engine/DeltaComputationEngine.cs -- multi-partial: .Components.cs, .ChangedComponents.cs, .Vulnerabilities.cs, .Risk.cs; IDeltaComputationEngine interface
- Signing Infrastructure: src/__Libraries/StellaOps.DeltaVerdict/Signing/ -- DeltaSigningService, ScoringManifestSigningService, ScoringManifestRekorAnchorService with full DSSE envelope, Rekor submission, and verification
- Source: Feature matrix scan
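The digest and signing steps listed above (ComputeBundleDigest as SHA-256 of canonical JSON, then a DSSE envelope over those bytes) are shown below as an added Go example. It is not the project's code (the project is C#) and uses no API from the page: the cut-down Verdict type, the payloadType media type, the key id and the sample verdict are all assumptions constructed for the example. It canonicalizes the record, derives the content-addressed sha256: identifier, signs the DSSE pre-authentication encoding with Ed25519, and shows that editing the signed payload breaks verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// payloadType is an assumed DSSE media type for verdict bundles (not from the page).
const payloadType = "application/vnd.stellaops.verdict+json"

// Verdict is a hypothetical, cut-down stand-in for the page's VerdictBundle
// record: field names follow the page, the type itself is example code.
type Verdict struct {
	SchemaVersion string  `json:"schemaVersion"`
	FindingID     string  `json:"findingId"`   // CVE@PURL
	ManifestRef   string  `json:"manifestRef"` // scoring manifest reference
	RawScore      float64 `json:"rawScore"`
	FinalScore    float64 `json:"finalScore"` // already clamped to [0,1]
	Gate          string  `json:"gate"`       // allow | warn | block
	ComputedAt    string  `json:"computedAt"`
}

// Envelope and Signature follow the DSSE envelope layout.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64(canonical JSON)
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // base64(Ed25519 signature over the PAE)
}

// Canonicalize round-trips through a map so keys come out sorted and without
// whitespace: equal content yields equal bytes regardless of field order.
func Canonicalize(v any) ([]byte, error) {
	raw, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	var generic map[string]any
	if err := json.Unmarshal(raw, &generic); err != nil {
		return nil, err
	}
	return json.Marshal(generic) // encoding/json emits map keys in sorted order
}

// BundleID derives the content-addressed "sha256:<hex>" identifier from the
// canonical bytes and returns those bytes so the same bytes get signed.
func BundleID(v Verdict) (string, []byte, error) {
	canon, err := Canonicalize(v)
	if err != nil {
		return "", nil, err
	}
	sum := sha256.Sum256(canon)
	return "sha256:" + hex.EncodeToString(sum[:]), canon, nil
}

// PAE is DSSE's pre-authentication encoding; signing it (not the raw payload)
// binds the payload type, so a signature cannot be replayed under another type.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s",
		len(payloadType), payloadType, len(payload), payload))
}

// Sign wraps canonical verdict bytes in a DSSE envelope signed with Ed25519.
func Sign(priv ed25519.PrivateKey, keyID string, canon []byte) Envelope {
	sig := ed25519.Sign(priv, PAE(payloadType, canon))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(canon),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// Verify rebuilds the PAE from the envelope and accepts if any signature
// checks out under pub; it returns the payload so callers parse only signed bytes.
func Verify(pub ed25519.PublicKey, env Envelope) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	pae := PAE(env.PayloadType, payload)
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, pae, sig) {
			return payload, nil
		}
	}
	return nil, errors.New("dsse: no valid signature for this key")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := Verdict{ // constructed sample verdict; identifiers are placeholders
		SchemaVersion: "1.0", FindingID: "CVE-2024-12345@pkg:npm/example@1.2.3",
		ManifestRef: "sha256:0000", RawScore: 0.82, FinalScore: 0.82, Gate: "block",
		ComputedAt: "2025-01-01T00:00:00Z",
	}
	id, canon, _ := BundleID(v)
	env := Sign(priv, "verdict-key-1", canon)
	_, err := Verify(pub, env)
	fmt.Println(id, "verifies:", err == nil)

	// Tamper with the signed payload (block -> allow): the signature no longer verifies.
	env.Payload = base64.StdEncoding.EncodeToString(
		[]byte(strings.Replace(string(canon), `"block"`, `"allow"`, 1)))
	_, err = Verify(pub, env)
	fmt.Println("tampered verifies:", err == nil)
}
```

Two caveats for anyone porting this. The sorted-map round-trip through encoding/json is close to, but not the same as, RFC 8785 (JCS) canonicalization: number formatting and string escaping can differ between implementations, and one differing byte changes the BundleId and invalidates the signature, so a real pipeline pins a single canonicalizer on both the signing and verifying side. And Verify hands back the payload precisely so that a verifier recomputes sha256 over those bytes and compares it with the envelope's claimed BundleId, rather than trusting an identifier carried outside the signed payload.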
E2E Test Plan
- Verify VerdictBundleBuilder.Build produces content-addressed BundleId (sha256:...)
- Test BundleDigest is deterministic for same EWS result and policy inputs
- Verify gate evaluation integrates with GateEvaluator for allow/warn/block decisions
- Test VerdictSigningService produces valid DSSE signatures on verdict bundles
- Verify VerdictRekorAnchorService submits to Rekor and retrieves inclusion proof
- Test Rekor inclusion proof verification detects tampered entries
- Verify ScoringManifestVersioner bumps versions correctly for manifest changes
- Test VEX override correctly modifies final score when not_affected VEX status applies
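The Rekor anchoring entries in Implementation Details (VerdictRekorAnchorService, .InclusionProof.cs) and the two Rekor items in the test plan above both come down to one check: an RFC 6962 Merkle inclusion proof, which is the tree construction Rekor's transparency log uses. The Go below is an added example, not the project's code and not Rekor's client library; the toy in-memory log, the entry bytes and the "bundle-N" names are constructed for the example. It builds proofs the way a log would, verifies them with only the data a client gets back (entry, index, tree size, proof hashes, root), and shows that a tampered entry, a wrong index or a truncated proof is rejected.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RFC 6962 hashing: leaves and interior nodes get different prefix bytes so a
// leaf value can never be passed off as a subtree root (second-preimage defence).
func hashLeaf(entry []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(entry)
	return h.Sum(nil)
}

func hashChildren(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// largestPow2Below returns the largest power of two strictly less than n (n >= 2).
func largestPow2Below(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// rootOf computes MTH(D[n]) of RFC 6962 section 2.1 for a toy in-memory log.
func rootOf(leaves [][]byte) []byte {
	switch n := len(leaves); n {
	case 0:
		return sha256.New().Sum(nil) // MTH({}) is SHA-256 of the empty string
	case 1:
		return hashLeaf(leaves[0])
	default:
		k := largestPow2Below(n)
		return hashChildren(rootOf(leaves[:k]), rootOf(leaves[k:]))
	}
}

// InclusionProof returns PATH(m, D[n]) of RFC 6962 section 2.1.1: the sibling
// hashes from leaf m up to the root, leaf side first. This is the log's job;
// a client only ever receives the result.
func InclusionProof(leaves [][]byte, m int) [][]byte {
	n := len(leaves)
	if n <= 1 {
		return nil
	}
	k := largestPow2Below(n)
	if m < k {
		return append(InclusionProof(leaves[:k], m), rootOf(leaves[k:]))
	}
	return append(InclusionProof(leaves[k:], m-k), rootOf(leaves[:k]))
}

// VerifyInclusion is the client-side check of RFC 9162 section 2.1.3.2. treeSize
// and root must come from the same signed tree head (checkpoint) the log handed
// out: the path arithmetic alone cannot tell a root from a larger tree apart.
func VerifyInclusion(entry []byte, leafIndex, treeSize int64, proof [][]byte, root []byte) error {
	if leafIndex < 0 || leafIndex >= treeSize {
		return errors.New("inclusion: leaf index outside tree")
	}
	fn, sn := leafIndex, treeSize-1
	r := hashLeaf(entry)
	for _, p := range proof {
		if sn == 0 {
			return errors.New("inclusion: proof longer than tree depth")
		}
		if fn&1 == 1 || fn == sn {
			r = hashChildren(p, r) // we are the right child; sibling is on the left
			for fn&1 == 0 && fn != 0 { // skip levels where the right subtree is incomplete
				fn >>= 1
				sn >>= 1
			}
		} else {
			r = hashChildren(r, p) // left child; sibling is on the right
		}
		fn >>= 1
		sn >>= 1
	}
	if sn != 0 {
		return errors.New("inclusion: proof too short for tree size")
	}
	if !bytes.Equal(r, root) {
		return errors.New("inclusion: recomputed root does not match log root")
	}
	return nil
}

func main() {
	// Constructed sample: five entries (think: canonical DSSE envelopes) in a toy log.
	entries := [][]byte{[]byte("bundle-0"), []byte("bundle-1"), []byte("bundle-2"), []byte("bundle-3"), []byte("bundle-4")}
	root := rootOf(entries)
	proof := InclusionProof(entries, 2)
	fmt.Println("genuine entry:  ", VerifyInclusion(entries[2], 2, 5, proof, root))
	fmt.Println("tampered entry: ", VerifyInclusion([]byte("bundle-2-edited"), 2, 5, proof, root))
	fmt.Println("wrong index:    ", VerifyInclusion(entries[2], 3, 5, proof, root))
	fmt.Println("truncated proof:", VerifyInclusion(entries[2], 2, 5, proof[:len(proof)-1], root))
}
```

The practical point is in the caveat on VerifyInclusion: an inclusion proof binds an entry to a root and tree size, and only the log's signature over that tree head binds the root to the log. An anchor verifier that accepts whatever root is embedded next to the proof, without checking the checkpoint signature against the log's key, is verifying a tree the attacker is free to construct.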