# Deterministic SBOM-to-VEX Pipeline with Signed State Transitions

## Module

Policy

## Status

IMPLEMENTED

## Description

Full verdict pipeline determinism tests, SBOM determinism validation, determinism gate infrastructure, baseline store, and manifest writer for verifying byte-identical outputs from identical inputs.

## Implementation Details

- **Determinization Gate**: `src/Policy/StellaOps.Policy.Engine/Gates/Determinization/DeterminizationGate.cs` -- determinization gate implementation
  - `ISignalSnapshotBuilder` -- interface for building signal snapshots
  - `SignalSnapshotBuilder.cs` -- builds signal snapshots so that evaluation reads frozen signals rather than live data
  - `DeterminizationGateMetrics.cs` -- metrics tracking for determinization gates
- **Determinism Guard Service**: `src/Policy/StellaOps.Policy.Engine/DeterminismGuard/DeterminismGuardService.cs`
  - Static analysis via `ProhibitedPatternAnalyzer` detects non-deterministic patterns in evaluation code
  - Runtime monitoring via `RuntimeDeterminismMonitor`
  - `GuardedPolicyEvaluator` wraps evaluation with pre- and post-evaluation determinism checks
- **Determinization Library**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/`
  - `DeterminizationOptions.cs` -- configuration for determinization behavior
  - `IDeterminizationConfigStore.cs` -- persisted configuration for reanalysis rules
  - `Evidence/` -- evidence models for determinization decisions
  - `Models/` -- determinization data models
  - `Scoring/` -- scoring models for determinization
- **Knowledge Snapshot Pipeline**: `src/Policy/__Libraries/StellaOps.Policy/Snapshots/`
  - `KnowledgeSnapshotManifest.cs` -- pins all inputs (SBOM, feeds, policy) by digest
  - `SnapshotAwarePolicyEvaluator.cs` -- evaluates against the frozen snapshot state
  - `SnapshotIdGenerator.cs` -- content-addressed snapshot IDs
- **VEX State Transitions**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - Validates VEX status transitions (`not_affected`, `affected`, `under_investigation`, `fixed`)
  - Requires a DSSE-attested `graphHash` and a path analysis before a transition to `not_affected` is accepted
- **Attestation Services**: `src/Policy/StellaOps.Policy.Engine/Attestation/`
  - `VerdictAttestationService.cs` -- signs verdict decisions with DSSE
  - `PolicyDecisionAttestationService.cs` -- signs policy decisions
  - `ScoringDeterminismVerifier.cs` -- verifies scoring determinism
- **Determinism Verification Endpoints**: `src/Policy/StellaOps.Policy.Engine/Endpoints/VerifyDeterminismEndpoints.cs`
- **Determinization Config Endpoints**: `src/Policy/StellaOps.Policy.Engine/Endpoints/DeterminizationConfigEndpoints.cs`

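
The two properties the snapshot pipeline and the gate rely on are that a snapshot's ID is a pure function of the digests it pins, and that an evaluator run against a frozen snapshot emits byte-identical output every time. The following is an added example, not StellaOps code: it uses hypothetical types (`KnowledgeSnapshotManifest`, `DeterminismGate`, `Digest`) with a simple line-based canonical encoding of my own choosing, and models the gate as "evaluate twice, compare digests". It assumes .NET 6 or later for `SHA256.HashData` and `Convert.ToHexString`; all input digests are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical manifest: pins each input the evaluator may read, by digest only.
public sealed record KnowledgeSnapshotManifest(
    string SbomDigest,
    IReadOnlyDictionary<string, string> FeedDigests,   // advisory feed name -> sha256 hex
    string PolicyDigest)
{
    // Canonical encoding: fixed field order, feeds sorted by ordinal key, one
    // entry per line. Changing any pinned digest changes this text.
    public string Canonical()
    {
        var sb = new StringBuilder();
        sb.Append("sbom=").Append(SbomDigest).Append('\n');
        foreach (var kv in FeedDigests.OrderBy(kv => kv.Key, StringComparer.Ordinal))
            sb.Append("feed:").Append(kv.Key).Append('=').Append(kv.Value).Append('\n');
        sb.Append("policy=").Append(PolicyDigest).Append('\n');
        return sb.ToString();
    }

    // Content-addressed ID: sha256 of the canonical encoding, so equal inputs
    // always yield the same ID and any changed input yields a different one.
    public string SnapshotId() => Digest.Sha256Hex(Canonical());
}

public static class Digest
{
    public static string Sha256Hex(byte[] data) =>
        Convert.ToHexString(SHA256.HashData(data)).ToLowerInvariant();

    public static string Sha256Hex(string text) => Sha256Hex(Encoding.UTF8.GetBytes(text));
}

// Hypothetical gate: evaluates the same frozen snapshot twice and only reports
// a verdict digest as deterministic when both runs produced identical bytes.
public static class DeterminismGate
{
    public static (bool Deterministic, string VerdictDigest) Run(
        KnowledgeSnapshotManifest snapshot,
        Func<KnowledgeSnapshotManifest, byte[]> evaluate)
    {
        string first = Digest.Sha256Hex(evaluate(snapshot));
        string second = Digest.Sha256Hex(evaluate(snapshot));
        return (first == second, first);
    }
}

public static class Program
{
    // Constructed input digests standing in for real SBOM, feed and policy hashes.
    static KnowledgeSnapshotManifest Snapshot(string sbomContent) => new(
        Digest.Sha256Hex(sbomContent),
        new Dictionary<string, string>
        {
            ["nvd"] = Digest.Sha256Hex("nvd feed, constructed"),
            ["osv"] = Digest.Sha256Hex("osv feed, constructed"),
        },
        Digest.Sha256Hex("policy v1, constructed"));

    // Output depends only on the snapshot, so it passes the gate.
    static byte[] GoodEvaluator(KnowledgeSnapshotManifest s) =>
        Encoding.UTF8.GetBytes("verdict for " + s.SnapshotId());

    // Mixes a random value into the output: the kind of prohibited pattern a
    // static analyzer should flag, and what the gate catches at runtime.
    static byte[] BadEvaluator(KnowledgeSnapshotManifest s) =>
        Encoding.UTF8.GetBytes("verdict for " + s.SnapshotId() + " " + Guid.NewGuid());

    public static void Main()
    {
        var a1 = Snapshot("sbom A, constructed");
        var a2 = Snapshot("sbom A, constructed");   // same inputs, rebuilt from scratch
        var b  = Snapshot("sbom B, constructed");   // one input changed

        Console.WriteLine($"same inputs, same id:    {a1.SnapshotId() == a2.SnapshotId()}");
        Console.WriteLine($"changed SBOM, same id:   {a1.SnapshotId() == b.SnapshotId()}");

        var good = DeterminismGate.Run(a1, GoodEvaluator);
        var bad  = DeterminismGate.Run(a1, BadEvaluator);
        Console.WriteLine($"good evaluator passes:   {good.Deterministic} ({good.VerdictDigest})");
        Console.WriteLine($"random evaluator passes: {bad.Deterministic}");
    }
}
```

Rebuilding the manifest from the same inputs yields the same ID, changing the SBOM digest yields a different one, and the evaluator that mixes in a `Guid` fails the gate while the pure one passes. The sorted, fixed-order encoding is the part that matters: if the feed dictionary were serialized in insertion order, two manifests with the same pinned inputs could produce different IDs, which is exactly the false "drift" the determinism tests are meant to rule out.
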
## E2E Test Plan

- [ ] Run the verdict pipeline twice with identical SBOM and advisory inputs; verify the output digests are byte-identical
- [ ] Build a signal snapshot with `SignalSnapshotBuilder`; verify the snapshot captures every signal the evaluation reads
- [ ] Run determinism guard analysis on the evaluation code; verify no prohibited patterns are detected
- [ ] Modify the SBOM input and re-run the pipeline; verify the output digest changes
- [ ] Verify a VEX state transition from `under_investigation` to `not_affected` is rejected unless `graphHash` and `pathAnalysis` evidence are present
- [ ] Sign a verdict with `VerdictAttestationService`; verify the DSSE envelope is valid
- [ ] Verify `ScoringDeterminismVerifier` detects scoring drift when weights change
- [ ] POST to the determinization config endpoint; verify the configuration is persisted and retrievable
- [ ] Run the determinization gate with a signal snapshot; verify the gate uses the snapshot signals, not live data
- [ ] Verify the knowledge snapshot manifest contains content-addressed IDs for all input sources
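
The VEX transition rule listed under Implementation Details and checked in the test plan above, as an added example that is not the project's `PolicyGateEvaluator`: a transition validator that admits `not_affected` only when the request carries a `graphHash` the DSSE verifier accepted and a path analysis. The transition table, the `VexTransitionValidator` and `TransitionEvidence` names, and the boolean standing in for the outcome of DSSE verification are all assumptions of this example; the graph hash and path-analysis text are constructed.

```csharp
#nullable enable
using System;
using System.Collections.Generic;

public enum VexStatus { UnderInvestigation, Affected, NotAffected, Fixed }

// Evidence attached to a proposed transition. GraphHashDsseVerified stands in for
// the result of verifying the DSSE envelope that carries graphHash (assumed here).
public sealed record TransitionEvidence(string? GraphHash, bool GraphHashDsseVerified, string? PathAnalysis);

public sealed record TransitionResult(bool Allowed, string Reason);

public static class VexTransitionValidator
{
    // Assumed state machine: under_investigation may resolve to any status,
    // affected may become fixed or be re-evaluated as not_affected, and a
    // resolved status may be reopened. Anything else is rejected.
    private static readonly HashSet<(VexStatus From, VexStatus To)> AllowedEdges = new()
    {
        (VexStatus.UnderInvestigation, VexStatus.Affected),
        (VexStatus.UnderInvestigation, VexStatus.NotAffected),
        (VexStatus.UnderInvestigation, VexStatus.Fixed),
        (VexStatus.Affected, VexStatus.Fixed),
        (VexStatus.Affected, VexStatus.NotAffected),
        (VexStatus.NotAffected, VexStatus.UnderInvestigation),
        (VexStatus.Fixed, VexStatus.UnderInvestigation),
    };

    public static TransitionResult Validate(VexStatus from, VexStatus to, TransitionEvidence? evidence)
    {
        if (from == to)
            return new(false, "no-op transition");
        if (!AllowedEdges.Contains((from, to)))
            return new(false, $"transition {from} -> {to} is not permitted");

        if (to == VexStatus.NotAffected)
        {
            // not_affected suppresses a finding, so it must be backed by attested
            // reachability evidence rather than an unsupported assertion.
            if (evidence is null)
                return new(false, "not_affected requires evidence");
            if (string.IsNullOrWhiteSpace(evidence.GraphHash))
                return new(false, "not_affected requires graphHash");
            if (!evidence.GraphHashDsseVerified)
                return new(false, "graphHash is not DSSE-attested");
            if (string.IsNullOrWhiteSpace(evidence.PathAnalysis))
                return new(false, "not_affected requires pathAnalysis");
        }
        return new(true, "ok");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed evidence: a graph hash the assumed DSSE verifier accepted,
        // plus a path-analysis summary.
        var attested = new TransitionEvidence(
            GraphHash: "9f1c4b2e0a7d3c5e8b6a1f0d2c4e6a8b0c2d4e6f8a0b2c4d6e8f0a1b3c5d7e9f",
            GraphHashDsseVerified: true,
            PathAnalysis: "no call path from any entrypoint to the vulnerable function");
        var unattested = attested with { GraphHashDsseVerified = false };
        var noPathAnalysis = attested with { PathAnalysis = null };

        Print(VexStatus.UnderInvestigation, VexStatus.NotAffected, attested);
        Print(VexStatus.UnderInvestigation, VexStatus.NotAffected, unattested);
        Print(VexStatus.UnderInvestigation, VexStatus.NotAffected, noPathAnalysis);
        Print(VexStatus.UnderInvestigation, VexStatus.NotAffected, null);
        Print(VexStatus.UnderInvestigation, VexStatus.Affected, null);   // no evidence required
        Print(VexStatus.Fixed, VexStatus.Affected, attested);            // not an allowed edge
    }

    static void Print(VexStatus from, VexStatus to, TransitionEvidence? evidence)
    {
        var result = VexTransitionValidator.Validate(from, to, evidence);
        Console.WriteLine($"{from} -> {to}: {(result.Allowed ? "allowed" : "rejected")} ({result.Reason})");
    }
}
```

Only the first call is allowed; the next three are rejected for, respectively, an unverified attestation, a missing path analysis and missing evidence, which is the behaviour the `under_investigation` to `not_affected` check in the test plan is looking for. Keeping the evidence checks separate from the edge table means an attacker who can write to the VEX store still cannot silence a finding without also producing a graph hash that passes DSSE verification.
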