using StellaOps.Replay.Core;
namespace StellaOps.Scanner.ProofSpine;
/// <summary>
/// Represents a complete verifiable decision chain from SBOM to VEX verdict.
/// </summary>
/// <remarks>
/// This is a plain positional record: it carries the values only and performs no
/// validation on construction. In particular, <paramref name="RootHash"/> is not
/// recomputed from <paramref name="Segments"/> here, so a consumer that relies on the
/// spine being tamper-evident must verify the root hash, the per-segment hash chain and
/// the DSSE envelopes itself (presumably done elsewhere in the pipeline — confirm).
/// </remarks>
/// <param name="SpineId">Content-addressed ID of this proof spine.</param>
/// <param name="ArtifactId">The artifact (container image, package) this spine evaluates.</param>
/// <param name="VulnerabilityId">The vulnerability ID being evaluated.</param>
/// <param name="PolicyProfileId">The policy profile used for evaluation.</param>
/// <param name="Segments">Ordered list of evidence segments in the proof chain.</param>
/// <param name="Verdict">Final verdict (affected, not_affected, fixed, under_investigation). Stored as a free-form string; the listed values are a documentation convention, not enforced by the type.</param>
/// <param name="VerdictReason">Human-readable explanation of the verdict.</param>
/// <param name="RootHash">Merkle root hash of all segment hashes.</param>
/// <param name="ScanRunId">ID of the scan run that produced this spine.</param>
/// <param name="CreatedAt">When this spine was created.</param>
/// <param name="SupersededBySpineId">If superseded, the ID of the newer spine; <c>null</c> otherwise. Note this parameter has no default, unlike the two that follow it.</param>
/// <param name="GraphRootAttestationId">Optional: Content-addressed ID of the graph root attestation.</param>
/// <param name="GraphRootEnvelope">Optional: DSSE envelope containing the graph root attestation.</param>
public sealed record ProofSpine(
    string SpineId,
    string ArtifactId,
    string VulnerabilityId,
    string PolicyProfileId,
    IReadOnlyList<ProofSegment> Segments,
    string Verdict,
    string VerdictReason,
    string RootHash,
    string ScanRunId,
    DateTimeOffset CreatedAt,
    string? SupersededBySpineId,
    string? GraphRootAttestationId = null,
    DsseEnvelope? GraphRootEnvelope = null);
/// <summary>
/// A single evidence segment in the proof chain.
/// </summary>
/// <remarks>
/// Positional record with no constructor logic; none of the hashes are checked against
/// <paramref name="Envelope"/> or against the neighbouring segment at construction time.
/// </remarks>
/// <param name="SegmentId">Identifier of this segment.</param>
/// <param name="SegmentType">Which stage of the chain this segment represents (see <see cref="ProofSegmentType"/>).</param>
/// <param name="Index">Position of this segment within its parent chain (presumably matches its order in <c>ProofSpine.Segments</c> — confirm with the producer).</param>
/// <param name="InputHash">Hash of the data this segment consumed.</param>
/// <param name="ResultHash">Hash of the result this segment produced.</param>
/// <param name="PrevSegmentHash">Hash linking to the preceding segment; nullable, presumably <c>null</c> only for the first segment — confirm.</param>
/// <param name="Envelope">DSSE envelope carrying the segment's signed statement. The <c>DsseEnvelope</c> type is not declared in this file (likely from the <c>StellaOps.Replay.Core</c> import).</param>
/// <param name="ToolId">Identifier of the tool that produced this segment.</param>
/// <param name="ToolVersion">Version of that tool.</param>
/// <param name="Status">Verification status of the segment (see <see cref="ProofSegmentStatus"/>).</param>
/// <param name="CreatedAt">When this segment was created.</param>
public sealed record ProofSegment(
    string SegmentId,
    ProofSegmentType SegmentType,
    int Index,
    string InputHash,
    string ResultHash,
    string? PrevSegmentHash,
    DsseEnvelope Envelope,
    string ToolId,
    string ToolVersion,
    ProofSegmentStatus Status,
    DateTimeOffset CreatedAt);
/// <summary>
/// A single named condition evaluated during guard analysis, together with its outcome.
/// </summary>
/// <param name="Name">Name of the condition.</param>
/// <param name="Type">Kind of condition; free-form string, the set of valid values is not defined in this file.</param>
/// <param name="Value">Value the condition was evaluated against, as a string.</param>
/// <param name="Passed"><c>true</c> if the condition was satisfied; <c>false</c> otherwise.</param>
public sealed record GuardCondition(
    string Name,
    string Type,
    string Value,
    bool Passed);
/// <summary>
/// Segment types in execution order.
/// </summary>
/// <remarks>
/// Values are explicit and start at 1, so <c>default(ProofSegmentType)</c> (0) is not a
/// valid member; treat a zero value as unset/invalid when deserialising.
/// </remarks>
public enum ProofSegmentType
{
    /// <summary>Extraction of the relevant SBOM slice.</summary>
    SbomSlice = 1,
    /// <summary>Vulnerability-to-component match.</summary>
    Match = 2,
    /// <summary>Reachability analysis.</summary>
    Reachability = 3,
    /// <summary>Guard-condition analysis.</summary>
    GuardAnalysis = 4,
    /// <summary>Observation gathered at runtime.</summary>
    RuntimeObservation = 5,
    /// <summary>Policy evaluation producing the final verdict.</summary>
    PolicyEval = 6
}
/// <summary>
/// Verification status of a segment.
/// </summary>
/// <remarks>
/// <see cref="Pending"/> is 0 and therefore the default value; a segment whose status was
/// never set reads as not-yet-verified rather than as verified.
/// </remarks>
public enum ProofSegmentStatus
{
    /// <summary>Verification has not been performed yet (default value).</summary>
    Pending = 0,
    /// <summary>Segment verified successfully.</summary>
    Verified = 1,
    /// <summary>Only part of the segment could be verified.</summary>
    Partial = 2,
    /// <summary>Verification failed.</summary>
    Invalid = 3,
    /// <summary>Segment comes from a source that is not trusted.</summary>
    Untrusted = 4
}