# Suppression Witness Proof Model (DSSE-Signable Not-Affected Evidence)

## Module

Scanner

## Status

VERIFIED

## Description

A DSSE-signable proof model documenting why a vulnerability is NOT exploitable (unreachable code, linker GC, feature flag off, patched symbol, gate blocked, etc.). It complements PathWitness, which documents why code IS reachable. Includes 10 suppression types and content-addressed witness IDs.

## Implementation Details

- **Suppression Witness Model**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitness.cs` - `SuppressionWitness` model with 10 suppression types (unreachable code, linker GC, feature flag off, patched symbol, gate blocked, etc.) and content-addressed witness IDs
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitnessSchema.cs` - JSON schema definition for suppression witness validation
- **Builder**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitnessBuilder.cs` - `SuppressionWitnessBuilder` constructing suppression witnesses with evidence chains and suppression type classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ISuppressionWitnessBuilder.cs` - Interface for suppression witness construction
- **DSSE Signing**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionDsseSigner.cs` - `SuppressionDsseSigner` signing suppression witnesses using DSSE envelopes
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ISuppressionDsseSigner.cs` - Interface for suppression DSSE signing
- **Content-Addressed IDs**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ClaimIdGenerator.cs` - `ClaimIdGenerator` generating deterministic, content-addressed witness IDs
- **DI Registration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitnessServiceCollectionExtensions.cs` - DI registration for suppression witness services

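The two properties the module depends on, a deterministic content-addressed witness ID and a DSSE signature over the witness payload, as an added C# sketch that is not code from the StellaOps repository. The `SuppressionType` subset (five of the 10 types the page names), the payload media type, the evidence line and the ephemeral key are all assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Hypothetical subset of the suppression types the page names; the real enum lives in SuppressionWitness.cs.
enum SuppressionType { UnreachableCode, LinkerGc, FeatureFlagOff, PatchedSymbol, GateBlocked }

static class SuppressionWitnessDemo
{
    // Canonical form: ordinal-sorted keys, no whitespace, so identical evidence yields identical bytes.
    static byte[] Canonical(SuppressionType type, string vulnId, IReadOnlyList<string> evidence) =>
        JsonSerializer.SerializeToUtf8Bytes(new SortedDictionary<string, object>(StringComparer.Ordinal)
        {
            ["evidence"] = evidence,
            ["suppressionType"] = type.ToString(),
            ["vulnerabilityId"] = vulnId,
        });

    // Content-addressed ID: a hash of the canonical bytes, so the ID changes only when the evidence changes.
    static string WitnessId(byte[] canonical) => "sha256:" + Convert.ToHexString(SHA256.HashData(canonical)).ToLowerInvariant();

    // DSSE pre-authentication encoding (PAE): "DSSEv1 <len(type)> <type> <len(body)> <body>"; the signature covers this.
    static byte[] Pae(string payloadType, byte[] payload)
    {
        var header = Encoding.UTF8.GetBytes($"DSSEv1 {Encoding.UTF8.GetByteCount(payloadType)} {payloadType} {payload.Length} ");
        return header.Concat(payload).ToArray();
    }

    static void Main()
    {
        // Constructed evidence line; the vulnerability ID is a placeholder, not a real advisory.
        var evidence = new[] { "symbol parse_hdr is not on any call path from an entrypoint" };
        byte[] witness = Canonical(SuppressionType.UnreachableCode, "CVE-XXXX-PLACEHOLDER", evidence);
        Console.WriteLine(WitnessId(witness) == WitnessId(Canonical(SuppressionType.UnreachableCode, "CVE-XXXX-PLACEHOLDER", evidence))); // True: deterministic
        const string payloadType = "application/vnd.stellaops.suppression-witness+json"; // assumed media type
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256); // ephemeral demo key, not a project signing key
        byte[] sig = key.SignData(Pae(payloadType, witness), HashAlgorithmName.SHA256);
        string envelope = JsonSerializer.Serialize(new { payloadType, payload = Convert.ToBase64String(witness),
            signatures = new[] { new { keyid = "demo-key", sig = Convert.ToBase64String(sig) } } });
        Console.WriteLine(envelope);
        // Verifier side: decode the payload, rebuild the PAE, check the signature, then recompute the ID from the payload.
        byte[] payload = Convert.FromBase64String(JsonDocument.Parse(envelope).RootElement.GetProperty("payload").GetString()!);
        bool ok = key.VerifyData(Pae(payloadType, payload), sig, HashAlgorithmName.SHA256) && WitnessId(payload) == WitnessId(witness);
        Console.WriteLine(ok); // True
    }
}
```

A verifier that recomputes the ID from the decoded payload, rather than trusting an ID field carried alongside it, is what makes the content addressing meaningful.
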
## E2E Test Plan

- [ ] Create a suppression witness for an unreachable code path and verify the witness includes the suppression type "UnreachableCode" with evidence
- [ ] Create a suppression witness for linker GC (dead code elimination) and verify it documents the eliminated symbols
- [ ] Sign a suppression witness with DSSE and verify the envelope validates against the suppression witness schema
- [ ] Verify content-addressed witness IDs are deterministic (same evidence produces identical IDs)
- [ ] Verify suppression witnesses complement PathWitnesses by providing the inverse proof (not-affected vs. affected)
- [ ] Verify all 10 suppression types can be constructed and signed correctly

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |