stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
3ba7157b00e8b08defbcdb810d023038ec0f8bc7
git.stella-ops.org/etc/trust-lattice.yaml.sample

73 lines
3.3 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Trust Lattice Configuration for VEX Source Scoring
# This file defines the default trust vectors and weights for evaluating VEX sources
# Default trust weights for combining P/C/R components
# These weights are used when computing the base trust score
# Formula: BaseTrust = (wP × P) + (wC × C) + (wR × R)
defaultWeights:
provenance: 0.45 # Weight for provenance score (crypto & process integrity)
coverage: 0.35 # Weight for coverage score (scope match precision)
replayability: 0.20 # Weight for replayability score (determinism & pinning)
# Default trust vectors for source classifications
# These are fallback values when a source doesn't have explicit configuration
defaultVectors:
# Vendor-published VEX statements (e.g., Red Hat, Oracle, Microsoft)
vendor:
provenance: 0.90 # High - official vendor channels with signing
coverage: 0.85 # High - vendor knows their own products
replayability: 0.70 # Medium-High - usually versioned but may lack pinning
# Distribution-published VEX (e.g., Ubuntu, Debian, Alpine)
distro:
provenance: 0.85 # High - official distro channels
coverage: 0.90 # Very High - distros track OS packages precisely
replayability: 0.75 # Medium-High - pinned to distro versions
# Third-party aggregators/hubs (e.g., SUSE Rancher VEX Hub)
hub:
provenance: 0.75 # Medium-High - depends on hub's verification process
coverage: 0.70 # Medium - may aggregate from various sources
replayability: 0.60 # Medium - varies by hub's data model
# Platform-specific VEX (e.g., OCI attestations, cloud provider advisories)
platform:
provenance: 0.80 # Medium-High - platform signing available
coverage: 0.75 # Medium-High - platform-aware matching
replayability: 0.65 # Medium - depends on platform's commitment
# User-supplied/internal VEX statements
internal:
provenance: 0.70 # Medium - internal PKI or unsigned
coverage: 0.95 # Very High - organization knows its own environment
replayability: 0.85 # High - controlled by organization
# Claim strength multipliers
# These adjust the base trust score based on claim metadata
claimStrength:
high: 1.0 # Full trust (e.g., cryptographic proof, reachability analysis)
medium: 0.9 # Slightly reduced (e.g., heuristic evidence, manual analysis)
low: 0.75 # Significantly reduced (e.g., speculation, incomplete data)
unspecified: 0.8 # Conservative default when strength not provided
# Freshness decay configuration
# Older VEX claims are less trustworthy than recent ones
freshnessDecay:
enabled: true
halfLifeDays: 90 # Freshness drops to 50% after this many days
minimumFreshness: 0.5 # Floor to prevent complete dismissal of old claims
# Override: Never apply freshness decay to certain statuses
# These statuses are considered "timeless" facts
exemptStatuses:
- fixed # Fix remains valid
- notAffected # Not-affected is structural, doesn't decay
# Environment variable overrides
# These can be set to override file-based configuration at runtime
# STELLAOPS_TRUST_LATTICE_DEFAULT_WP=0.45
# STELLAOPS_TRUST_LATTICE_DEFAULT_WC=0.35
# STELLAOPS_TRUST_LATTICE_DEFAULT_WR=0.20
# STELLAOPS_TRUST_LATTICE_FRESHNESS_HALFLIFE_DAYS=90
Reference in New Issue View Git Blame Copy Permalink