7503c19b8f
- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering. - Created helper methods for generating sample verdict inputs and computing canonical hashes. - Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics. - Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
1.3 KiB
1.3 KiB
VEX Consensus Algorithm (Deterministic)
This document describes the consensus computation at a high level. It is not an API contract; see docs/vex/consensus-json.md and docs/vex/consensus-api.md for payload and endpoint details.
Inputs
- Normalized VEX tuples (status, justification, scope, timestamp, source digest)
- Issuer trust registry (tiers, weights, verification state)
- Optional policy precedence rules for how to treat conflicts
Grouping and Ordering
- Group tuples by correlation key (typically
(artifactId/productKey, vulnerabilityId)per tenant). - Apply a stable sort for evaluation, commonly:
- Most recent statement first (timestamp)
- Higher trust tier/weight first
- Higher verification confidence first
Ordering must be deterministic for identical inputs.
Lattice Join
Consensus uses a lattice-style join to avoid false safety:
- Model states with an explicit uncertainty ordering (e.g.,
unknownandunder_investigationremain meaningful outcomes). - Preserve conflicts when competing issuers disagree at comparable precedence.
The output includes:
- Effective status
- Confidence/weight summary
- References to source statements (digests)
- Conflict list (who disagrees and how)
References
docs/modules/vex-lens/architecture.md