git.stella-ops.org/bench
master b55d9fa68d
Add comprehensive security tests for OWASP A03 (Injection) and A10 (SSRF)
- Implemented InjectionTests.cs to cover various injection vulnerabilities including SQL, NoSQL, Command, LDAP, and XPath injections.
- Created SsrfTests.cs to test for Server-Side Request Forgery (SSRF) vulnerabilities, including internal URL access, cloud metadata access, and URL allowlist bypass attempts.
- Introduced MaliciousPayloads.cs to store a collection of malicious payloads for testing various security vulnerabilities.
- Added SecurityAssertions.cs for common security-specific assertion helpers.
- Established SecurityTestBase.cs as a base class for security tests, providing common infrastructure and mocking utilities.
- Configured the test project StellaOps.Security.Tests.csproj with necessary dependencies for testing.
2025-12-16 13:11:57 +02:00

Stella Ops Bench Repository

Status: Active · Last updated: 2025-12-13
Purpose: Host reproducible VEX decisions, reachability evidence, and comparison data proving Stella Ops' signal quality vs. baseline scanners.

Layout

bench/
  README.md                 # this file
  findings/                 # per CVE/product bundles
    CVE-YYYY-NNNNN/
      evidence/
        reachability.json   # richgraph-v1 excerpt
        sbom.cdx.json       # CycloneDX SBOM
      decision.openvex.json # OpenVEX decision
      decision.dsse.json    # DSSE envelope
      rekor.txt             # Rekor log index + inclusion proof
      metadata.json         # finding metadata (purl, CVE, version)
  tools/
    verify.sh               # DSSE + Rekor verifier (online)
    verify.py               # offline verifier
    compare.py              # baseline comparison script
    replay.sh               # runs reachability replay manifests
  results/
    summary.csv             # aggregated metrics
    runs/<date>/...         # raw outputs + replay manifests
  reachability-benchmark/   # reachability benchmark with JDK fixtures

Document                    Purpose
VEX Evidence Playbook       Proof bundle schema, justification catalog, verification workflow
Hybrid Attestation          Graph-level and edge-bundle DSSE decisions
Function-Level Evidence     Cross-module evidence chain guide
Deterministic Replay        Replay manifest specification

Verification Workflows

Quick Verification (Online)

# Verify a VEX proof bundle with DSSE and Rekor
./tools/verify.sh findings/CVE-2021-44228/decision.dsse.json

# Output:
# ✓ DSSE signature valid
# ✓ Rekor inclusion verified (log index: 12345678)
# ✓ Evidence hashes match
# ✓ Justification catalog membership confirmed

Offline Verification

# Verify without network access
python tools/verify.py \
  --bundle findings/CVE-2021-44228/decision.dsse.json \
  --cas-root ./findings/CVE-2021-44228/evidence/ \
  --catalog ../docs/benchmarks/vex-justifications.catalog.json

# Or use the VEX proof bundle verifier
python ../scripts/vex/verify_proof_bundle.py \
  --bundle ../tests/Vex/ProofBundles/sample-proof-bundle.json \
  --cas-root ../tests/Vex/ProofBundles/cas/

Reachability Graph Verification

# Verify graph DSSE
stella graph verify --hash blake3:a1b2c3d4...

# Verify with edge bundles
stella graph verify --hash blake3:a1b2c3d4... --include-bundles

# Offline with local CAS
stella graph verify --hash blake3:a1b2c3d4... --cas-root ./offline-cas/

Baseline Comparison

# Compare Stella Ops findings against baseline scanners
python tools/compare.py \
  --stellaops results/runs/2025-12-13/findings.json \
  --baseline results/baselines/trivy-latest.json \
  --output results/comparison-2025-12-13.csv

# Metrics generated:
# - True positives (reachability-confirmed)
# - False positives (unreachable code paths)
# - MTTD (mean time to detect)
# - Reproducibility score
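
The classification behind the first two metrics, as an added example that is not the repository's tools/compare.py: a baseline scanner finding is a true positive when Stella Ops' reachability evidence confirms the code path and a false positive when the path is unreachable. The record layout, the join on (CVE, purl), and the extra "no_evidence" and "baseline_miss" labels are this example's own assumptions; MTTD and the reproducibility score are not computed because the README does not define them.

```python
"""Added example, not the bench repository's tools/compare.py.

Joins Stella Ops findings (which carry a reachability verdict) with a baseline
scanner's findings on (CVE, purl) and labels each baseline finding as the README
defines: reachability-confirmed -> true positive, unreachable -> false positive.
Assumptions: record fields below are constructed; "no_evidence" and
"baseline_miss" are this example's own labels.
"""
import csv
import io
from collections import Counter
from typing import Dict, List

# Constructed sample inputs, not real results/runs/<date>/findings.json data.
STELLA_FINDINGS = [
    {"cve": "CVE-YYYY-00001", "purl": "pkg:maven/example/a@1.0", "reachable": True},
    {"cve": "CVE-YYYY-00002", "purl": "pkg:maven/example/b@2.0", "reachable": False},
    {"cve": "CVE-YYYY-00003", "purl": "pkg:maven/example/c@3.0", "reachable": True},
]
BASELINE_FINDINGS = [
    {"cve": "CVE-YYYY-00001", "purl": "pkg:maven/example/a@1.0"},
    {"cve": "CVE-YYYY-00002", "purl": "pkg:maven/example/b@2.0"},
    {"cve": "CVE-YYYY-00004", "purl": "pkg:maven/example/d@4.0"},
]


def classify(stella: List[dict], baseline: List[dict]) -> List[dict]:
    """Label each baseline finding using Stella's reachability verdict."""
    verdicts = {(f["cve"], f["purl"]): f["reachable"] for f in stella}
    seen = set()
    rows = []
    for f in baseline:
        key = (f["cve"], f["purl"])
        seen.add(key)
        if key not in verdicts:
            label = "no_evidence"      # baseline-only: nothing to confirm or refute
        elif verdicts[key]:
            label = "true_positive"    # reachability-confirmed
        else:
            label = "false_positive"   # unreachable code path
        rows.append({"cve": key[0], "purl": key[1], "class": label})
    # Reachable findings Stella reports that the baseline scanner did not.
    for key, reachable in sorted(verdicts.items()):
        if reachable and key not in seen:
            rows.append({"cve": key[0], "purl": key[1], "class": "baseline_miss"})
    return rows


def summarize(rows: List[dict]) -> Dict[str, int]:
    """Count rows per class; the input for an aggregated summary line."""
    return dict(Counter(r["class"] for r in rows))


def to_csv(rows: List[dict]) -> str:
    """Render the rows in a shape a results/comparison-<date>.csv could use."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["cve", "purl", "class"], lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = classify(STELLA_FINDINGS, BASELINE_FINDINGS)
    print(to_csv(rows))
    print(summarize(rows))
```

A baseline finding with no Stella record is deliberately kept separate from the false positives: without reachability evidence there is nothing to refute, and counting it as either class would inflate the comparison.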

Artifact Contracts

All bench artifacts must comply with:

  1. VEX Proof Bundle Schema (docs/benchmarks/vex-evidence-playbook.schema.json)
    • BLAKE3-256 primary hash, SHA-256 secondary
    • Canonical JSON with sorted keys
    • DSSE envelope with Rekor-ready digest
  2. Justification Catalog (docs/benchmarks/vex-justifications.catalog.json)
    • VEX1-VEX10 justification codes
    • Required evidence types per justification
    • Expiry and re-evaluation rules
  3. Reachability Graph (docs/contracts/richgraph-v1.md)
    • BLAKE3 graph_hash for content addressing
    • Deterministic node/edge ordering
    • SymbolID/EdgeID format compliance
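
The offline verification workflow and the first two artifact contracts, as an added example that is not the repository's tools/verify.py: canonical JSON with sorted keys, a per-file evidence digest, a DSSE envelope whose signature covers the DSSE pre-authentication encoding (PAE), and a justification code that must belong to the VEX1-VEX10 catalog. Everything below the contract is an assumption: the payload field names, the payloadType value, the in-memory CAS and sample finding are constructed, HMAC-SHA256 stands in for the asymmetric signature a real envelope carries (the envelope parsing and PAE reconstruction are what is demonstrated), and only the SHA-256 secondary hash is checked because BLAKE3 is not in the Python standard library.

```python
"""Added example, not the bench repository's tools/verify.py.

Offline checks on a DSSE-wrapped VEX decision following the artifact contract:
canonical JSON (sorted keys), an evidence digest per referenced file, a DSSE
envelope, and a justification drawn from the VEX1-VEX10 catalog.
Assumptions (not taken from the repository): payload field names and the
payloadType value are illustrative; HMAC-SHA256 over the DSSE PAE stands in
for the real asymmetric signature; only the SHA-256 secondary hash is checked.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Set

PAYLOAD_TYPE = "application/vnd.openvex+json"  # assumed payloadType value


def canonical_json(obj) -> bytes:
    """Canonical JSON: sorted keys, no insignificant whitespace, UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 Pre-Authentication Encoding: the bytes that are actually signed."""
    pt = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def make_envelope(statement: dict, key: bytes) -> dict:
    """Wrap a statement in a DSSE envelope (HMAC stand-in for the real signature)."""
    payload = canonical_json(statement)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": "constructed-demo-key",
                        "sig": base64.b64encode(sig).decode("ascii")}],
    }


def verify_envelope(envelope: dict, key: bytes) -> Optional[dict]:
    """Return the decoded statement if a signature verifies, else None.

    The PAE is rebuilt from the envelope's own payloadType and raw payload
    bytes, so changing either one invalidates the signature."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload),
                        hashlib.sha256).digest()
    for s in envelope.get("signatures", []):
        if hmac.compare_digest(base64.b64decode(s["sig"]), expected):
            return json.loads(payload)
    return None


def verify_evidence(statement: dict, cas: Dict[str, bytes]) -> List[str]:
    """Return evidence paths missing from the CAS or whose SHA-256 differs."""
    bad = []
    for ev in statement["evidence"]:
        blob = cas.get(ev["path"])
        if blob is None or hashlib.sha256(blob).hexdigest() != ev["sha256"]:
            bad.append(ev["path"])
    return bad


def verify_bundle(envelope: dict, key: bytes, cas: Dict[str, bytes],
                  catalog: Set[str]) -> List[str]:
    """Run the offline checks in order; an empty list means the bundle passes."""
    statement = verify_envelope(envelope, key)
    if statement is None:
        return ["dsse signature invalid"]  # nothing in the payload can be trusted
    failures = ["evidence hash mismatch: " + p
                for p in verify_evidence(statement, cas)]
    if statement["justification"] not in catalog:
        failures.append("unknown justification: " + statement["justification"])
    return failures


# Constructed sample data standing in for a findings/CVE-YYYY-NNNNN/ bundle.
CAS = {
    "evidence/reachability.json": canonical_json(
        {"graph_hash": "blake3:constructed", "reachable": False}),
    "evidence/sbom.cdx.json": canonical_json(
        {"bomFormat": "CycloneDX", "specVersion": "1.5"}),
}
STATEMENT = {
    "vulnerability": "CVE-YYYY-NNNNN",
    "product": "pkg:maven/example/app@1.0.0",
    "status": "not_affected",
    "justification": "VEX3",
    "evidence": [{"path": p, "sha256": hashlib.sha256(b).hexdigest()}
                 for p, b in sorted(CAS.items())],
}
KEY = b"constructed-demo-key"
CATALOG = {"VEX%d" % i for i in range(1, 11)}

if __name__ == "__main__":
    env = make_envelope(STATEMENT, KEY)
    print("clean bundle:", verify_bundle(env, KEY, CAS, CATALOG) or "OK")
    tampered = dict(CAS)
    tampered["evidence/sbom.cdx.json"] = b"{}"
    print("tampered CAS:", verify_bundle(env, KEY, tampered, CATALOG))
```

The signature check runs first and short-circuits: the evidence list and justification are read from the payload, so they mean nothing until the envelope has been authenticated, and a verifier that reported hash mismatches from an unsigned payload would be trusting attacker-controlled data to describe itself.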

CI Integration

The bench directory is validated by:

  • .gitea/workflows/vex-proof-bundles.yml - Verifies all proof bundles
  • .gitea/workflows/bench-determinism.yml - Runs determinism benchmarks
  • .gitea/workflows/hybrid-attestation.yml - Verifies graph/edge-bundle fixtures

Contributing

  1. Add new findings under findings/CVE-YYYY-NNNNN/
  2. Include all required evidence artifacts
  3. Generate DSSE envelope and Rekor proof
  4. Update results/summary.csv
  5. Run verification: ./tools/verify.sh findings/CVE-YYYY-NNNNN/decision.dsse.json