git.stella-ops.org/docs/features/unchecked/binaryindex/cross-distro-golden-set-for-backport-validation.md

Cross-Distro Golden Set for Backport Validation

Module: BinaryIndex

Status: IMPLEMENTED

Description

Golden set infrastructure exists in BinaryIndex, with an analysis pipeline and an API. The detailed curated test cases the advisory calls for (OpenSSL Heartbleed, sudo Baron Samedit, etc.) and the specific database schema it describes may not be fully in place yet.

What's Implemented

  • Golden Set Infrastructure: src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GoldenSet/ - full authoring, validation, storage, serialization
    • GoldenSetExtractor, NvdGoldenSetExtractor - extraction from NVD data
    • GoldenSetEnrichmentService - enriches golden sets with function hints
    • GoldenSetValidator, ICveValidator - validation pipeline
    • PostgresGoldenSetStore - PostgreSQL storage
    • GoldenSetYamlSerializer - YAML serialization
  • Analysis Pipeline: GoldenSetAnalysisPipeline (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/) - runs analysis against golden set definitions
  • API Controller: GoldenSetController (src/BinaryIndex/StellaOps.BinaryIndex.WebService/Controllers/) - CRUD and listing endpoints
  • Corpus Connectors: Alpine (AlpineCorpusConnector), Debian (DebianCorpusConnector), RPM (RpmCorpusConnector) for cross-distro support
  • Validation Harness: ValidationHarness and ValidationHarnessService for running golden set tests

What's Missing

  • Curated cross-distro test cases for high-impact CVEs (OpenSSL Heartbleed CVE-2014-0160, sudo Baron Samedit CVE-2021-3156, etc.) may not be fully populated in the golden set database
  • Cross-distro coverage matrix (Alpine vs Debian vs RHEL backport variations for the same CVE) may need population
  • Automated golden set population pipeline from NVD for new CVEs

Implementation Plan

  • Populate golden set database with curated cross-distro test cases for high-impact CVEs
  • Validate backport detection accuracy across Alpine, Debian, and RHEL for each curated CVE
  • Build automated pipeline to generate cross-distro golden set entries from NVD advisories
  • Add cross-distro regression test suite using existing ValidationHarness infrastructure
  • Golden set schema: src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GoldenSet/Models/GoldenSetDefinition.cs
  • Authoring workflow: src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GoldenSet/Authoring/
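The reason a cross-distro golden set is needed is that distros backport fixes without bumping the upstream version, so a detector that compares only upstream versions flags patched packages as vulnerable. The following Python example is added here to make the validation and coverage-matrix steps concrete; it is not the project's C# code, and the GoldenCase shape, the sample package versions and the naive detector are constructed for illustration, not taken from GoldenSetDefinition.cs or the real golden data.

```python
import re
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class GoldenCase:
    """One curated cross-distro test case (hypothetical shape, not the project's schema)."""
    cve: str
    distro: str                # "alpine", "debian" or "rhel"
    package: str
    version: str               # version string as shipped by the distro
    upstream_version: str      # upstream release the package is built from
    expected_vulnerable: bool  # curated ground truth: False when the fix was backported

# Constructed sample set; the package version strings are illustrative, not real golden data.
GOLDEN_SET = [
    GoldenCase("CVE-2014-0160", "debian", "openssl", "1.0.1e-2+deb7u5", "1.0.1e", False),  # backport
    GoldenCase("CVE-2014-0160", "debian", "openssl", "1.0.1e-2", "1.0.1e", True),
    GoldenCase("CVE-2014-0160", "alpine", "openssl", "1.0.1g-r0", "1.0.1g", False),
    GoldenCase("CVE-2021-3156", "rhel", "sudo", "1.8.23-10.el7_9.1", "1.8.23", False),     # backport
    GoldenCase("CVE-2021-3156", "rhel", "sudo", "1.8.23-10.el7", "1.8.23", True),
]
# Upstream release that fixed each CVE; the naive detector knows nothing else.
FIXED_UPSTREAM = {"CVE-2014-0160": "1.0.1g", "CVE-2021-3156": "1.9.5p2"}

def version_key(v):
    """Sortable key: numeric parts compare numerically, letter suffixes lexically."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[a-z]+", v)]

def naive_vulnerable(case):
    """Upstream-version-only check: flags any release older than the upstream fix."""
    return version_key(case.upstream_version) < version_key(FIXED_UPSTREAM[case.cve])

def evaluate(golden, detector):
    """Per-distro accuracy of `detector` against the curated expectations."""
    stats = defaultdict(lambda: {"total": 0, "correct": 0, "false_positive": 0})
    for case in golden:
        s, verdict = stats[case.distro], detector(case)
        s["total"] += 1
        s["correct"] += int(verdict == case.expected_vulnerable)
        s["false_positive"] += int(verdict and not case.expected_vulnerable)
    return dict(stats)

def coverage_gaps(golden, distros):
    """(cve, distro) pairs with no curated case: the unpopulated cells of the matrix."""
    have = {(c.cve, c.distro) for c in golden}
    cves = sorted({c.cve for c in golden})
    return [(cve, d) for cve in cves for d in sorted(distros) if (cve, d) not in have]
```

Running `evaluate(GOLDEN_SET, naive_vulnerable)` shows one false positive each on Debian and RHEL (the backported builds), which is exactly the regression a curated golden set is meant to catch, while `coverage_gaps` lists the CVE/distro cells still to be populated.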