git.stella-ops.org/docs/features/unchecked/tools/golden-pairs-mirror-and-diff-pipeline.md

Golden Pairs Mirror and Diff Pipeline

Module: Tools
Status: IMPLEMENTED

Description

A package mirror service that downloads pre-patch/post-patch binary pairs from distribution repositories, and a diff pipeline service that runs section-hash diffing over each pair to produce golden diff reports used as ground truth for backport detection validation.

Implementation Details

  • Golden Pairs App: src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/GoldenPairsApp.cs -- CLI entry point for the golden pairs toolchain; orchestrates mirror downloads and diff pipeline execution.
  • Package Mirror Service: src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/PackageMirrorService.cs -- downloads pre-patch and post-patch binary packages from distribution repositories (Debian, RPM, Alpine) for known CVE fixes.
  • Diff Pipeline Service: src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/DiffPipelineService.cs -- runs section-hash diffing between pre/post-patch binaries, producing structured diff reports that serve as ground truth for backport detection validation.
  • Section Hash Provider: src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/SectionHashProvider.cs -- computes per-section hashes (e.g., .text, .rodata) for ELF/PE binaries to enable fine-grained diff comparison.
  • Golden Pair Loader: src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/GoldenPairLoader.cs -- loads golden pair metadata from the local store for comparison against new diff results.
  • Golden Pairs Schema Provider: src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Schema/GoldenPairsSchemaProvider.cs -- provides JSON schema definitions for golden pair metadata and diff report validation.
  • Golden Pairs Models: src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Models/ -- data models for golden pair records, diff reports, section hashes, and mirror source definitions.
  • Serialization: src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Serialization/ -- JSON serialization for golden pair data with canonical formatting for deterministic output.

E2E Test Plan

  • Run PackageMirrorService to download a known CVE fix pair (e.g., a Debian openssl patch), and verify both pre-patch and post-patch binaries are downloaded and stored with correct metadata
  • Run DiffPipelineService on a downloaded pair and verify the diff report identifies the changed sections (e.g., .text section modified, .rodata unchanged)
  • Run SectionHashProvider on a known binary and verify section hashes are deterministic across multiple runs
  • Load a golden pair via GoldenPairLoader, re-run the diff pipeline, and verify the new diff report matches the stored golden diff
  • Validate a diff report against the JSON schema from GoldenPairsSchemaProvider and verify it passes schema validation
  • Mirror a package pair, intentionally corrupt the post-patch binary, run the diff pipeline, and verify the diff report flags the corrupted sections as changed and no longer matches the stored golden diff
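The following is an added example, not StellaOps code: the project's services are C#, and this is a stand-alone Python sketch of the same technique that the Implementation Details and the last two test-plan steps describe. It parses ELF64 section headers, hashes each section with SHA-256, classifies a pre/post pair into a golden-style diff report, serializes the report canonically (sorted keys, no whitespace), and compares a fresh report against a stored golden one so a corrupted post-patch download shows up as a deviation. The ELF fixtures, the section contents and the version string are constructed in memory so it runs offline; PE parsing is out of scope here.

```python
"""Section-hash diffing of a pre/post-patch ELF64 pair (added example, not StellaOps code)."""
import hashlib
import json
import struct

SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 0, 1, 3, 8


def parse_elf64_sections(blob: bytes) -> dict[str, bytes]:
    """Return {section name: file bytes} for an ELF64 image (little or big endian)."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2:            # EI_MAG, EI_CLASS == ELFCLASS64
        raise ValueError("not an ELF64 file")
    end = "<" if blob[5] == 1 else ">"                    # EI_DATA: 1 = LSB, 2 = MSB
    (shoff,) = struct.unpack_from(end + "Q", blob, 0x28)  # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", blob, 0x3A)
    headers = []
    for i in range(shnum):
        # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size: first 40 bytes of Elf64_Shdr
        name_off, typ, _flags, _addr, off, size = struct.unpack_from(
            end + "IIQQQQ", blob, shoff + i * shentsize)
        headers.append((name_off, typ, off, size))
    _, _, str_off, str_size = headers[shstrndx]
    strtab = blob[str_off:str_off + str_size]
    sections = {}
    for name_off, typ, off, size in headers:
        if typ == SHT_NULL:
            continue
        name = strtab[name_off:strtab.index(b"\0", name_off)].decode()
        # SHT_NOBITS (.bss) has no file bytes: hash it as empty instead of reading unrelated data
        sections[name] = b"" if typ == SHT_NOBITS else blob[off:off + size]
    return sections


def section_hashes(blob: bytes) -> dict[str, str]:
    """Per-section SHA-256 hex digests, the unit of comparison for the diff."""
    return {n: hashlib.sha256(d).hexdigest() for n, d in parse_elf64_sections(blob).items()}


def diff_report(pre: bytes, post: bytes) -> dict[str, str]:
    """Classify every section of a pre/post pair as unchanged, modified, added or removed."""
    a, b = section_hashes(pre), section_hashes(post)
    report = {}
    for name in sorted(a.keys() | b.keys()):
        if name not in b:
            report[name] = "removed"
        elif name not in a:
            report[name] = "added"
        else:
            report[name] = "modified" if a[name] != b[name] else "unchanged"
    return report


def canonical_json(obj) -> str:
    """Deterministic serialization: sorted keys, no whitespace, so equal reports are byte-identical."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def unexpected_changes(golden: dict[str, str], observed: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Sections whose classification deviates from the stored golden report, as (golden, observed)."""
    return {k: (golden.get(k, "absent"), observed.get(k, "absent"))
            for k in sorted(golden.keys() | observed.keys()) if golden.get(k) != observed.get(k)}


def build_elf64(sections: dict[str, bytes]) -> bytes:
    """Constructed fixture: a minimal little-endian ET_REL ELF64 holding only the given PROGBITS sections."""
    names = list(sections)
    shstrtab = b"\0" + b"".join(n.encode() + b"\0" for n in names) + b".shstrtab\0"
    name_off = {n: 1 + sum(len(m) + 1 for m in names[:i]) for i, n in enumerate(names)}
    body, data_off = bytearray(64), {}                    # 64-byte ELF header is patched in last
    for n in names:
        data_off[n] = len(body)
        body += sections[n]
    shstr_off = len(body)
    body += shstrtab
    body += b"\0" * (-len(body) % 8)
    shoff = len(body)

    def shdr(name, typ, off, size):                       # Elf64_Shdr, 64 bytes
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)

    body += shdr(0, SHT_NULL, 0, 0)
    for n in names:
        body += shdr(name_off[n], SHT_PROGBITS, data_off[n], len(sections[n]))
    body += shdr(len(shstrtab) - len(b".shstrtab\0"), SHT_STRTAB, shstr_off, len(shstrtab))
    shnum = len(names) + 2
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LSB, EV_CURRENT
    body[:64] = ident + struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, shnum, shnum - 1)
    return bytes(body)


# Constructed sample inputs (not real distro packages): one extra instruction in .text, .rodata untouched.
RODATA = b"OpenSSL 1.1.1n  15 Mar 2022\0"
PRE = build_elf64({".text": b"\x55\x48\x89\xe5\x31\xc0\x5d\xc3", ".rodata": RODATA})
POST = build_elf64({".text": b"\x55\x48\x89\xe5\x31\xc0\x90\x5d\xc3", ".rodata": RODATA})
corrupt_rodata = bytearray(RODATA)
corrupt_rodata[8] ^= 0xFF                                 # simulate a corrupted post-patch download
CORRUPT = build_elf64({".text": b"\x55\x48\x89\xe5\x31\xc0\x90\x5d\xc3", ".rodata": bytes(corrupt_rodata)})

if __name__ == "__main__":
    golden = diff_report(PRE, POST)
    print(canonical_json(golden))
    print(canonical_json(unexpected_changes(golden, diff_report(PRE, CORRUPT))))
```

Run directly, it prints the golden report for the pair and then the deviation for the corrupted pair (.rodata moving from unchanged to modified). One caveat on the method itself: section hashes change for any rebuild difference (compiler version, embedded build IDs, timestamps, symbol ordering), not only for the backported fix, so a modified .text by itself does not prove that a particular patch was applied. The value of a golden report is that it records what a known-good pair looks like, so that anything else, including a corrupted or substituted download, is flagged as a deviation.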