git.stella-ops.org/docs/features/unchecked/tools/golden-pairs-validation-infrastructure.md

# Golden Pairs Validation Infrastructure

| Module | Status |
| --- | --- |
| Tools | IMPLEMENTED |

## Description

Data model for golden pair metadata, binary artifacts, and diff reports used to validate binary diff detection against known-good CVE fix pairs.

## Implementation Details

- **Golden Pairs Models**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Models/` -- data models defining golden pair records (CVE ID, package name, distro, pre/post versions), binary artifact metadata (section hashes, file sizes, architectures), and diff report structures (changed sections, confidence scores).
- **Golden Pairs Schema Provider**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Schema/GoldenPairsSchemaProvider.cs` -- provides JSON schema definitions for validating golden pair metadata files, diff reports, and mirror source configurations.
- **Golden Pair Loader**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/GoldenPairLoader.cs` -- loads and validates golden pair records from the local file store, resolving binary artifact paths and associated diff reports.
- **Serialization**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Serialization/` -- canonical JSON serialization for golden pair data, ensuring deterministic output for hash comparison and attestation purposes.
- **Section Hash Provider**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/SectionHashProvider.cs` -- computes deterministic per-section hashes for binary artifacts, enabling reproducible diff comparisons across environments.

## E2E Test Plan

- Load a golden pair record via `GoldenPairLoader` and verify all required fields (CVE ID, package name, pre/post versions, distro) are populated and valid.
- Validate a golden pair metadata file against the schema from `GoldenPairsSchemaProvider` and verify it passes; then corrupt a required field and verify validation fails.
- Serialize a golden pair record via the canonical serializer, deserialize it back, and verify round-trip fidelity (all fields match, no data loss).
- Compute section hashes for a binary artifact using `SectionHashProvider` on two separate runs and verify the hashes are identical (determinism check).
- Load a diff report for a known CVE fix pair and verify it correctly identifies which binary sections changed between pre-patch and post-patch versions.
- Verify the schema provider covers all model types: golden pair records, diff reports, and mirror source configurations.
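The following is an added, language-neutral illustration of the pieces described under Implementation Details and the checks listed in the E2E Test Plan; it is not StellaOps code (the project itself is C#). It models a golden pair record, a canonical JSON serializer (sorted keys, compact separators), a per-section hash provider, and a diff report, then runs the required-field check, the corrupt-field check, the round trip, the determinism check and the changed-section check. The field names, the `(offset, size)` section layout standing in for a real ELF section table, the artifact bytes and the CVE ID are all constructed placeholders.

```python
"""Golden pair validation walkthrough (added example, not StellaOps code).

Models a golden pair record, canonical JSON serialization, per-section
hashing and a diff report, then exercises the checks from the E2E plan.
All artifact bytes, section layouts and identifiers below are constructed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field

# Required fields a golden pair record must carry (the doc lists CVE ID,
# package name, distro, pre/post versions). The exact field names are assumed.
REQUIRED_FIELDS = ("cve_id", "package", "distro", "pre_version", "post_version")


@dataclass
class GoldenPair:
    cve_id: str
    package: str
    distro: str
    pre_version: str
    post_version: str
    # Per-section hashes of the pre-fix and post-fix binaries (filled in below).
    pre_sections: dict = field(default_factory=dict)
    post_sections: dict = field(default_factory=dict)


def validate_record(record: dict) -> list:
    """Schema-lite check: return the required fields that are missing or empty."""
    return [f for f in REQUIRED_FIELDS
            if not isinstance(record.get(f), str) or not record[f]]


def check_record(pair: GoldenPair) -> list:
    """Run the required-field check against a record object."""
    return validate_record(asdict(pair))


def canonical_json(obj) -> str:
    """Deterministic JSON: sorted keys, no whitespace, ASCII-only escapes.
    The same input always yields the same bytes, so its hash is stable."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True)


def section_hashes(blob: bytes, layout: dict) -> dict:
    """Hash each named section independently. `layout` maps a section name to
    (offset, size) within `blob`; a simplified stand-in for an ELF section table."""
    hashes = {}
    for name, (off, size) in layout.items():
        if off + size > len(blob):
            raise ValueError(f"section {name} runs past the end of the artifact")
        hashes[name] = hashlib.sha256(blob[off:off + size]).hexdigest()
    return hashes


def diff_sections(pre: dict, post: dict) -> dict:
    """Diff report: which sections changed, were added, or were removed."""
    return {
        "changed": sorted(n for n in pre if n in post and pre[n] != post[n]),
        "added": sorted(set(post) - set(pre)),
        "removed": sorted(set(pre) - set(post)),
    }


# Constructed sample artifacts: identical layout, only .text differs by one byte.
LAYOUT = {".text": (0, 16), ".rodata": (16, 8), ".data": (24, 8)}
PRE_BLOB = b"\x90" * 15 + b"\xc3" + b"Hello!\x00\x00" + b"\x01" * 8
POST_BLOB = b"\x90" * 14 + b"\x48\xc3" + b"Hello!\x00\x00" + b"\x01" * 8


def build_pair() -> GoldenPair:
    # CVE ID and package/distro names are placeholders, not a real advisory.
    pair = GoldenPair("CVE-0000-0000", "example-pkg", "example-distro", "1.0-1", "1.0-2")
    pair.pre_sections = section_hashes(PRE_BLOB, LAYOUT)
    pair.post_sections = section_hashes(POST_BLOB, LAYOUT)
    return pair


def round_trip(pair: GoldenPair) -> bool:
    """Serialize, deserialize, and compare, as the E2E plan asks."""
    text = canonical_json(asdict(pair))
    restored = GoldenPair(**json.loads(text))
    return restored == pair and canonical_json(asdict(restored)) == text


def is_deterministic(blob: bytes, layout: dict) -> bool:
    """Two independent hashing runs over the same artifact must agree."""
    return section_hashes(blob, layout) == section_hashes(blob, layout)


if __name__ == "__main__":
    pair = build_pair()
    print("missing fields:", check_record(pair))
    print("round trip ok:", round_trip(pair))
    print("deterministic:", is_deterministic(PRE_BLOB, LAYOUT))
    print("diff report:", diff_sections(pair.pre_sections, pair.post_sections))
```

The diff report for the constructed pair names only `.text` as changed, because `.rodata` and `.data` hash identically in both artifacts; hashing sections separately rather than the whole file is what lets a report say where a fix landed instead of only that the binary differs.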