Evidence
Status: Design/Planning
Source: N/A (cross-cutting concept)
Owner: Platform Team
Purpose
Evidence defines the unified evidence model for vulnerability findings across StellaOps. It provides the canonical data structures for evidence capture, aggregation, and scoring used by the Signals, Policy Engine, and EvidenceLocker modules.
Components
Concept Documentation:
- unified-model.md - Unified evidence data model specification
Evidence Types:
- Reachability evidence (call graph, data flow)
- Runtime evidence (eBPF traces, dynamic observations)
- Binary evidence (backport detection, fix validation)
- Exploit evidence (EPSS scores, KEV flags, exploit-db entries)
- VEX evidence (source trust, statement provenance)
- Mitigation evidence (active mitigations, compensating controls)
Implementation Locations
Evidence structures are implemented across multiple modules:
- Signals - Evidence aggregation and normalization
- Policy Engine - Reachability analysis and evidence generation
- EvidenceLocker - Evidence storage and sealing
- Scanner - Binary and vulnerability evidence capture
- Concelier - Backport and exploit evidence enrichment
Dependencies
- All evidence-producing modules (Scanner, Policy, Concelier, etc.)
- Signals (evidence aggregation)
- EvidenceLocker (evidence storage)
Related Documentation
- Unified Model: ./unified-model.md
- Signals: ../signals/
- Policy: ../policy/
- EvidenceLocker: ../evidence-locker/
- Data Schemas: ../../11_DATA_SCHEMAS.md
Current Status
The evidence model is documented in unified-model.md. Implementation is distributed across the Signals (aggregation), Policy (reachability), EvidenceLocker (storage), and Scanner (capture) modules.