stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
5fc469ad98760bda73590cc6f6c47836a024f956
git.stella-ops.org/src/Policy/__Libraries/StellaOps.Policy/TrustLattice/SecurityAtom.cs
StellaOps Bot 5fc469ad98 feat: Add VEX Status Chip component and integration tests for reachability drift detection 
- Introduced `VexStatusChipComponent` to display VEX status with color coding and tooltips.
- Implemented integration tests for reachability drift detection, covering various scenarios including drift detection, determinism, and error handling.
- Enhanced `ScannerToSignalsReachabilityTests` with a null implementation of `ICallGraphSyncService` for better test isolation.
- Updated project references to include the new Reachability Drift library.
2025-12-20 01:26:42 +02:00

125 lines
4.1 KiB
C#
Raw Blame History

/**
* Security Atoms - Canonical propositions for vulnerability disposition.
* Sprint: SPRINT_3600_0001_0001 (Trust Algebra and Lattice Engine)
* Task: TRUST-002
*
* Defines the orthogonal atomic propositions used to represent security
* knowledge about a Subject (artifact + component + vulnerability).
*
* External VEX formats (CycloneDX, OpenVEX, CSAF) are normalized into
* these canonical atoms for uniform aggregation and decision making.
*/
namespace StellaOps.Policy.TrustLattice;
/// <summary>
/// Canonical security propositions for vulnerability disposition.
/// Each atom is a boolean proposition that can have a K4 truth value.
/// </summary>
/// <remarks>
/// These atoms are intentionally orthogonal; external VEX formats
/// are normalized into combinations of these atoms.
/// </remarks>
public enum SecurityAtom
{
/// <summary>
/// PRESENT: The component instance exists in the artifact/context.
/// False when component is not actually in the artifact despite declaration.
/// </summary>
Present = 1,
/// <summary>
/// APPLIES: The vulnerability applies to this component (version/range/CPE match).
/// False when version is outside affected range.
/// </summary>
Applies = 2,
/// <summary>
/// REACHABLE: The vulnerable code is reachable in the given execution context.
/// False when code paths to vulnerability are not exercised.
/// </summary>
Reachable = 3,
/// <summary>
/// MITIGATED: Controls exist that prevent exploitation.
/// True when compiler protections, runtime guards, WAF rules, etc. are active.
/// </summary>
Mitigated = 4,
/// <summary>
/// FIXED: Remediation has been applied to the artifact.
/// True when patches, upgrades, or other fixes are in place.
/// </summary>
Fixed = 5,
/// <summary>
/// MISATTRIBUTED: The finding is a false association (false positive).
/// True when the vulnerability was incorrectly linked to this component.
/// </summary>
Misattributed = 6,
}
/// <summary>
/// Extension methods for SecurityAtom.
/// </summary>
public static class SecurityAtomExtensions
{
/// <summary>
/// Returns a human-readable display name for the atom.
/// </summary>
public static string ToDisplayName(this SecurityAtom atom) => atom switch
{
SecurityAtom.Present => "Component Present",
SecurityAtom.Applies => "Vulnerability Applies",
SecurityAtom.Reachable => "Code Reachable",
SecurityAtom.Mitigated => "Mitigations Active",
SecurityAtom.Fixed => "Remediation Applied",
SecurityAtom.Misattributed => "False Association",
_ => atom.ToString(),
};
/// <summary>
/// Returns the canonical string representation for serialization.
/// </summary>
public static string ToCanonicalName(this SecurityAtom atom) => atom switch
{
SecurityAtom.Present => "PRESENT",
SecurityAtom.Applies => "APPLIES",
SecurityAtom.Reachable => "REACHABLE",
SecurityAtom.Mitigated => "MITIGATED",
SecurityAtom.Fixed => "FIXED",
SecurityAtom.Misattributed => "MISATTRIBUTED",
_ => atom.ToString().ToUpperInvariant(),
};
/// <summary>
/// Parses a canonical name to SecurityAtom.
/// </summary>
public static SecurityAtom? FromCanonicalName(string name)
{
return name?.ToUpperInvariant() switch
{
"PRESENT" => SecurityAtom.Present,
"APPLIES" => SecurityAtom.Applies,
"REACHABLE" => SecurityAtom.Reachable,
"MITIGATED" => SecurityAtom.Mitigated,
"FIXED" => SecurityAtom.Fixed,
"MISATTRIBUTED" => SecurityAtom.Misattributed,
_ => null,
};
}
/// <summary>
/// Returns all defined security atoms.
/// </summary>
public static IEnumerable<SecurityAtom> All()
{
yield return SecurityAtom.Present;
yield return SecurityAtom.Applies;
yield return SecurityAtom.Reachable;
yield return SecurityAtom.Mitigated;
yield return SecurityAtom.Fixed;
yield return SecurityAtom.Misattributed;
}
}
Reference in New Issue View Git Blame Copy Permalink