Proof Bundle API for Exploit Paths
Module: Scanner
Status: VERIFIED
Description
REST API (GET /triage/paths/{pathId}/proof) returning complete proof bundles aggregating reachability subgraph (nodes + edges), symbol map with source locations, VEX claims with trust scores, and computed bundle digest for integrity. Export endpoint for JSON file download.
Implementation Details
- Proof Bundle Storage:
  - src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresProofBundleRepository.cs - PostgresProofBundleRepository stores and retrieves proof bundles for exploit paths
  - src/Scanner/__Libraries/StellaOps.Scanner.Storage/Entities/ProofBundleRow.cs - ProofBundleRow database entity for proof bundle persistence
- Proof Bundle Writer:
  - src/Scanner/__Libraries/StellaOps.Scanner.Core/ProofBundleWriter.cs - ProofBundleWriter assembles proof bundles aggregating the reachability subgraph, symbol map and VEX claims, and computes the bundle digest
- Scan Manifest:
  - src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/IScanManifestRepository.cs - Repository for scan manifest data linked to proof bundles
- OCI Publishing:
  - src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/VerdictOciPublisher.cs - Publishes proof bundles to OCI registries as attestation artifacts
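The bundle digest is what lets a consumer check an exported JSON bundle offline. The Python below is an added illustration, not code from the StellaOps scanner: it seals a constructed bundle shaped like the description (reachability subgraph, symbol map, VEX claims with trust scores) and verifies the digest, showing that a post-seal edit to a trust score fails and that key order does not matter. The canonicalization rule (digest field excluded, sorted keys, compact separators, SHA-256) and every field name are assumptions, since the page does not state the project's actual scheme.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample with assumed field names (not the scanner's real schema),
# shaped like the description: reachability subgraph, symbol map, VEX claims.
SAMPLE_BUNDLE = {
    "pathId": "path-0001",
    "reachability": {
        "nodes": [{"id": "n1", "symbol": "main"}, {"id": "n2", "symbol": "parse_input"}],
        "edges": [{"from": "n1", "to": "n2"}],
    },
    "symbolMap": {"parse_input": {"file": "src/parser.c", "line": 42}},
    "vexClaims": [{"vulnId": "EXAMPLE-0001", "status": "affected", "trustScore": 0.8}],
}

def canonical_bytes(bundle: dict) -> bytes:
    """Assumed canonicalization: digest field dropped, keys sorted, no whitespace, UTF-8."""
    body = {k: v for k, v in bundle.items() if k != "bundleDigest"}
    return json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")

def compute_digest(bundle: dict) -> str:
    """SHA-256 over the canonical bytes, prefixed with the algorithm name."""
    return "sha256:" + hashlib.sha256(canonical_bytes(bundle)).hexdigest()

def seal(bundle: dict) -> dict:
    """Return a deep copy carrying the digest computed over its own content."""
    sealed = copy.deepcopy(bundle)
    sealed["bundleDigest"] = compute_digest(bundle)
    return sealed

def verify(bundle: dict) -> bool:
    """Recompute and compare in constant time; a missing or non-string digest fails closed."""
    claimed = bundle.get("bundleDigest")
    if not isinstance(claimed, str):
        return False
    return hmac.compare_digest(claimed, compute_digest(bundle))

def tamper_trust_score(bundle: dict, score: float) -> dict:
    """Copy with one VEX trust score altered after sealing; its digest must no longer verify."""
    edited = copy.deepcopy(bundle)
    edited["vexClaims"][0]["trustScore"] = score
    return edited

def reordered_copy(bundle: dict) -> dict:
    """Same content with top-level keys reversed; canonicalization keeps the digest valid."""
    return {k: bundle[k] for k in reversed(list(bundle))}
```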
E2E Test Plan
- Generate a proof bundle for an exploit path and retrieve it via the API, verifying it contains the reachability subgraph with nodes and edges
- Verify the proof bundle includes the symbol map with source file locations
- Verify the proof bundle includes VEX claims with trust scores for each finding
- Verify the computed bundle digest provides integrity verification
- Export the proof bundle as a JSON file and verify the download contains the complete bundle
- Verify proof bundles are publishable to OCI registries as attestation artifacts
Verification
| Check | Result |
|---|---|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |