stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
7b01c7d6acd233c1fdfac71cad09fd266be6bfc9
git.stella-ops.org/docs/product-advisories/15-Nov-2026 - function-level vex explainability.md
master 7b01c7d6ac
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
feat: Add comprehensive product advisories for improved scanner functionality 
- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations.
- Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency.
- Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results.
- Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages.
- Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange.
- Established a validation plan for quiet scans, focusing on provenance and CI integration.
- Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.
2025-11-17 00:09:26 +02:00

4.3 KiB
Raw Blame History

Heres a tight idea I think youll like: make every VEX “nonaffected” verdict explain itself with provable, symbollevel evidence—not just “package X isnt reachable,” but “function Foo::bar() (the vulnerable sink) is never called in any admissible execution of image Y,” backed by cryptographic provenance.

Why this matters (quickly)

  • Trust: Auditors and customers can verify why you suppressed a CVE.
  • Quiet scanner: Fewer false alarms because decisions cite concrete callpaths (or their absence).
  • Moat: Competitors stop at file/package reachability; you show functionlevel proof tied to intoto attestations.

Core concept (plain)

Blend two things:

  1. Deterministic symbol reachability (per language): build minimal call graphs and mark whether the vulnerable symbol is callable from your apps entrypoints.
  2. intotoanchored provenance: sign the inputs and reasoning (rules, SBOM slice, callgraph hash, evidence artifacts), so the verdict can be independently reverified.

Result: each VEX decision is a verifiable miniproof.

What the evidence looks like (per CVE/component)

  • Symbol set: canonical IDs of vulnerable functions (e.g., pkg@ver#Type::Method(sig)).

  • Callgraph digest: hash of pruned call graph from app entrypoints to those symbols.

  • Evidence:

    • Static: “No path from any entrypoint → {vuln symbols} (k=0).”
    • Optional runtime: sampled traces (EventPipe/JFR/eBPF) show 0 hits to symbols/guards.

  • Context: build inputs (SBOM, lockfiles, compile units), framework models used, versions.

  • Attestation: intoto/DSSE signed bundle with reproducible scan manifest.

Minimal prototype this week (Scanner reachability scorer)

  1. Symbol mappers (MVP)

    • .NET: read PDB + IL to enumerate MethodDef symbols; map NuGet pkg → assembly → methods.
    • JVM: JAR index + method table (from ASM); map Maven coords → classes → methods.

  2. Entrypoint discovery

    • Docker CMD/ENTRYPOINT → process launch → managed main(s) (ASP.NET Program.Main, Spring Boot main).

  3. Shallow callgraph (no fancy pointsto yet):

    • Direct calls + common framework handoffs (ASP.NET routing → controller; Spring @RequestMapping → handler).

  4. Vuln ↔ symbol alignment

    • Heuristics: match GHSA/OSV “affected functions” or patch diff to infer symbol names; fallback to packagescope verdict with a flag “symbolinferred: false”.

  5. Decision object

    • ReachabilityDecision.json with: entrypoints, symbol set, path_count, notes, hashes.

  6. Attest

    • Emit reachability.intoto.jsonl (subject = image digest + SBOM component + symbol digest). Cosign with your test key.

  7. VEX output

    • OpenVEX statement reason: component_not_present or vulnerable_code_not_in_execute_path with justification_url → small HTML report (signed).

Data & schemas to add

  • Scanner.Reachability/

    • SymbolIndex (pkg → assemblies/classes/methods)
    • EntryPoints (per image, normalized)
    • CallGraphPruned (edges + hash)
    • Decision (path_count, evidence, versions)

  • Authority

    • Key management for DSSE; policy to require reachability evidence for “nonaffected”.

Language roadmap (fast win → harder)

  • Week 12: .NET + JVM shallow graphs + ASP.NET/Spring models.
  • Week 34: Node/TS (TS compiler API), Go (SSA), Python (import graph + common web frameworks).
  • Stretch: Rust/Swift (MIR/SIL summaries), native (symbols + coarse edges), Shell (exec chain).

Where to surface it (UX)

  • VEX details panel: “Nonaffected (0 call paths)” → expand → show entrypoints, collapsed edge list, trace hitcounts, and “Verify attestation” button.
  • CLI: stella scan --explain CVE-XYZ --verify-attestation.

Guardrails

  • If symbol mapping is uncertain, do not claim “nonaffected”; downgrade to “under review” with rationale.
  • Cache symbol indexes per package version; keep the callgraph pruned to entrypoint cones for speed.
  • Everything reproducible: the scan manifest (feeds, rule versions, hashes) must recreate the same decision bitforbit.

If you want, I can draft the exact C# namespaces, interfaces, and the OpenVEX + intoto payloads you can drop into Scanner.Reachability and Authority.Attest.