stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
7f865d7bc7f38a5ba17f2557580d8db9c8893bd7
git.stella-ops.org/docs/features/unchecked/attestor/binarydiff-binary-sca-attestation.md

2.4 KiB
Raw Blame History

BinaryDiff/Binary SCA Attestation

Module

Attestor

Status

IMPLEMENTED

Description

Binary diff predicate builder with DSSE signing/verification, section-level diff models, schema validation, and integration with evidence bundle exporter.

Implementation Details

  • Predicate Builder: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffPredicateBuilder.cs (with .Build) -- constructs binary diff predicates from BinaryDiffFinding entries.
  • DSSE Signing/Verification: BinaryDiffDsseSigner.cs signs predicates. BinaryDiffDsseVerifier.cs (with .Helpers) verifies signed envelopes.
  • Serialization: BinaryDiffPredicateSerializer.cs (with .Normalize) -- deterministic normalization and serialization.
  • Schema Validation: BinaryDiffSchema.cs (with .SchemaJson) -- embedded JSON schema. BinaryDiffSchemaValidationResult.cs -- validation output.
  • Section Models: BinaryDiffSectionModels.cs -- ELF/PE section-level diff models. BinaryDiffModels.cs -- core models.
  • Evidence Bundle Integration: Evidence packs (src/Attestor/__Libraries/StellaOps.Attestor.EvidencePack/) include binary diff attestations in export bundles. ReleaseEvidencePackBuilder.cs aggregates binary SCA evidence.
  • DI: ServiceCollectionExtensions.cs -- registers builder, serializer, signer, verifier.
  • Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiff/ -- BinaryDiffPredicateBuilderTests.cs, BinaryDiffPredicateSerializerTests.cs, BinaryDiffDsseSignerTests.cs, BinaryDiffSchemaValidationTests.cs, BinaryDiffTestData.cs

E2E Test Plan

  • Build a predicate from BinaryDiffFinding entries representing patched and unpatched sections, sign it, and verify the DSSE envelope
  • Validate the predicate against BinaryDiffSchema and verify it passes
  • Include the signed binary diff attestation in a ReleaseEvidencePackBuilder export and verify it appears in the evidence pack manifest
  • Serialize the predicate, modify a finding, re-serialize, and verify the normalized output differs
  • Create findings with ELF section changes (.text, .plt, .got) and verify BinaryDiffSectionModels captures each section
  • Verify DI registration via ServiceCollectionExtensions resolves all binary diff services correctly
  • Tamper with the DSSE envelope and verify BinaryDiffDsseVerifier rejects it