git.stella-ops.org/docs/features/checked/evidencelocker/vex-evidence-auto-linking-service.md
2026-02-14 09:11:48 +02:00

# VEX Evidence Auto-Linking Service (IVexEvidenceLinker)
## Module
EvidenceLocker
## Status
IMPLEMENTED
## Description
Service that auto-links VEX assertions to the binary-diff evidence that supports them: it matches patched findings to VEX entries, stores the evidence URI for each link together with a confidence score for the match quality, and validates the DSSE signature on the evidence before any link is accepted.
## Implementation Details
- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/`
- **Key Classes**:
  - `EvidenceBundleRepository` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Repositories/EvidenceBundleRepository.cs`) - retrieves evidence bundles for VEX linking
  - `EvidenceSignatureService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/EvidenceSignatureService.cs`) - validates DSSE signatures before accepting evidence links
  - `EvidenceIdentifiers` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceIdentifiers.cs`) - content-addressed identifiers for evidence linking
  - `EvidenceBundleMetadata` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceBundleMetadata.cs`) - metadata including VEX link references
- **Interfaces**: `IEvidenceBundleRepository`, `IEvidenceSignatureService`
- **Source**: SPRINT_20260113_003_001_EXCITITOR_vex_evidence_linker.md
## E2E Test Plan
- [ ] Create a VEX assertion for a patched CVE and verify the service auto-links it to the corresponding binary-diff evidence
- [ ] Verify evidence URIs are stored with confidence scores reflecting the match quality
- [ ] Verify `EvidenceSignatureService` validates DSSE signatures on evidence before accepting the link
- [ ] Verify VEX entries without matching binary-diff evidence are not linked (no false positives)
- [ ] Verify linked evidence is queryable by VEX assertion ID and by CVE identifier
- [ ] Verify links are immutable: once created, evidence links cannot be modified without creating a new version
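The flow in the description and the cases in the checklist above, as an added example that is not StellaOps code (the service itself is C#; this is a language-neutral sketch in Python). It verifies the DSSE envelope first (DSSE v1 pre-authentication encoding, a signature only counts under a trusted key id), then scores the match between a binary-diff record and a VEX statement, refuses weak matches, and stores links append-only so a re-link is a new version rather than an edit. The record shapes, the `evidence://sha256:` URI scheme, the scoring weights and threshold, the placeholder CVE ids, and the HMAC-SHA256 stand-in for a real asymmetric DSSE signature are all assumptions made for this example.

```python
"""Added example, not StellaOps code: a self-contained model of the flow this page
describes: verify the DSSE envelope around a binary-diff evidence bundle, score how
well it supports a VEX statement, store an append-only link. Record shapes, the
evidence:// URI scheme, weights, and the HMAC stand-in for a real signature are assumed."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 Pre-Authentication Encoding: the bytes that are actually signed."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)

def dsse_sign(payload_type: str, payload: bytes, keyid: str, key: bytes) -> dict:
    """Build an envelope; HMAC-SHA256 stands in for the real signature algorithm."""
    sig = hmac.new(key, dsse_pae(payload_type, payload), hashlib.sha256).digest()
    return {"payloadType": payload_type,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def dsse_verify(envelope: dict, trusted_keys: dict):
    """Return the payload if a signature verifies under a trusted keyid, else None."""
    payload = base64.b64decode(envelope["payload"])
    pae = dsse_pae(envelope["payloadType"], payload)
    for s in envelope.get("signatures", []):
        key = trusted_keys.get(s.get("keyid"))
        if key is None:
            continue                     # unknown keyid: the producer cannot pick the key
        expected = hmac.new(key, pae, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            return payload
    return None

def evidence_uri(payload: bytes) -> str:
    """Content-addressed evidence identifier (URI scheme assumed for the example)."""
    return "evidence://sha256:" + hashlib.sha256(payload).hexdigest()

def purl_name(purl: str) -> str:
    return purl.split("?", 1)[0].split("@", 1)[0]   # same package, any version

def match_confidence(vex: dict, evidence: dict) -> float:
    """Score how well one binary-diff record supports one VEX statement (weights assumed)."""
    if vex["vulnerability"] != evidence["cve"]:
        return 0.0                       # different CVE: never a candidate
    score = 0.0
    if vex["product"] == evidence["product"]:
        score += 0.6                     # exact purl, version included
    elif purl_name(vex["product"]) == purl_name(evidence["product"]):
        score += 0.3                     # same package, different version
    if vex["status"] == "fixed" and evidence.get("patched_symbols"):
        score += 0.3                     # the diff shows the patch actually landed
    return round(min(score, 1.0), 2)

@dataclass
class LinkStore:
    """Append-only link store: re-linking yields a new version, never an in-place edit."""
    threshold: float = 0.7
    links: list = field(default_factory=list)

    def auto_link(self, vex: dict, envelope: dict, trusted_keys: dict):
        payload = dsse_verify(envelope, trusted_keys)
        if payload is None:
            return None                  # signature check first: never link unverified evidence
        confidence = match_confidence(vex, json.loads(payload))
        if confidence < self.threshold:
            return None                  # weak match: leave the VEX entry unlinked
        uri = evidence_uri(payload)
        version = 1 + sum(l["vex_id"] == vex["id"] and l["evidence_uri"] == uri for l in self.links)
        link = {"vex_id": vex["id"], "cve": vex["vulnerability"], "evidence_uri": uri,
                "confidence": confidence, "version": version}
        self.links.append(link)
        return link

    def query(self, vex_id: str = None, cve: str = None) -> list:
        return [l for l in self.links
                if (vex_id is None or l["vex_id"] == vex_id) and (cve is None or l["cve"] == cve)]

# Constructed sample data; the CVE id is a placeholder, not a real advisory.
TRUSTED_KEYS = {"evidence-signer-1": b"constructed-demo-key"}
PTYPE = "application/vnd.example.binary-diff+json"
EVIDENCE = {"cve": "CVE-2099-0001", "product": "pkg:deb/debian/openssl@3.0.13-1",
            "patched_symbols": ["ssl_read_internal"]}
VEX_FIXED = {"id": "vex-1", "vulnerability": "CVE-2099-0001",
             "product": "pkg:deb/debian/openssl@3.0.13-1", "status": "fixed"}
VEX_OLD_VERSION = dict(VEX_FIXED, id="vex-2", product="pkg:deb/debian/openssl@3.0.12-1")

def demo() -> dict:
    """Exercise the checklist cases: good link, forged signature, weak match, re-link."""
    body = json.dumps(EVIDENCE).encode()
    good = dsse_sign(PTYPE, body, "evidence-signer-1", TRUSTED_KEYS["evidence-signer-1"])
    forged = dsse_sign(PTYPE, body, "evidence-signer-1", b"attacker-key")
    store = LinkStore()
    return {"linked": store.auto_link(VEX_FIXED, good, TRUSTED_KEYS),
            "forged": store.auto_link(VEX_FIXED, forged, TRUSTED_KEYS),
            "old_version": store.auto_link(VEX_OLD_VERSION, good, TRUSTED_KEYS),
            "relinked": store.auto_link(VEX_FIXED, good, TRUSTED_KEYS),
            "envelope": good, "store": store}
```

Two design points carry over to any real implementation: the signature gate runs before matching, so unverified evidence never even reaches the scorer, and a VEX entry for the same package at a different version scores below the threshold and stays unlinked rather than being matched on package name alone.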