# DSSE-signed reversible decisions (MUTE_REACH, MUTE_VEX, ACK, EXCEPTION)

## Module

Policy

## Status

IMPLEMENTED

## Description

The VEX decision signing service wraps each decision (MUTE_REACH, MUTE_VEX, ACK, EXCEPTION) in a DSSE envelope; exception objects model scoped, time-boxed exceptions with evidence requirements, so a decision can be verified later and reversed with an audit trail.

## Implementation Details

- **VerdictAttestationService**: `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs` -- signs verdict decisions with DSSE envelopes
  - `IVerdictAttestationService` interface
  - `VerdictPredicate.cs` -- verdict predicate for the attestation payload
  - `VerdictPredicateBuilder.cs` -- fluent builder for verdict predicates
  - `VerdictReasonCode.cs` -- reason codes for verdict decisions
- **PolicyDecisionAttestationService**: `src/Policy/StellaOps.Policy.Engine/Attestation/PolicyDecisionAttestationService.cs` -- signs policy decisions
  - `IPolicyDecisionAttestationService` interface
  - `PolicyDecisionPredicate.cs` -- decision predicate payload
  - `PolicyDecisionAttestationOptions.cs` -- signing options
- **Exception Objects**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionObject.cs` -- scoped, time-boxed exception model
  - Scope: CVE-level, package-level, or finding-level
  - Time-boxing: `ExpiresAt`, with auto-expire enforcement
  - Evidence requirements: required evidence types per exception
  - Status: Active, Expired, Revoked
- **Exception Application**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionApplication.cs` -- tracks when exceptions are applied to findings
- **Exception Events**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionEvent.cs` -- audit trail of exception lifecycle events (create, apply, expire, revoke)
- **Evidence Hooks**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/EvidenceHook.cs` -- hooks for evidence validation on exception approval
- **RecheckPolicy**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/RecheckPolicy.cs` -- recheck policy for exception revalidation
- **Exception Evaluator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/ExceptionEvaluator.cs` -- evaluates exception applicability
- **Evidence Requirement Validator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs` -- validates that evidence requirements are met
- **Recheck Evaluation Service**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/RecheckEvaluationService.cs` -- periodic recheck of exception validity
- **ExceptionRecheckGate**: `src/Policy/StellaOps.Policy.Engine/BuildGate/ExceptionRecheckGate.cs` -- build gate that rechecks exception validity
- **RVA Service**: `src/Policy/StellaOps.Policy.Engine/Attestation/RvaService.cs` -- Risk Verdict Attestation (RVA) service
  - `RvaBuilder.cs` -- builds RVA attestations
  - `RvaVerifier.cs` -- verifies RVA attestation integrity
  - `RvaPredicate.cs` -- RVA predicate model

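The attestation services above sign a verdict predicate inside a DSSE envelope. The following is an added example in Go, not the project's C# code, showing what that means mechanically: the in-toto statement is serialised, DSSE's pre-authentication encoding (PAE) binds the payload type to the bytes, and the signature is computed over the PAE rather than the raw payload. The verifier side shows the checks a consumer of these envelopes must make: expected payload type, trusted key looked up by `keyid` (never trusted because the envelope names it), and rejection of any tampered payload. The predicate field names, the `https://example.invalid/...` predicate type, and Ed25519 as the signing algorithm are assumptions for illustration; the page does not state which algorithm or predicate URI the project uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// PayloadType is the in-toto Statement media type the verifier expects.
const PayloadType = "application/vnd.in-toto+json"

// VerdictPredicate holds the fields the test plan expects in a signed verdict (JSON names assumed).
type VerdictPredicate struct {
	FindingID  string `json:"findingId"`
	CVE        string `json:"cve"`
	Decision   string `json:"decision"` // MUTE_REACH, MUTE_VEX, ACK or EXCEPTION
	ReasonCode string `json:"reasonCode"`
	Timestamp  string `json:"timestamp"`
}

// Statement is a minimal in-toto v1 Statement around the predicate.
type Statement struct {
	Type          string           `json:"_type"`
	PredicateType string           `json:"predicateType"`
	Subject       []Subject        `json:"subject"`
	Predicate     VerdictPredicate `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope is the DSSE wire format: payload and sig are base64, keyid is only a hint.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// PAE is DSSE's pre-authentication encoding: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body.
// Signing the PAE, not the raw payload, binds the payload type to the signature.
func PAE(payloadType string, body []byte) []byte {
	head := fmt.Sprintf("DSSEv1 %d %s %d ", len(payloadType), payloadType, len(body))
	return append([]byte(head), body...)
}

// Sign serialises the statement into a single-signature envelope.
func Sign(st Statement, keyID string, priv ed25519.PrivateKey) (Envelope, error) {
	body, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, PAE(PayloadType, body))
	return Envelope{PayloadType, base64.StdEncoding.EncodeToString(body),
		[]Signature{{keyID, base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// Verify accepts the envelope only if some signature validates under a trusted key;
// unknown keyids are skipped, never trusted, and the payload type must match.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey) (Statement, error) {
	var st Statement
	if env.PayloadType != PayloadType {
		return st, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return st, err
	}
	pae := PAE(env.PayloadType, body)
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID]
		sig, derr := base64.StdEncoding.DecodeString(s.Sig)
		if !ok || derr != nil || !ed25519.Verify(pub, pae, sig) {
			continue
		}
		if err := json.Unmarshal(body, &st); err != nil {
			return Statement{}, err
		}
		return st, nil
	}
	return st, fmt.Errorf("no valid signature from a trusted key")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	st := Statement{"https://in-toto.io/Statement/v1", "https://example.invalid/verdict/v1", // URI assumed
		[]Subject{{"registry.example/app", map[string]string{"sha256": "ab12"}}},
		VerdictPredicate{"F-1", "CVE-2024-0001", "MUTE_VEX", "VEX_NOT_AFFECTED", "2024-01-01T00:00:00Z"}}
	env, _ := Sign(st, "k1", priv)
	_, err := Verify(env, map[string]ed25519.PublicKey{"k1": pub})
	fmt.Println("verified:", err == nil)
}
```

The point of the PAE is easy to miss: a signature over the raw JSON would let an attacker present the same signed bytes under a different `payloadType` and have a verifier parse them as something else. Because `Verify` also refuses envelopes whose `keyid` is not in its trust map, a signer cannot smuggle in a key of its own choosing by naming it in the envelope.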
## E2E Test Plan

- [ ] Create an exception with `ExpiresAt` in the future; verify the exception is Active
- [ ] Apply the exception to a finding; verify a DSSE-signed decision envelope is produced
- [ ] Verify the exception application is recorded in the ExceptionEvent audit trail
- [ ] Wait for exception expiry; verify ExceptionRecheckGate detects the expiration and re-evaluates the finding
- [ ] Create an exception with evidence requirements; verify EvidenceRequirementValidator blocks approval when evidence is missing
- [ ] Verify the signed verdict predicate contains: finding ID, CVE, decision, reason code, timestamp
- [ ] Verify PolicyDecisionAttestationService signs decisions with the correct predicate payload
- [ ] Revoke an active exception; verify the finding is re-evaluated without the exception
- [ ] Run RecheckEvaluationService; verify exceptions past the recheck policy interval are revalidated
- [ ] Verify RvaService builds and verifies a Risk Verdict Attestation with scoring determinism
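The exception items in the plan above (active, expired, revoked, missing evidence, recheck interval) describe one lifecycle. The following is an added example in Go, not the project's `ExceptionEvaluator` or `RecheckEvaluationService`, that implements that lifecycle end to end so the expected behaviour of each check is concrete: scope matching at the three levels the page lists, `ExpiresAt` enforced at application time as well as on recheck, required evidence checked before an exception is allowed to suppress anything, revocation, and the recheck-interval test. The struct fields other than `Status` and `ExpiresAt`, the denial reason strings, and the purl-style package identifier are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

type ExceptionStatus string

const (
	StatusActive  ExceptionStatus = "Active"
	StatusExpired ExceptionStatus = "Expired"
	StatusRevoked ExceptionStatus = "Revoked"
)

// Scope holds exactly one of the three scope levels the page lists.
type Scope struct {
	CVE     string // CVE-level: every finding for this CVE
	Package string // package-level: every finding in this package (purl assumed)
	Finding string // finding-level: one finding ID
}

type Finding struct {
	ID, CVE, Package string
}

// Exception is a simplified stand-in for ExceptionObject; fields other than
// Status and ExpiresAt are assumptions.
type Exception struct {
	ID               string
	Scope            Scope
	Status           ExceptionStatus
	ExpiresAt        time.Time
	RequiredEvidence []string        // evidence types that must be attached
	Evidence         map[string]bool // evidence types actually attached
	RecheckInterval  time.Duration
	LastRechecked    time.Time
}

// Event is one audit-trail entry (create, apply, expire, revoke).
type Event struct {
	ExceptionID string
	Kind        string
	Detail      string
	At          time.Time
}

// MissingEvidence lists required evidence types with nothing attached.
func (e *Exception) MissingEvidence() []string {
	var missing []string
	for _, kind := range e.RequiredEvidence {
		if !e.Evidence[kind] {
			missing = append(missing, kind)
		}
	}
	return missing
}

// Matches reports whether the exception's scope covers the finding.
func (e *Exception) Matches(f Finding) bool {
	switch {
	case e.Scope.Finding != "":
		return e.Scope.Finding == f.ID
	case e.Scope.Package != "":
		return e.Scope.Package == f.Package
	case e.Scope.CVE != "":
		return e.Scope.CVE == f.CVE
	}
	return false
}

// expireIfDue flips an Active exception to Expired once ExpiresAt has passed.
func expireIfDue(e *Exception, now time.Time, log *[]Event) bool {
	if e.Status == StatusActive && !now.Before(e.ExpiresAt) {
		e.Status = StatusExpired
		*log = append(*log, Event{e.ID, "expire", "ExpiresAt reached", now})
	}
	return e.Status == StatusExpired
}

// Apply decides whether e suppresses f at time now; denials return the reason.
// Expiry and evidence are enforced here, not only at approval, so a finding
// cannot stay muted by a stale or unevidenced exception.
func Apply(e *Exception, f Finding, now time.Time, log *[]Event) (bool, string) {
	if expireIfDue(e, now, log) || e.Status != StatusActive {
		return false, "exception is " + string(e.Status)
	}
	if !e.Matches(f) {
		return false, "scope does not cover finding " + f.ID
	}
	if missing := e.MissingEvidence(); len(missing) > 0 {
		return false, fmt.Sprintf("missing evidence %v", missing)
	}
	*log = append(*log, Event{e.ID, "apply", "finding " + f.ID + " suppressed", now})
	return true, ""
}

// Revoke ends an exception; later Apply calls are denied.
func Revoke(e *Exception, now time.Time, reason string, log *[]Event) {
	e.Status = StatusRevoked
	*log = append(*log, Event{e.ID, "revoke", reason, now})
}

// Recheck is the periodic revalidation: re-run the expiry check, record the time.
func Recheck(e *Exception, now time.Time, log *[]Event) {
	e.LastRechecked = now
	expireIfDue(e, now, log)
}

// NeedsRecheck reports whether the recheck interval has elapsed.
func NeedsRecheck(e *Exception, now time.Time) bool {
	return e.Status == StatusActive && now.Sub(e.LastRechecked) >= e.RecheckInterval
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	e := &Exception{ID: "EXC-1", Scope: Scope{CVE: "CVE-2024-0001"}, Status: StatusActive,
		ExpiresAt: now.Add(24 * time.Hour), RequiredEvidence: []string{"vex-statement"},
		Evidence: map[string]bool{"vex-statement": true}}
	var log []Event
	ok, why := Apply(e, Finding{"F-1", "CVE-2024-0001", "pkg:npm/left-pad@1.0.0"}, now, &log)
	fmt.Println(ok, why, len(log))
}
```

Two design choices matter for the gate semantics. `Apply` takes `now` as a parameter rather than reading the clock, so the expiry boundary is testable and the build gate can evaluate against the pipeline's timestamp. And the expiry check runs inside `Apply` as well as in `Recheck`: a finding evaluated between two scheduled rechecks is still denied suppression once `ExpiresAt` has passed, rather than waiting for the next recheck to flip the status.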