{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://stellaops.dev/schemas/stellaops.suppression.v1.schema.json",
"title": "StellaOps Suppression Witness v1",
"description": "A DSSE-signable suppression witness documenting why a vulnerability is not exploitable",
"type": "object",
"required": [
"witness_schema",
"witness_id",
"artifact",
"vuln",
"suppression_type",
"evidence",
"confidence",
"observed_at"
],
"properties": {
"witness_schema": {
"type": "string",
"const": "stellaops.suppression.v1",
"description": "Schema version identifier"
},
"witness_id": {
"type": "string",
"pattern": "^sup:sha256:[a-f0-9]{64}$",
"description": "Content-addressed witness ID (e.g., 'sup:sha256:...')"
},
"artifact": {
"$ref": "#/definitions/WitnessArtifact",
"description": "The artifact (SBOM digest and component PURL) this witness relates to"
},
"vuln": {
"$ref": "#/definitions/WitnessVuln",
"description": "The vulnerability this witness concerns"
},
"suppression_type": {
"type": "string",
"enum": [
"Unreachable",
"LinkerGarbageCollected",
"FeatureFlagDisabled",
"PatchedSymbol",
"GateBlocked",
"CompileTimeExcluded",
"VexNotAffected",
"FunctionAbsent",
"VersionNotAffected",
"PlatformNotAffected"
],
"description": "The type of suppression (unreachable, patched, gate-blocked, etc.)"
},
"evidence": {
"$ref": "#/definitions/SuppressionEvidence",
"description": "Evidence supporting the suppression claim"
},
"confidence": {
"type": "number",
"minimum": 0.0,
"maximum": 1.0,
"description": "Confidence level in this suppression [0.0, 1.0]"
},
"expires_at": {
"type": "string",
"format": "date-time",
"description": "Optional expiry timestamp for time-bounded suppressions (UTC ISO-8601)"
},
"observed_at": {
"type": "string",
"format": "date-time",
"description": "When this witness was generated (UTC ISO-8601)"
},
"justification": {
"type": "string",
"description": "Optional justification narrative"
}
},
"additionalProperties": false,
"definitions": {
"WitnessArtifact": {
"type": "object",
"required": ["sbom_digest", "component_purl"],
"properties": {
"sbom_digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "SHA-256 digest of the SBOM"
},
"component_purl": {
"type": "string",
"pattern": "^pkg:",
"description": "Package URL of the vulnerable component"
}
},
"additionalProperties": false
},
"WitnessVuln": {
"type": "object",
"required": ["id", "source", "affected_range"],
"properties": {
"id": {
"type": "string",
"description": "Vulnerability identifier (e.g., 'CVE-2024-12345')"
},
"source": {
"type": "string",
"description": "Vulnerability source (e.g., 'NVD', 'OSV', 'GHSA')"
},
"affected_range": {
"type": "string",
"description": "Affected version range expression"
}
},
"additionalProperties": false
},
"SuppressionEvidence": {
"type": "object",
"required": ["witness_evidence"],
"properties": {
"witness_evidence": {
"$ref": "#/definitions/WitnessEvidence"
},
"unreachability": {
"$ref": "#/definitions/UnreachabilityEvidence"
},
"patched_symbol": {
"$ref": "#/definitions/PatchedSymbolEvidence"
},
"function_absent": {
"$ref": "#/definitions/FunctionAbsentEvidence"
},
"gate_blocked": {
"$ref": "#/definitions/GateBlockedEvidence"
},
"feature_flag": {
"$ref": "#/definitions/FeatureFlagEvidence"
},
"vex_statement": {
"$ref": "#/definitions/VexStatementEvidence"
},
"version_range": {
"$ref": "#/definitions/VersionRangeEvidence"
},
"linker_gc": {
"$ref": "#/definitions/LinkerGcEvidence"
}
},
"additionalProperties": false
},
"WitnessEvidence": {
"type": "object",
"required": ["callgraph_digest"],
"properties": {
"callgraph_digest": {
"type": "string",
"description": "BLAKE3 digest of the call graph used for the analysis"
},
"surface_digest": {
"type": "string",
"description": "SHA-256 digest of the attack surface manifest"
},
"analysis_config_digest": {
"type": "string",
"description": "SHA-256 digest of the analysis configuration"
},
"build_id": {
"type": "string",
"description": "Build identifier for the analyzed artifact"
}
},
"additionalProperties": false
},
"UnreachabilityEvidence": {
"type": "object",
"required": ["analyzed_entrypoints", "unreachable_symbol", "analysis_method", "graph_digest"],
"properties": {
"analyzed_entrypoints": {
"type": "integer",
"minimum": 0,
"description": "Number of entrypoints analyzed"
},
"unreachable_symbol": {
"type": "string",
"description": "Vulnerable symbol that was confirmed unreachable"
},
"analysis_method": {
"type": "string",
"description": "Analysis method (static, dynamic, hybrid)"
},
"graph_digest": {
"type": "string",
"description": "Digest of the analyzed graph, recorded for reproducibility"
}
},
"additionalProperties": false
},
"FunctionAbsentEvidence": {
"type": "object",
"required": ["function_name", "binary_digest", "verification_method"],
"properties": {
"function_name": {
"type": "string",
"description": "Vulnerable function name"
},
"binary_digest": {
"type": "string",
"description": "Digest of the binary in which the function's absence was checked"
},
"verification_method": {
"type": "string",
"description": "Verification method (symbol table scan, disassembly, etc.)"
}
},
"additionalProperties": false
},
"GateBlockedEvidence": {
"type": "object",
"required": ["detected_gates", "gate_coverage_percent", "effectiveness"],
"properties": {
"detected_gates": {
"type": "array",
"items": {
"$ref": "#/definitions/DetectedGate"
},
"description": "Gates detected along all paths to the vulnerable code"
},
"gate_coverage_percent": {
"type": "integer",
"minimum": 0,
"maximum": 100,
"description": "Minimum gate coverage percentage [0, 100]"
},
"effectiveness": {
"type": "string",
"description": "Gate effectiveness assessment"
}
},
"additionalProperties": false
},
"DetectedGate": {
"type": "object",
"required": ["type", "guard_symbol", "confidence"],
"properties": {
"type": {
"type": "string",
"description": "Gate type (authRequired, inputValidation, rateLimited, etc.)"
},
"guard_symbol": {
"type": "string",
"description": "Symbol that implements the gate"
},
"confidence": {
"type": "number",
"minimum": 0.0,
"maximum": 1.0,
"description": "Confidence level [0.0, 1.0]"
},
"detail": {
"type": "string",
"description": "Human-readable detail about the gate"
}
},
"additionalProperties": false
},
"PatchedSymbolEvidence": {
"type": "object",
"required": ["vulnerable_symbol", "patched_symbol", "symbol_diff"],
"properties": {
"vulnerable_symbol": {
"type": "string",
"description": "Vulnerable symbol identifier"
},
"patched_symbol": {
"type": "string",
"description": "Patched symbol identifier"
},
"symbol_diff": {
"type": "string",
"description": "Symbol diff showing the patch"
},
"patch_ref": {
"type": "string",
"description": "Patch commit or release reference"
}
},
"additionalProperties": false
},
"VexStatementEvidence": {
"type": "object",
"required": ["vex_id", "vex_author", "vex_status", "vex_digest"],
"properties": {
"vex_id": {
"type": "string",
"description": "VEX statement identifier"
},
"vex_author": {
"type": "string",
"description": "VEX statement author/authority"
},
"vex_status": {
"type": "string",
"enum": ["not_affected", "fixed"],
"description": "VEX statement status"
},
"vex_digest": {
"type": "string",
"description": "Content digest of the VEX document"
}
},
"additionalProperties": false
},
"FeatureFlagEvidence": {
"type": "object",
"required": ["flag_name", "flag_state", "verification_source"],
"properties": {
"flag_name": {
"type": "string",
"description": "Feature flag name/key"
},
"flag_state": {
"type": "string",
"description": "Feature flag state (off, disabled)"
},
"verification_source": {
"type": "string",
"description": "Source of flag verification (config file, runtime)"
}
},
"additionalProperties": false
},
"VersionRangeEvidence": {
"type": "object",
"required": ["actual_version", "affected_range", "comparison_method"],
"properties": {
"actual_version": {
"type": "string",
"description": "Actual version of the component"
},
"affected_range": {
"type": "string",
"description": "Affected version range from advisory"
},
"comparison_method": {
"type": "string",
"description": "Version comparison method used"
}
},
"additionalProperties": false
},
"LinkerGcEvidence": {
"type": "object",
"required": ["removed_symbol", "linker_method", "verification_digest"],
"properties": {
"removed_symbol": {
"type": "string",
"description": "Symbol removed by linker GC"
},
"linker_method": {
"type": "string",
"description": "Linker garbage collection method"
},
"verification_digest": {
"type": "string",
"description": "Digest of the final binary, for verification"
}
},
"additionalProperties": false
}
}
}