- Implemented CanonJson class for deterministic JSON serialization and hashing.
- Added unit tests for CanonJson functionality, covering various scenarios including key sorting, handling of nested objects, arrays, and special characters.
- Created project files for the Canonical JSON library and its tests, including necessary package references.
- Added README.md for library usage and API reference.
- Introduced RabbitMqIntegrationFactAttribute for conditional RabbitMQ integration tests.
# VEX Lattice Benchmark Suite

- Purpose: Verify VEX lattice merge semantics and jurisdiction rules.
- Status: Active
- Sprint: SPRINT_3850_0001_0001 (Competitive Gap Closure)

## Overview

StellaOps implements VEX (Vulnerability Exploitability eXchange) with:

- Lattice-based merge semantics (stable outcomes)
- Jurisdiction-specific trust rules (US/EU/RU/CN)
- Source precedence and confidence weighting
- Deterministic conflict resolution
## What Gets Tested

### Lattice Properties

- Idempotency: `merge(a, a) = a`
- Commutativity: `merge(a, b) = merge(b, a)`
- Associativity: `merge(merge(a, b), c) = merge(a, merge(b, c))`
- Monotonicity: once `not_affected`, never regresses

### Status Precedence

Order from most to least specific:

1. `not_affected` (strongest)
2. `affected` (with fix)
3. `under_investigation`
4. `affected` (no fix)

### Jurisdiction Rules

- US: FDA/NIST sources preferred
- EU: ENISA/BSI sources preferred
- RU: FSTEC sources preferred
- CN: CNVD sources preferred
## Test Cases

### TC-001: Idempotency

```json
{
  "input_a": { "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path" },
  "input_b": { "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path" },
  "expected": { "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path" }
}
```

### TC-002: Commutativity

```json
{
  "merge_ab": "merge(vendor_vex, nvd_vex)",
  "merge_ba": "merge(nvd_vex, vendor_vex)",
  "expected": "identical_result"
}
```

### TC-003: Associativity

```json
{
  "lhs": "merge(merge(a, b), c)",
  "rhs": "merge(a, merge(b, c))",
  "expected": "identical_result"
}
```

### TC-004: Conflict Resolution

```json
{
  "vendor_says": "not_affected",
  "nvd_says": "affected",
  "expected": "not_affected",
  "reason": "vendor_has_higher_precedence"
}
```

### TC-005: Jurisdiction Override

```json
{
  "jurisdiction": "EU",
  "bsi_says": "not_affected",
  "nist_says": "affected",
  "expected": "not_affected",
  "reason": "bsi_preferred_in_eu"
}
```
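A reference model of the merge the test cases above describe, added here as an example and not code from the StellaOps repository: statements are joined by taking the maximum of a total order built from jurisdiction-aware source precedence first and status precedence second, so idempotency, commutativity and associativity follow from the order itself. The numeric ranks, the `affected_with_fix`/`affected_no_fix` labels, the `Statement` type and the rule that a vendor outranks every national source are assumptions for this example; `check_lattice_laws` exercises TC-001 to TC-003 exhaustively and the constructed statements reproduce TC-004 and TC-005.

```python
from dataclasses import dataclass
from itertools import permutations

# Status precedence from the README, strongest first; the numeric ranks and
# the *_fix labels are assumptions made for this example.
STATUS_RANK = {"not_affected": 3, "affected_with_fix": 2,
               "under_investigation": 1, "affected_no_fix": 0}

# Jurisdiction-preferred sources from the README; any other source is a fallback.
PREFERRED = {"US": {"fda", "nist"}, "EU": {"enisa", "bsi"},
             "RU": {"fstec"}, "CN": {"cnvd"}}

@dataclass(frozen=True)
class Statement:
    status: str
    source: str
    justification: str = ""

def source_rank(source: str, jurisdiction: str) -> int:
    """Assumed source precedence: vendor > jurisdiction-preferred > other."""
    if source == "vendor":
        return 2
    return 1 if source in PREFERRED.get(jurisdiction, set()) else 0

def sort_key(s: Statement, jurisdiction: str):
    # A total order: source precedence, then status precedence, then stable
    # text tie-breakers so equal-ranked inputs still resolve deterministically.
    return (source_rank(s.source, jurisdiction), STATUS_RANK[s.status],
            s.justification, s.source)

def merge(a: Statement, b: Statement, jurisdiction: str = "US") -> Statement:
    """Lattice join: the max of a total order is idempotent, commutative, associative."""
    return max(a, b, key=lambda s: sort_key(s, jurisdiction))

def check_lattice_laws(stmts, jurisdiction: str = "US") -> bool:
    """TC-001..TC-003 checked exhaustively over every ordering of `stmts`."""
    m = lambda x, y: merge(x, y, jurisdiction)
    if any(m(s, s) != s for s in stmts):
        return False
    return all(m(a, b) == m(b, a) and m(m(a, b), c) == m(a, m(b, c))
               for a, b, c in permutations(stmts, 3))

# Constructed statements mirroring TC-004 and TC-005 ("affected" read as no fix).
VENDOR = Statement("not_affected", "vendor", "vulnerable_code_not_in_execute_path")
NVD = Statement("affected_no_fix", "nvd")
BSI = Statement("not_affected", "bsi", "vulnerable_code_not_in_execute_path")
NIST = Statement("affected_no_fix", "nist")
PENDING = Statement("under_investigation", "enisa")
```

Merging `BSI` and `NIST` under `"US"` instead of `"EU"` returns the NIST statement: identical inputs, different jurisdiction, different outcome, which is exactly what the `jurisdiction-rules/` fixtures pin down.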
## Fixtures

```text
fixtures/
├── lattice-properties/
│   ├── idempotency.json
│   ├── commutativity.json
│   └── associativity.json
├── conflict-resolution/
│   ├── vendor-vs-nvd.json
│   ├── multiple-vendors.json
│   └── timestamp-tiebreaker.json
├── jurisdiction-rules/
│   ├── us-fda-nist.json
│   ├── eu-enisa-bsi.json
│   ├── ru-fstec.json
│   └── cn-cnvd.json
└── expected/
    └── all-tests.results.json
```

## Running the Suite

```bash
# Run VEX lattice tests
dotnet test tests/StellaOps.Policy.Vex.Tests

# Run lattice property verification
./run-lattice-tests.sh

# Run jurisdiction rule tests
./run-jurisdiction-tests.sh
```
## Metrics
| Metric | Target | Description |
|---|---|---|
| Lattice properties | 100% pass | All algebraic properties hold |
| Jurisdiction correctness | 100% pass | Correct source preferred by region |
| Merge determinism | 100% pass | Same inputs → same output |
## Integration with CI

```yaml
# .gitea/workflows/bench-vex-lattice.yaml
name: VEX Lattice Benchmark
on:
  push:
    paths:
      - 'src/Policy/**'
      - 'bench/vex-lattice/**'
jobs:
  lattice:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Lattice Tests
        run: dotnet test tests/StellaOps.Policy.Vex.Tests
      - name: Run Property Tests
        run: ./bench/vex-lattice/run-lattice-tests.sh
```