stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
9b58589ba01342d5df7ab3bbfd7370cc970cdd21
git.stella-ops.org/docs/features/unchecked/scanner/signed-triage-decisions.md

2.5 KiB
Raw Blame History

Signed Triage Decisions

Module

Scanner

Status

IMPLEMENTED

Description

Triage decisions are tracked with rationale, evidence linkage, and unified evidence composition supporting attestation chains.

Implementation Details

  • Triage Decision Model:
    • src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageDecision.cs - TriageDecision entity tracking triage decisions with rationale, user attribution, and evidence linkage
    • src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageFinding.cs - TriageFinding entity linking findings to triage decisions
    • src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageEvidenceArtifact.cs - TriageEvidenceArtifact linking evidence artifacts to triage decisions for attestation chains
    • src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageEnums.cs - Enums for triage status, decision types, and evidence artifact types
  • Database Context:
    • src/Scanner/__Libraries/StellaOps.Scanner.Triage/TriageDbContext.cs - TriageDbContext EF Core database context for triage persistence
  • Unified Evidence:
    • src/Scanner/StellaOps.Scanner.WebService/Services/UnifiedEvidenceService.cs - UnifiedEvidenceService composing triage decisions with unified evidence for attestation
  • Triage Status Service:
    • src/Scanner/StellaOps.Scanner.WebService/Services/TriageStatusService.cs - TriageStatusService managing triage workflow state transitions
  • API Contracts:
    • src/Scanner/StellaOps.Scanner.WebService/Contracts/TriageContracts.cs - API contracts for triage decision endpoints
  • Tests:
    • src/Scanner/__Tests/StellaOps.Scanner.Triage.Tests/TriageSchemaIntegrationTests.cs - Schema integration tests
    • src/Scanner/__Tests/StellaOps.Scanner.Triage.Tests/TriageQueryPerformanceTests.cs - Query performance tests

E2E Test Plan

  • Create a triage decision for a vulnerability finding with rationale and verify it persists with correct evidence linkage
  • Verify triage decisions include user attribution (who made the decision and when)
  • Verify UnifiedEvidenceService composes triage decisions into attestation-compatible evidence chains
  • Verify triage decision state transitions follow the expected workflow (e.g., Open -> Accepted/Rejected -> Closed)
  • Verify TriageEvidenceArtifact links supporting evidence (scan results, VEX statements, reachability analysis) to triage decisions
  • Verify triage query performance is within acceptable limits for large finding sets