git.stella-ops.org/docs/features/checked/concelier/vex-conflict-resolution.md
2026-02-13 02:04:55 +02:00

# VEX conflict resolution (side-by-side merge with provenance)
## Module
Concelier
## Status
IMPLEMENTED
## Description
The VEX conflict resolver and consensus engine merge statements from multiple sources and use rationale models to explain the merge outcomes.
## Implementation Details
- **Modules**: `src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/`
- **Key Classes**:
  - `VexConflictResolver` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConflictResolver.cs`) - resolves conflicts between VEX statements from multiple sources with provenance-based precedence
  - `VexConsumptionReporter` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionReporter.cs`) - reports VEX consumption outcomes and merge rationale
  - `VexConsumptionPolicyLoader` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicyLoader.cs`) - loads VEX consumption policies defining merge rules
  - `VexConsumptionPolicyDefaults` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicy.cs`) - default merge policy configuration
  - `VexConsumptionOptions` (`src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionOptions.cs`) - options for VEX consumption behavior
- **Interfaces**: `IVexConflictResolver`, `IVexConsumptionReporter`, `IVexConsumptionPolicyLoader`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Submit two conflicting VEX statements (affected vs not_affected) for the same CVE+product and verify the resolver produces a merged outcome with rationale
- [ ] Verify provenance-based precedence: vendor VEX statement takes precedence over community source
- [ ] Verify `VexConsumptionReporter` emits a report explaining why one statement won over another
- [ ] Verify policy-based resolution: load a custom merge policy and confirm it changes the resolution outcome
- [ ] Verify side-by-side preservation: both original statements remain accessible after merge
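
The behaviours in the test plan above can be modelled in a few lines. The following is an added illustration, not StellaOps code: `VexStatement`, `MergeResult`, `resolve`, the rank-table policy shape and the tie-break rule are all assumptions, and the CVE id and product are constructed placeholders.

```python
from dataclasses import dataclass

# Assumed policy shape: provenance class -> rank, lower rank wins.
DEFAULT_POLICY = {"vendor": 0, "distro": 1, "community": 2}

@dataclass(frozen=True)
class VexStatement:
    source: str   # provenance class, e.g. "vendor"
    cve: str
    product: str
    status: str   # "affected", "not_affected", ...

@dataclass(frozen=True)
class MergeResult:
    winner: VexStatement
    rationale: str
    candidates: tuple  # every original statement, preserved side by side

def resolve(statements, policy=DEFAULT_POLICY):
    """Merge statements about one CVE+product; unknown sources rank last."""
    if not statements:
        raise ValueError("no statements to resolve")
    if len({(s.cve, s.product) for s in statements}) != 1:
        raise ValueError("statements must share one CVE+product")

    def rank(s):
        return policy.get(s.source, len(policy))

    # sorted() is stable, so equal ranks keep input order (assumed tie-break).
    ordered = sorted(statements, key=rank)
    winner = ordered[0]
    if len({s.status for s in statements}) == 1:
        why = f"no conflict: all sources report {winner.status}"
    else:
        losers = ", ".join(f"{s.source}={s.status}" for s in ordered[1:])
        why = (f"{winner.source}={winner.status} wins by provenance rank "
               f"{rank(winner)} over {losers}")
    return MergeResult(winner, why, tuple(statements))

# Constructed sample input (placeholder CVE id and product, not real data).
VENDOR = VexStatement("vendor", "CVE-0000-0000", "pkg:example/app@1.0", "not_affected")
COMMUNITY = VexStatement("community", "CVE-0000-0000", "pkg:example/app@1.0", "affected")

if __name__ == "__main__":
    print(resolve([COMMUNITY, VENDOR]).rationale)
    # A custom policy that inverts the default precedence changes the outcome.
    print(resolve([COMMUNITY, VENDOR], {"community": 0, "vendor": 1}).rationale)
```

Because the losing statement stays in `candidates`, a reviewer can still see that a lower-precedence source reported `affected` even when the merged outcome is `not_affected`.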