git.stella-ops.org/docs/features/checked/scanner/reachability-slice-dsse-predicate.md
2026-02-14 09:11:48 +02:00

Reachability Slice DSSE Predicate (Attestable Minimal Subgraph)

Module

Scanner

Status

VERIFIED

Description

Defines attestable reachability slices as DSSE predicates (stellaops.dev/predicates/reachability-slice@v1) containing minimal subgraphs for specific CVE queries. Includes slice extraction from full call graphs, DSSE signing with CAS storage, and verdict computation (reachable/unreachable/unknown with confidence scores).

Implementation Details

  • Slice Extraction:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceExtractor.cs - SliceExtractor extracts minimal subgraphs from full call graphs for specific CVE queries
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceModels.cs - Models for reachability slices including verdict (reachable/unreachable/unknown) with confidence scores
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceSchema.cs - Schema definition for stellaops.dev/predicates/reachability-slice@v1 predicate
  • DSSE Signing:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceDsseSigner.cs - SliceDsseSigner signs reachability slices as DSSE predicates
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceHasher.cs - SliceHasher computes content-addressed hashes for slice integrity
  • CAS Storage:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceCasStorage.cs - SliceCasStorage provides content-addressable storage for DSSE-signed reachability slices
  • Policy Binding:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/PolicyBinding.cs - Policy version binding for slices
  • Observed Path Slices:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/ObservedPathSliceGenerator.cs - Generates slices from runtime-observed paths
  • Diff Computation:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceDiffComputer.cs - Computes diffs between slice versions

E2E Test Plan

  • Extract a reachability slice for a specific CVE and verify it contains the minimal subgraph (entrypoint to vulnerable function)
  • Verify the slice is signed as a DSSE predicate with stellaops.dev/predicates/reachability-slice@v1 type
  • Verify the slice includes a verdict (reachable/unreachable/unknown) with a confidence score
  • Verify DSSE signature verification passes for a correctly signed slice
  • Verify CAS storage correctly stores and retrieves slices by content address
  • Verify slice diff computation identifies changes between two slice versions for the same CVE
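
The signing, type, verdict and CAS checks from the plan above, as an added Python sketch that is not StellaOps code. It assumes the slice is wrapped in an in-toto Statement, uses HMAC-SHA256 as a stand-in for the real signature scheme, and assumes a SHA-256 CAS key over canonical JSON; the field names inside "predicate" and the 0..1 confidence range are hypothetical.

```python
import base64, hashlib, hmac, json

PREDICATE_TYPE = "stellaops.dev/predicates/reachability-slice@v1"  # from the page
PAYLOAD_TYPE = "application/vnd.in-toto+json"  # assumption: in-toto Statement payload
VERDICTS = {"reachable", "unreachable", "unknown"}  # from the page

def pae(payload_type: str, body: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes that get signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(body), body)

def sign(statement: dict, key: bytes, keyid: str) -> dict:
    """Build a DSSE envelope; HMAC stands in for the real signer (assumption)."""
    body = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, body), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(body).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def verify(envelope: dict, key: bytes) -> dict:
    """Return the predicate only if signature, types and verdict all check out."""
    body = base64.b64decode(envelope["payload"], validate=True)
    expected = hmac.new(key, pae(envelope["payloadType"], body), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope["signatures"]):
        raise ValueError("signature mismatch")
    # Parse the payload only after the signature over it has verified.
    statement = json.loads(body)
    if (envelope["payloadType"] != PAYLOAD_TYPE
            or statement.get("predicateType") != PREDICATE_TYPE):
        raise ValueError("unexpected payload or predicate type")
    verdict = statement["predicate"]["verdict"]
    # Assumed range: confidence is a score between 0 and 1.
    if verdict["status"] not in VERDICTS or not 0.0 <= verdict["confidence"] <= 1.0:
        raise ValueError("invalid verdict")
    return statement["predicate"]

def cas_key(envelope: dict) -> str:
    """Content address of the stored envelope (assumed: SHA-256 of canonical JSON)."""
    blob = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(blob).hexdigest()

# Constructed sample slice; the CVE id is a placeholder, predicate fields hypothetical.
SAMPLE = {"_type": "https://in-toto.io/Statement/v1",
          "subject": [{"name": "example-image", "digest": {"sha256": "0" * 64}}],
          "predicateType": PREDICATE_TYPE,
          "predicate": {"query": {"cve": "CVE-0000-0000"},
                        "subgraph": {"nodes": ["main", "parse", "vuln_fn"],
                                     "edges": [["main", "parse"], ["parse", "vuln_fn"]]},
                        "verdict": {"status": "reachable", "confidence": 0.9}}}
```

Because the signature covers the PAE of the payload type and body together, a slice re-labelled with a different predicate or payload type fails verification even when the graph data is untouched.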

Verification

Check                           Result
Tier 0 - Source files exist     PASS
Tier 1 - Build + code review    PASS
Tier 2 - Integration tests      PASS
Verified 2026-02-13T18:10:00Z