git.stella-ops.org/docs/contracts/remediation-pr-v1.md
2026-02-19 22:07:11 +02:00

# Remediation PR Predicate Schema v1

## Predicate Type

`https://stellaops.io/predicates/remediation-pr/v1`

## Purpose

Records the verification outcome of a remediation pull request, including scan delta evidence, reachability impact, and the signed fix-chain envelope. This predicate is produced at the end of the verification pipeline and attests that a specific PR either did or did not remediate the targeted CVE.

## Subject

The subject is the PR submission record, identified by its UUID:

```json
{
  "subject": [
    {
      "name": "pr-submission",
      "digest": {
        "sha256": "<submission-record-digest>"
      }
    }
  ]
}
```

## Predicate Fields

| Field | Type | Required | Description |
|---|---|---|---|
| `cveId` | string | yes | The CVE identifier being remediated |
| `prUrl` | string | yes | URL of the pull request |
| `repositoryUrl` | string | yes | URL of the target repository |
| `sourceBranch` | string | yes | Source branch of the PR |
| `targetBranch` | string | yes | Target branch of the PR |
| `fixTemplateId` | string (UUID) | no | ID of the fix template used, if any |
| `preScanDigest` | string | no | SHA-256 digest of the pre-merge SBOM scan |
| `postScanDigest` | string | no | SHA-256 digest of the post-merge SBOM scan |
| `reachabilityDeltaDigest` | string | no | SHA-256 digest of the reachability delta report |
| `verdict` | string | yes | Verification outcome: `fixed`, `partial`, `not_fixed`, `inconclusive` |
| `affectedPaths` | string[] | no | Call graph paths affected by the fix |
| `contributorId` | string (UUID) | no | ID of the contributor who submitted the fix |
| `contributorTrustScore` | number | no | Trust score of the contributor at verification time |
| `verifiedAt` | string (ISO 8601) | yes | Timestamp of verification completion |
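A consumer of this predicate should reject statements whose fields do not match the table before acting on the verdict. The validator below is an added example, not StellaOps code; it encodes the table above as a field map and checks a constructed in-toto statement against it. Two things in it are assumptions rather than page facts: the digest syntax (64 lowercase hex characters with an optional `sha256:` prefix, as in the page's example) and the evidence rule at the end of `validate_predicate`, which refuses a `fixed` or `partial` verdict that is not backed by both scan digests.

```python
import re
import uuid
from datetime import datetime

PREDICATE_TYPE = "https://stellaops.io/predicates/remediation-pr/v1"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
VERDICTS = {"fixed", "partial", "not_fixed", "inconclusive"}

# Assumptions: a digest is 64 lowercase hex chars with an optional "sha256:"
# prefix (the page's example uses the prefix); CVE ids are CVE-YYYY-NNNN.
_DIGEST_RE = re.compile(r"^(sha256:)?[0-9a-f]{64}$")
_CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def _is_str(v):
    return isinstance(v, str) and v != ""

def _is_url(v):
    return _is_str(v) and v.startswith(("https://", "http://"))

def _is_uuid(v):
    try:
        return _is_str(v) and str(uuid.UUID(v)) == v.lower()
    except ValueError:
        return False

def _is_digest(v):
    return _is_str(v) and _DIGEST_RE.match(v) is not None

def _is_timestamp(v):
    # ISO 8601 with an explicit offset; "Z" is normalised for older Pythons.
    try:
        return _is_str(v) and datetime.fromisoformat(v.replace("Z", "+00:00")).tzinfo is not None
    except ValueError:
        return False

def _is_number(v):
    return isinstance(v, (int, float)) and not isinstance(v, bool)


# field name -> (required, check on the value); mirrors the table above
FIELDS = {
    "cveId": (True, lambda v: _is_str(v) and _CVE_RE.match(v) is not None),
    "prUrl": (True, _is_url),
    "repositoryUrl": (True, _is_url),
    "sourceBranch": (True, _is_str),
    "targetBranch": (True, _is_str),
    "fixTemplateId": (False, _is_uuid),
    "preScanDigest": (False, _is_digest),
    "postScanDigest": (False, _is_digest),
    "reachabilityDeltaDigest": (False, _is_digest),
    "verdict": (True, lambda v: isinstance(v, str) and v in VERDICTS),
    "affectedPaths": (False, lambda v: isinstance(v, list) and all(_is_str(p) for p in v)),
    "contributorId": (False, _is_uuid),
    "contributorTrustScore": (False, _is_number),
    "verifiedAt": (True, _is_timestamp),
}


def validate_predicate(pred):
    """Return a list of problems; an empty list means the predicate is well-formed."""
    errors = []
    for name, (required, check) in FIELDS.items():
        if name not in pred:
            if required:
                errors.append(f"missing required field {name}")
        elif not check(pred[name]):
            errors.append(f"invalid value for {name}: {pred[name]!r}")
    errors += [f"unknown field {name}" for name in pred if name not in FIELDS]
    # Evidence rule (assumption, not stated on the page): a "fixed" or "partial"
    # verdict must be backed by both scan digests, not asserted bare.
    if pred.get("verdict") in ("fixed", "partial") and not (
        pred.get("preScanDigest") and pred.get("postScanDigest")
    ):
        errors.append(f"verdict {pred['verdict']} requires preScanDigest and postScanDigest")
    return errors


def validate_statement(stmt):
    """Check the in-toto wrapper, then the predicate it carries."""
    errors = []
    if stmt.get("_type") != STATEMENT_TYPE:
        errors.append("unexpected _type")
    if stmt.get("predicateType") != PREDICATE_TYPE:
        errors.append("unexpected predicateType")
    subjects = stmt.get("subject") or []
    if not subjects or any(
        s.get("name") != "pr-submission" or not _is_digest((s.get("digest") or {}).get("sha256"))
        for s in subjects
    ):
        errors.append("subject must be a pr-submission with a sha256 digest")
    return errors + validate_predicate(stmt.get("predicate") or {})


# Constructed sample: digests and UUIDs are placeholders, not real records.
SAMPLE = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "pr-submission", "digest": {"sha256": "ab" * 32}}],
    "predicateType": PREDICATE_TYPE,
    "predicate": {
        "cveId": "CVE-2024-1234",
        "prUrl": "https://github.com/org/repo/pull/42",
        "repositoryUrl": "https://github.com/org/repo",
        "sourceBranch": "fix/CVE-2024-1234",
        "targetBranch": "main",
        "fixTemplateId": "a1b2c3d4-0000-4000-8000-000000000001",
        "preScanDigest": "sha256:" + "aa" * 32,
        "postScanDigest": "sha256:" + "bb" * 32,
        "reachabilityDeltaDigest": "sha256:" + "cc" * 32,
        "verdict": "fixed",
        "affectedPaths": ["com.example.App -> org.vuln.Lib.method()"],
        "contributorId": "e5f6a7b8-0000-4000-8000-000000000002",
        "contributorTrustScore": 0.85,
        "verifiedAt": "2026-02-20T14:30:00Z",
    },
}

if __name__ == "__main__":
    print(validate_statement(SAMPLE) or "statement OK")
```

Unknown fields are reported rather than ignored so that a producer drifting from the schema is noticed at the consumer; a deployment that wants to tolerate forward-compatible additions would drop that line.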

## Example

```json
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      "name": "pr-submission",
      "digest": { "sha256": "abc123..." }
    }
  ],
  "predicateType": "https://stellaops.io/predicates/remediation-pr/v1",
  "predicate": {
    "cveId": "CVE-2024-1234",
    "prUrl": "https://github.com/org/repo/pull/42",
    "repositoryUrl": "https://github.com/org/repo",
    "sourceBranch": "fix/CVE-2024-1234",
    "targetBranch": "main",
    "fixTemplateId": "a1b2c3d4-...",
    "preScanDigest": "sha256:aaa...",
    "postScanDigest": "sha256:bbb...",
    "reachabilityDeltaDigest": "sha256:ccc...",
    "verdict": "fixed",
    "affectedPaths": [
      "com.example.App -> org.vuln.Lib.method()"
    ],
    "contributorId": "e5f6g7h8-...",
    "contributorTrustScore": 0.85,
    "verifiedAt": "2026-02-20T14:30:00Z"
  }
}
```

## Envelope

The predicate is wrapped in a DSSE envelope and signed by the Remediation module's signing key. The `fixChainDsseDigest` on the `PrSubmission` record stores the SHA-256 digest of this envelope.
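The following is an added example, not StellaOps code, showing what the envelope step involves: DSSE pre-authentication encoding of the statement, a signature over those bytes, the `fixChainDsseDigest` computed over the serialized envelope, and a verifier that refuses a payload whose signature no longer matches. Two assumptions are made: the signing key is an HMAC secret standing in for the module's real (asymmetric) signing key, and the envelope is serialized as compact JSON with sorted keys before hashing, since the page does not specify a canonical form.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

PAYLOAD_TYPE = "application/vnd.in-toto+json"
PREDICATE_TYPE = "https://stellaops.io/predicates/remediation-pr/v1"


def canonical(obj) -> bytes:
    """Deterministic JSON bytes (assumed serialization; DSSE does not mandate one)."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def sign_statement(statement: dict, key: bytes, keyid: str) -> dict:
    """Wrap an in-toto statement in a DSSE envelope carrying one signature."""
    payload = canonical(statement)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict, key: bytes) -> Optional[dict]:
    """Return the statement if a signature verifies and it carries the expected
    predicateType; None otherwise. The payload is parsed only after verification."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return None
    payload = base64.b64decode(envelope.get("payload", ""))
    expected = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s.get("sig", "")), expected)
               for s in envelope.get("signatures", [])):
        return None
    statement = json.loads(payload)
    return statement if statement.get("predicateType") == PREDICATE_TYPE else None


def envelope_digest(envelope: dict) -> str:
    """The value stored as fixChainDsseDigest on the PrSubmission record."""
    return "sha256:" + hashlib.sha256(canonical(envelope)).hexdigest()


def tamper_verdict(envelope: dict, verdict: str) -> dict:
    """Edit the payload without re-signing, to show that verification rejects it."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    statement["predicate"]["verdict"] = verdict
    return {**envelope, "payload": base64.b64encode(canonical(statement)).decode()}


# Constructed sample statement (required fields only; the digest is a placeholder).
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pr-submission", "digest": {"sha256": "ab" * 32}}],
    "predicateType": PREDICATE_TYPE,
    "predicate": {
        "cveId": "CVE-2024-1234",
        "prUrl": "https://github.com/org/repo/pull/42",
        "repositoryUrl": "https://github.com/org/repo",
        "sourceBranch": "fix/CVE-2024-1234",
        "targetBranch": "main",
        "verdict": "fixed",
        "verifiedAt": "2026-02-20T14:30:00Z",
    },
}
# Constructed stand-in for the Remediation module's signing key (HMAC, not asymmetric).
KEY = b"remediation-module-demo-key"

if __name__ == "__main__":
    env = sign_statement(STATEMENT, KEY, "remediation-key-1")
    print("fixChainDsseDigest:", envelope_digest(env))
    print("verifies:", verify_envelope(env, KEY) is not None)
    print("tampered verifies:", verify_envelope(tamper_verdict(env, "not_fixed"), KEY) is not None)
```

Because the signature covers the PAE bytes rather than the raw payload, the payload type is bound into the signature as well; a verifier that skipped the `payloadType` check, or parsed the payload before checking a signature, would give up that binding.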