git.stella-ops.org/docs/contracts/remediation-pr-v1.md
2026-02-19 22:07:11 +02:00

# Remediation PR Predicate Schema v1
## Predicate Type
`https://stellaops.io/predicates/remediation-pr/v1`
## Purpose
Records the verification outcome of a remediation pull request, including scan delta evidence, reachability impact, and the signed fix-chain envelope. This predicate is produced at the end of the verification pipeline and attests to the verification verdict (`fixed`, `partial`, `not_fixed` or `inconclusive`) for a specific PR against the targeted CVE.
## Subject
The subject is the PR submission record (the `PrSubmission` identified by its UUID); the subject digest is the SHA-256 of that submission record, so the statement binds to one exact record rather than to a mutable PR URL:
```json
{
  "subject": [
    {
      "name": "pr-submission",
      "digest": {
        "sha256": "<submission-record-digest>"
      }
    }
  ]
}
```
## Predicate Fields
| Field | Type | Required | Description |
|-------|------|----------|-------------|
| `cveId` | string | yes | The CVE identifier being remediated |
| `prUrl` | string | yes | URL of the pull request |
| `repositoryUrl` | string | yes | URL of the target repository |
| `sourceBranch` | string | yes | Source branch of the PR |
| `targetBranch` | string | yes | Target branch of the PR |
| `fixTemplateId` | string (UUID) | no | ID of the fix template used, if any |
| `preScanDigest` | string | no | SHA-256 digest of the pre-merge SBOM scan |
| `postScanDigest` | string | no | SHA-256 digest of the post-merge SBOM scan |
| `reachabilityDeltaDigest` | string | no | SHA-256 digest of the reachability delta report |
| `verdict` | string | yes | Verification outcome: `fixed`, `partial`, `not_fixed`, `inconclusive` |
| `affectedPaths` | string[] | no | Call graph paths affected by the fix |
| `contributorId` | string (UUID) | no | ID of the contributor who submitted the fix |
| `contributorTrustScore` | number | no | Trust score of the contributor at verification time |
| `verifiedAt` | string (ISO 8601) | yes | Timestamp of verification completion |
## Example
```json
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      "name": "pr-submission",
      "digest": { "sha256": "abc123..." }
    }
  ],
  "predicateType": "https://stellaops.io/predicates/remediation-pr/v1",
  "predicate": {
    "cveId": "CVE-2024-1234",
    "prUrl": "https://github.com/org/repo/pull/42",
    "repositoryUrl": "https://github.com/org/repo",
    "sourceBranch": "fix/CVE-2024-1234",
    "targetBranch": "main",
    "fixTemplateId": "a1b2c3d4-...",
    "preScanDigest": "sha256:aaa...",
    "postScanDigest": "sha256:bbb...",
    "reachabilityDeltaDigest": "sha256:ccc...",
    "verdict": "fixed",
    "affectedPaths": [
      "com.example.App -> org.vuln.Lib.method()"
    ],
    "contributorId": "e5f6g7h8-...",
    "contributorTrustScore": 0.85,
    "verifiedAt": "2026-02-20T14:30:00Z"
  }
}
```
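A consumer of this predicate should reject statements that do not match the field table before it reads `verdict`. The validator below is an added example written for this page, not StellaOps code: it checks the statement and predicate types, the single `pr-submission` subject, required and optional fields with their types, the `verdict` enum, and the value formats the page's example implies (bare 64-hex subject digest, `sha256:<hex>` scan digests, UUIDs, ISO 8601 timestamp with an offset). The strictness choices (exactly one subject, unknown fields rejected) and the sample statement with placeholder digests are this example's own assumptions.

```python
"""Validate a remediation-pr/v1 in-toto statement against the field table.

Added example, not StellaOps code. Format rules for digests, UUIDs and the
single subject are assumptions read from the page's example.
"""
import copy
import re
from datetime import datetime
from urllib.parse import urlparse

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://stellaops.io/predicates/remediation-pr/v1"
VERDICTS = {"fixed", "partial", "not_fixed", "inconclusive"}

# Field -> JSON type, from the Predicate Fields table.
REQUIRED = {"cveId": str, "prUrl": str, "repositoryUrl": str, "sourceBranch": str,
            "targetBranch": str, "verdict": str, "verifiedAt": str}
OPTIONAL = {"fixTemplateId": str, "preScanDigest": str, "postScanDigest": str,
            "reachabilityDeltaDigest": str, "affectedPaths": list,
            "contributorId": str, "contributorTrustScore": (int, float)}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SUBJECT_DIGEST_RE = re.compile(r"^[0-9a-f]{64}$", re.I)      # bare hex, as in the subject
SCAN_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$", re.I)  # "sha256:<hex>", as in the example


def _is_url(value):
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def _is_timestamp(value):
    # ISO 8601 with an explicit offset; "Z" is rewritten for older Pythons.
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00")).tzinfo is not None
    except ValueError:
        return False


def validate_statement(stmt):
    """Return a list of error strings; an empty list means the statement is well-formed."""
    errors = []
    if stmt.get("_type") != STATEMENT_TYPE:
        errors.append("_type is not the in-toto Statement/v1 type")
    if stmt.get("predicateType") != PREDICATE_TYPE:
        errors.append("predicateType is not remediation-pr/v1")
    subjects = stmt.get("subject")
    if not (isinstance(subjects, list) and len(subjects) == 1):
        errors.append("exactly one subject expected")  # assumption: one PrSubmission per statement
    else:
        subj = subjects[0]
        if subj.get("name") != "pr-submission":
            errors.append("subject name must be pr-submission")
        if not SUBJECT_DIGEST_RE.match(str(subj.get("digest", {}).get("sha256", ""))):
            errors.append("subject digest must be a 64-hex sha256")
    pred = stmt.get("predicate")
    if not isinstance(pred, dict):
        return errors + ["predicate missing"]
    for key, typ in REQUIRED.items():
        if key not in pred:
            errors.append(f"missing required field {key}")
        elif not isinstance(pred[key], typ):
            errors.append(f"{key} has wrong type")
    for key, typ in OPTIONAL.items():
        # bool is an int subclass in Python; a boolean trust score is still wrong.
        if key in pred and (not isinstance(pred[key], typ) or isinstance(pred[key], bool)):
            errors.append(f"{key} has wrong type")
    for key in sorted(set(pred) - set(REQUIRED) - set(OPTIONAL)):
        errors.append(f"unknown field {key}")
    if errors:
        return errors  # value checks below assume the shape is right
    if pred["verdict"] not in VERDICTS:
        errors.append(f"verdict must be one of {sorted(VERDICTS)}")
    if not CVE_RE.match(pred["cveId"]):
        errors.append("cveId is not a CVE identifier")
    for key in ("prUrl", "repositoryUrl"):
        if not _is_url(pred[key]):
            errors.append(f"{key} is not an http(s) URL")
    if not _is_timestamp(pred["verifiedAt"]):
        errors.append("verifiedAt must be ISO 8601 with a UTC offset")
    for key in ("fixTemplateId", "contributorId"):
        if key in pred and not UUID_RE.match(pred[key]):
            errors.append(f"{key} is not a UUID")
    for key in ("preScanDigest", "postScanDigest", "reachabilityDeltaDigest"):
        if key in pred and not SCAN_DIGEST_RE.match(pred[key]):
            errors.append(f"{key} must be sha256:<64 hex>")
    if any(not isinstance(p, str) for p in pred.get("affectedPaths", [])):
        errors.append("affectedPaths entries must be strings")
    return errors


# Constructed sample mirroring the page's example; digests are placeholder hex.
SAMPLE = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "pr-submission", "digest": {"sha256": "ab" * 32}}],
    "predicateType": PREDICATE_TYPE,
    "predicate": {
        "cveId": "CVE-2024-1234",
        "prUrl": "https://github.com/org/repo/pull/42",
        "repositoryUrl": "https://github.com/org/repo",
        "sourceBranch": "fix/CVE-2024-1234",
        "targetBranch": "main",
        "preScanDigest": "sha256:" + "aa" * 32,
        "postScanDigest": "sha256:" + "bb" * 32,
        "reachabilityDeltaDigest": "sha256:" + "cc" * 32,
        "verdict": "fixed",
        "affectedPaths": ["com.example.App -> org.vuln.Lib.method()"],
        "contributorTrustScore": 0.85,
        "verifiedAt": "2026-02-20T14:30:00Z",
    },
}


def errors_with(**overrides):
    """Validate a copy of SAMPLE with predicate fields overridden (None deletes a field)."""
    stmt = copy.deepcopy(SAMPLE)
    for key, value in overrides.items():
        if value is None:
            stmt["predicate"].pop(key, None)
        else:
            stmt["predicate"][key] = value
    return validate_statement(stmt)
```

Shape errors (missing fields, wrong types, unknown keys) are reported before value errors, so a statement with a missing `verifiedAt` never reaches the timestamp parser; a consumer that only wants a yes/no answer can test `validate_statement(stmt) == []`.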
## Envelope
The predicate is wrapped in a DSSE envelope and signed by the Remediation module's signing key. The `fixChainDsseDigest` on the `PrSubmission` record stores the SHA-256 digest of this envelope. A consumer should recompute that digest over the stored envelope bytes to confirm the record points at the envelope it fetched, then verify the DSSE signature against the Remediation module's key and check `predicateType` before acting on `verdict`; the digest binds the record to the envelope but does not by itself prove who produced it.
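The envelope handling, as an added example written for this page rather than StellaOps code: the DSSE v1 pre-authentication encoding and envelope layout are the standard ones, but the signer is a stand-in HMAC-SHA256 with a constructed key so the block runs offline on the standard library (the real module signs with its own key; the page does not state the algorithm). Hashing the canonical-JSON bytes of the envelope for `fixChainDsseDigest` is likewise this example's choice; whatever bytes are stored are the bytes that must be hashed. The verify path checks the record binding first, then the signature, then the predicate type, and the forged-payload case at the end shows why the signature check cannot be skipped once the digest matches.

```python
"""DSSE-wrap a remediation-pr statement and bind it via fixChainDsseDigest.

Added example, not StellaOps code. HMAC-SHA256 with DEMO_KEY stands in for the
Remediation module's signing key; the canonical-JSON envelope digest is assumed.
"""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
PREDICATE_TYPE = "https://stellaops.io/predicates/remediation-pr/v1"
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed stand-in key
DEMO_KEYID = "remediation-demo-key"                   # constructed key identifier


def canonical(obj):
    """Deterministic JSON bytes so that re-serialising yields the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def pae(payload_type, payload):
    """DSSE v1 Pre-Authentication Encoding: the bytes that are actually signed."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def _sign(key, data):
    # Stand-in for the module's signature; a real deployment uses an asymmetric key.
    return hmac.new(key, data, hashlib.sha256).digest()


def sign_statement(stmt, key, keyid):
    """Return the serialised DSSE envelope (bytes) for an in-toto statement."""
    payload = canonical(stmt)
    sig = _sign(key, pae(PAYLOAD_TYPE, payload))
    env = {"payloadType": PAYLOAD_TYPE,
           "payload": base64.b64encode(payload).decode(),
           "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}
    return canonical(env)


def envelope_digest(env_bytes):
    """SHA-256 of the stored envelope bytes: the value fixChainDsseDigest would hold."""
    return hashlib.sha256(env_bytes).hexdigest()


def verify_envelope(env_bytes, key, keyid, expected_digest):
    """Check record binding, then signature, then predicate type; return the statement."""
    if not hmac.compare_digest(envelope_digest(env_bytes), expected_digest):
        raise ValueError("envelope digest does not match fixChainDsseDigest")
    env = json.loads(env_bytes)
    if env.get("payloadType") != PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType")
    payload = base64.b64decode(env["payload"])
    expected = _sign(key, pae(PAYLOAD_TYPE, payload))
    if not any(s.get("keyid") == keyid
               and hmac.compare_digest(base64.b64decode(s["sig"]), expected)
               for s in env.get("signatures", [])):
        raise ValueError("no valid signature from the expected key")
    stmt = json.loads(payload)
    if stmt.get("predicateType") != PREDICATE_TYPE:
        raise ValueError("payload is not a remediation-pr/v1 statement")
    return stmt


def is_valid(env_bytes, key, keyid, expected_digest):
    try:
        verify_envelope(env_bytes, key, keyid, expected_digest)
        return True
    except (ValueError, KeyError):  # binascii.Error is a ValueError subclass
        return False


def replace_payload(env_bytes, stmt):
    """Swap the payload but keep the old signatures: models a tampered stored envelope."""
    env = json.loads(env_bytes)
    env["payload"] = base64.b64encode(canonical(stmt)).decode()
    return canonical(env)


# Constructed minimal statement; the subject digest is placeholder hex.
SAMPLE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pr-submission", "digest": {"sha256": "ab" * 32}}],
    "predicateType": PREDICATE_TYPE,
    "predicate": {"cveId": "CVE-2024-1234", "prUrl": "https://github.com/org/repo/pull/42",
                  "repositoryUrl": "https://github.com/org/repo", "sourceBranch": "fix/CVE-2024-1234",
                  "targetBranch": "main", "verdict": "fixed", "verifiedAt": "2026-02-20T14:30:00Z"},
}
```

Verification order matters: comparing the digest first is cheap and rejects an envelope that is not the one the `PrSubmission` record refers to, but an attacker who can rewrite both the stored envelope and the record's digest defeats that check alone, which is what the signature over the PAE bytes is for.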
## Related
- [Remediation Architecture](../modules/remediation/architecture.md)
- [Triage Suppress Predicate](triage-suppress-v1.md)
- [Execution Evidence Contract](execution-evidence-v1.md)