git.stella-ops.org/docs/features/unchecked/attestor/micro-witness-evidence.md

Micro-Witness Evidence (Function-Level)

Module: Attestor

Status: IMPLEMENTED

Description

Complete micro-witness system with binary refs, CVE refs, function-level evidence, verdict models, and tooling metadata for fine-grained reachability proof.

Implementation Details

  • Binary Micro-Witness Predicate: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryMicroWitnessPredicate.cs -- complete micro-witness combining binary ref, CVE ref, function evidence, SBOM ref, tooling, and verdicts.
  • Binary Reference: Predicates/MicroWitnessBinaryRef.cs -- identifies the binary artifact (name, version, digest, architecture).
  • CVE Reference: Predicates/MicroWitnessCveRef.cs -- CVE identifier with CVSS score, affected function, and advisory URL.
  • Function Evidence: Predicates/MicroWitnessFunctionEvidence.cs -- function-level evidence with call-stack depth, reachability status, and code location.
  • SBOM Reference: Predicates/MicroWitnessSbomRef.cs -- links micro-witness to an SBOM component entry (component name, version, bom-ref).
  • Tooling Metadata: Predicates/MicroWitnessTooling.cs -- captures the analysis tool (name, version, language, analysis type).
  • Verdicts: Predicates/MicroWitnessVerdicts.cs -- per-function reachability verdicts (Reachable, Unreachable, Unknown) with confidence.
  • Micro-Witness Statement: Statements/BinaryMicroWitnessStatement.cs -- in-toto statement wrapping the micro-witness predicate.
  • Reachability Witness: Statements/ReachabilityWitnessPayload.cs (with .Path) -- witness payload with call path data. ReachabilityWitnessStatement.cs -- in-toto wrapper.
  • Call Path Nodes: Statements/WitnessCallPathNode.cs, WitnessPathNode.cs -- individual nodes in the witness call path.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/BinaryMicroWitnessPredicateTests.cs

E2E Test Plan

  • Create a BinaryMicroWitnessPredicate with a MicroWitnessBinaryRef, MicroWitnessCveRef, and three MicroWitnessFunctionEvidence entries at different call-stack depths; verify the predicate is well-formed
  • Create MicroWitnessVerdicts with Reachable, Unreachable, and Unknown verdicts for different functions and verify each verdict has a confidence score
  • Verify MicroWitnessTooling captures language-specific analysis tools (e.g., a Java call-graph analyzer vs. a Python AST analyzer)
  • Verify MicroWitnessSbomRef correctly links the witness to an SBOM component by bom-ref
  • Build a BinaryMicroWitnessStatement and sign it into a DSSE envelope; verify the statement structure
  • Create a ReachabilityWitnessPayload with a call path of 5 WitnessCallPathNode entries and verify path traversal from entrypoint to sink
  • Verify function evidence at call-stack depth 0 (entrypoint) through depth N (vulnerable function) and confirm depth tracking is accurate
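The following is an added example, not code from the StellaOps repository: it builds an in-toto statement whose predicate mirrors the micro-witness parts listed above (binary ref, CVE ref, per-function evidence with call-stack depth, tooling), runs the structural checks the E2E plan describes (contiguous depths from entrypoint to the affected function, confidence in range), and wraps the statement in a DSSE envelope using the real DSSE Pre-Authentication Encoding. The JSON field names, the predicateType URI and the sample binary/CVE values are assumptions or placeholders, and an HMAC with a constructed key stands in for the asymmetric signature a production attestor would use.

```python
import base64, hashlib, hmac, json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
DEMO_KEY = b"demo-key-not-for-production"  # constructed; real envelopes use an asymmetric key

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the exact bytes a signer signs."""
    return b"DSSEv1 %d %s %d " % (len(payload_type), payload_type.encode(), len(payload)) + payload

def build_micro_witness(binary: dict, cve: dict, call_path: list, tool: dict) -> dict:
    """in-toto Statement whose predicate mirrors the page's micro-witness parts (field names assumed).
    call_path runs from the entrypoint (depth 0) to the vulnerable function (depth N)."""
    evidence = [{"function": fn, "callStackDepth": depth, "reachability": "Reachable", "confidence": 0.9}
                for depth, fn in enumerate(call_path)]
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": binary["name"], "digest": {"sha256": binary["sha256"]}}],
        "predicateType": "https://example.invalid/binary-micro-witness/v1",  # assumed URI
        "predicate": {"binaryRef": binary, "cveRef": cve, "functionEvidence": evidence, "tooling": tool},
    }

def check_predicate(stmt: dict) -> list:
    """Structural checks a consumer runs before trusting a witness; returns the problems found."""
    pred, ev, problems = stmt["predicate"], stmt["predicate"]["functionEvidence"], []
    if [e["callStackDepth"] for e in ev] != list(range(len(ev))):
        problems.append("call-stack depths are not contiguous from 0")
    if not ev or ev[-1]["function"] != pred["cveRef"]["affectedFunction"]:
        problems.append("call path does not end at the CVE's affected function")
    if any(not 0.0 <= e["confidence"] <= 1.0 for e in ev):
        problems.append("verdict confidence outside [0, 1]")
    return problems

def sign_envelope(stmt: dict) -> dict:
    payload = json.dumps(stmt, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(DEMO_KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}]}

def verify_envelope(env: dict) -> bool:
    """Recompute the MAC over PAE(payloadType, payload), never over the raw payload alone."""
    payload = base64.b64decode(env["payload"])
    expected = hmac.new(DEMO_KEY, pae(env["payloadType"], payload), hashlib.sha256).digest()
    return any(hmac.compare_digest(expected, base64.b64decode(s["sig"])) for s in env["signatures"])

# Constructed sample: 5-node call path from entrypoint to the affected function; CVE id is a placeholder.
SAMPLE = build_micro_witness(
    {"name": "libexample.so", "version": "1.2.3", "sha256": "ab" * 32, "architecture": "x86_64"},
    {"id": "CVE-YYYY-NNNNN", "cvss": 7.5, "affectedFunction": "parse_header"},
    ["main", "serve_request", "handle_packet", "decode_frame", "parse_header"],
    {"name": "demo-callgraph", "version": "0.1", "language": "C", "analysisType": "static"})
```

A witness whose path stops short of the CVE's affected function, or whose envelope signature was computed over a different payload, is rejected by `check_predicate` and `verify_envelope` respectively.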