stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/attestor/noise-ledger.md

2.5 KiB
Raw Blame History

Noise Ledger (Audit Log of Suppressions)

Module

Attestor

Status

IMPLEMENTED

Description

Suppression witnesses and audit hash logging exist in the backend. CLI audit commands exist. A dedicated "Noise Ledger" UX component is not present, though the underlying audit/suppression infrastructure is in place.

What's Implemented

  • Audit Hash Logger: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs (with .Validation) -- tamper-evident audit logging for all actions including suppressions.
  • Hash Audit Record: Audit/HashAuditRecord.cs -- individual audit record with hash chain.
  • Audit Artifact Types: Audit/AuditArtifactTypes.cs -- enumeration of auditable artifact types.
  • VEX Override System: __Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/ -- structured VEX overrides (suppressions) with evidence and justification.
  • Change Trace Attestation Service: ProofChain/ChangeTrace/ChangeTraceAttestationService.cs -- tracks changes including suppressions.
  • VEX Delta Tracking: Predicates/VexDeltaPredicate.cs, VexDeltaChange.cs -- tracks VEX status transitions.

What's Missing

  • Dedicated Noise Ledger service: No standalone service aggregating all suppression/noise decisions into a queryable ledger.
  • Noise Ledger UI component: No frontend page showing a filterable, sortable list of all suppressions with justifications and evidence.
  • Suppression statistics: No aggregated statistics (suppressions per severity, per component, per time period).
  • Suppression review workflow: No periodic review workflow that surfaces suppressions due for re-evaluation.
  • Suppression export: No dedicated export format for suppression audit trail (e.g., for compliance reporting).
  • Noise pattern detection: No automated detection of noise patterns (e.g., same CVE suppressed across all environments).

Implementation Plan

  • Create NoiseLedgerService aggregating suppressions from VEX overrides, audit logs, and change traces
  • Add REST endpoints for querying the noise ledger with filtering/pagination
  • Build Angular UI component showing suppression list with details, justification, and evidence links
  • Implement suppression statistics and trend analysis
  • Add periodic review workflow surfacing stale suppressions
  • Add export functionality for compliance auditors
  • Add tests for ledger aggregation, statistics, and review scheduling

Related Documentation

  • Source: See feature catalog