git.stella-ops.org/docs/features/unchecked/attestor/signal-normalization-pipeline.md

Signal Normalization Pipeline

Module: Attestor

Status: IMPLEMENTED

Description

Signal normalization is provided by the existing scoring engine and determinization evidence system, which handle CVSS, KEV, EPSS, and other signal providers.

Implementation Details

  • Evidence Predicate: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/EvidencePredicate.cs -- evidence predicate capturing normalized signal data (CVSS scores, KEV status, EPSS probability).
  • Finding Summary: Predicates/FindingSummary.cs -- summary of a finding with normalized severity from multiple signal sources.
  • Scan Context Info: Predicates/ScanContextInfo.cs -- scanner context capturing which signal providers contributed data.
  • Verdict Inputs: Statements/VerdictInputs.cs -- records normalized signals as inputs to verdict decisions.
  • Verdict Decision: Statements/VerdictDecision.cs -- decision incorporating normalized signal data.
  • Statement Builder: Builders/StatementBuilder.cs -- builds attestations capturing normalized signal data.
  • Content-Addressed IDs: Identifiers/ContentAddressedIdGenerator.cs -- generates deterministic IDs from normalized signal payloads.
  • RFC 8785 Canonicalizer: Json/Rfc8785JsonCanonicalizer.cs -- deterministic serialization of signal data.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/SignalNormalizationTests.cs

E2E Test Plan

  • Create an EvidencePredicate with CVSS v3.1, CVSS v4.0, and EPSS data and verify all signals are captured
  • Normalize a finding with multiple signal sources and verify FindingSummary produces a consistent severity
  • Verify ScanContextInfo captures the signal providers (NVD, CISA KEV, EPSS) and their versions
  • Build a verdict with normalized signals as VerdictInputs and verify the decision references all signal sources
  • Canonicalize signal data via Rfc8785JsonCanonicalizer and verify deterministic output
  • Generate a content-addressed ID from normalized signals and verify it is deterministic
  • Verify signal normalization handles missing signals gracefully (e.g., no EPSS data available)
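As an added example (not the project's own code), the following Python sketch walks through the normalize, canonicalize and content-addressed ID steps listed under Implementation Details and exercises the determinism and missing-EPSS checks from the test plan. The record layout, field names, severity policy and the `sha256:` ID prefix are assumptions, and the CVE identifier is a placeholder.

```python
import hashlib
import json

# Constructed sample of normalized signal data, shaped loosely after the page's
# EvidencePredicate. Field names are assumptions, not the StellaOps schema, and
# the CVE identifier is a placeholder.
SAMPLE_SIGNALS = {
    "vulnerabilityId": "CVE-0000-00000",
    "cvss": {
        "v3.1": {"baseScore": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
        "v4.0": {"baseScore": 9.3},
    },
    "kev": {"listed": True, "provider": "CISA KEV"},
    "epss": {"probability": 0.97, "provider": "EPSS"},
}

# CVSS v3.x qualitative rating bands (lower bound, label), highest first.
CVSS_BANDS = [(9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW")]

def normalize(raw):
    """Drop providers that supplied no data (e.g. no EPSS record) so that a
    missing signal is an absent key, never a null that would shift the hash."""
    return {k: v for k, v in raw.items() if v is not None}

def summarize_severity(normalized):
    """Consistent severity across all CVSS versions present: take the highest
    base score and map it through the CVSS v3.x qualitative bands."""
    scores = [m["baseScore"] for m in normalized.get("cvss", {}).values()]
    if not scores:
        return "UNKNOWN"
    top = max(scores)
    return next((name for floor, name in CVSS_BANDS if top >= floor), "NONE")

def canonicalize(obj):
    """JCS-style serialization: sorted keys, no whitespace, UTF-8 bytes.
    Matches RFC 8785 for the strings, booleans and short decimals used here; a
    full implementation also needs ES6 number formatting and UTF-16 key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def content_id(obj):
    """Content-addressed identifier: SHA-256 over the canonical bytes."""
    return "sha256:" + hashlib.sha256(canonicalize(obj)).hexdigest()

if __name__ == "__main__":
    shuffled = dict(reversed(list(SAMPLE_SIGNALS.items())))  # same data, other key order
    assert content_id(normalize(shuffled)) == content_id(normalize(SAMPLE_SIGNALS))
    no_epss = normalize({**SAMPLE_SIGNALS, "epss": None})     # provider had no record
    print(summarize_severity(no_epss), content_id(no_epss))
```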