# VEX Attestation Predicate Pipeline

**Module:** Attestor

**Status:** IMPLEMENTED

## Description

Complete VEX attestation pipeline from predicate creation through proof integration to verdict statements.

## Implementation Details

  • VEX Attestation Predicate: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexAttestationPredicate.cs -- predicate model for VEX attestations containing per-component/CVE verdicts with proof references.
  • VEX Predicate: Predicates/VexPredicate.cs -- base VEX predicate with status, justification, and impact statement.
  • VEX Verdict Summary: Predicates/VexVerdictSummary.cs -- summary of VEX verdicts per subject.
  • VEX Status Counts: Predicates/VexStatusCounts.cs -- aggregate counts by VEX status (affected, not_affected, fixed, under_investigation).
  • VEX Document Reference: Predicates/VexDocumentReference.cs -- reference linking to the source VEX document.
  • VEX Proof Integrator: Generators/VexProofIntegrator.cs (with .Helpers, .Metadata) -- embeds cryptographic proof references (proof_ref, proof_method, proof_confidence) into VEX predicates.
  • VEX Verdict Proof Payload: Generators/VexVerdictProofPayload.cs -- payload binding VEX verdicts to proof chain evidence.
  • VEX Verdict Statement: Statements/VexVerdictStatement.cs -- in-toto statement wrapping the VEX verdict as an attestation.
  • VEX Verdict ID: Identifiers/VexVerdictId.cs -- content-addressed identifier for VEX verdicts.
  • Statement Builder: Builders/StatementBuilder.cs (with .Extended) -- builds in-toto statements for VEX predicates.
  • Predicate Schema Validator: Json/PredicateSchemaValidator.cs (with .Validators) -- validates VEX predicates against JSON schemas.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/

## E2E Test Plan

  • Create a VexAttestationPredicate with 3 CVE verdicts (affected, not_affected, fixed) and verify each status is correctly set
  • Integrate proof references via VexProofIntegrator and verify each verdict contains proof_ref, proof_method, and proof_confidence fields
  • Build a VexVerdictStatement via StatementBuilder and verify it is a valid in-toto statement with the correct predicate type URI
  • Validate the VEX predicate against PredicateSchemaValidator and verify it passes schema validation
  • Generate a VexVerdictId from the verdict content and verify it is deterministic (same content produces same ID)
  • Create a VEX attestation with status counts and verify VexStatusCounts matches: 1 affected, 1 not_affected, 1 fixed
  • Create a malformed VEX predicate (missing required justification for not_affected) and verify schema validation fails
  • Build a VEX verdict proof payload and verify it contains the VEX document reference linking to the source VEX document
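The stages the test plan exercises (proof-field integration, schema-style validation, status counts, a deterministic content-addressed verdict ID, and the in-toto statement wrapper), as an added Python sketch that is not the project's C# code; the predicate type URI, subject name and all function names are assumptions.

```python
import hashlib
import json

# Statuses and proof fields follow the page; the predicate type URI is a placeholder.
PREDICATE_TYPE = "https://example.invalid/vex-verdict/v1"  # placeholder, not the real URI
STATUSES = {"affected", "not_affected", "fixed", "under_investigation"}


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so equal content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def verdict_id(verdict: dict) -> str:
    """Content-addressed identifier: sha256 over the canonical verdict."""
    return "sha256:" + hashlib.sha256(canonical(verdict)).hexdigest()


def attach_proof(v: dict, proof_ref: str, method: str, confidence: float) -> dict:
    """Embed proof references into a verdict without mutating the input."""
    return {**v, "proof_ref": proof_ref, "proof_method": method, "proof_confidence": confidence}


def validate_verdict(v: dict) -> list:
    """Schema-style checks: known status, justification for not_affected, proof fields present."""
    errors = []
    if v.get("status") not in STATUSES:
        errors.append(f"unknown status {v.get('status')!r}")
    if v.get("status") == "not_affected" and not v.get("justification"):
        errors.append("not_affected requires a justification")
    for field in ("proof_ref", "proof_method", "proof_confidence"):
        if field not in v:
            errors.append(f"missing {field}")
    return errors


def status_counts(verdicts: list) -> dict:
    """Aggregate counts per VEX status, including zero entries."""
    counts = {s: 0 for s in STATUSES}
    for v in verdicts:
        counts[v["status"]] += 1
    return counts


def build_statement(subject_digest: str, verdicts: list) -> dict:
    """Wrap the verdict predicate in an in-toto Statement v1 envelope."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:constructed/app", "digest": {"sha256": subject_digest}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {"verdicts": verdicts, "status_counts": status_counts(verdicts),
                      "verdict_ids": [verdict_id(v) for v in verdicts]},
    }
```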