stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/attestor/vex-first-decisioning-pipeline.md

2.9 KiB
Raw Blame History

VEX-First Decisioning Pipeline

Module

Attestor

Status

IMPLEMENTED

Description

VEX-first decision pipeline with override predicates, proof integration, and attestation-backed VEX statements.

Implementation Details

  • VEX Override Predicate Builder: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicateBuilder.cs (with .Build, .Serialize, .WithMethods) -- constructs VEX override predicates with decision, justification, and evidence for the VEX-first pipeline.
  • VEX Override Predicate Parser: VexOverride/VexOverridePredicateParser.cs (with .DecisionValidation, .ExtractMetadata, .FieldValidation, .Helpers, .ParsePredicate, .Validation) -- parses and validates VEX override predicates.
  • VEX Override Decision: VexOverride/VexOverrideDecision.cs -- decision model applied before scanner findings.
  • VEX Override Predicate: VexOverride/VexOverridePredicate.cs -- predicate model for VEX overrides.
  • VEX Proof Integrator: __Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs (with .Helpers, .Metadata) -- integrates proof references into VEX verdicts.
  • VEX Verdict Proof Payload: Generators/VexVerdictProofPayload.cs -- proof-carrying VEX verdict payload.
  • VEX Attestation Predicate: Predicates/VexAttestationPredicate.cs -- attestation predicate for VEX decisions.
  • VEX Predicate: Predicates/VexPredicate.cs -- base VEX predicate model.
  • VEX Verdict Statement: Statements/VexVerdictStatement.cs -- in-toto statement wrapping the VEX verdict.
  • Policy Decision: Predicates/PolicyDecision.cs -- policy decision that may reference VEX overrides.
  • Evidence Reference: VexOverride/EvidenceReference.cs -- evidence supporting the VEX decision.
  • Tool Info: VexOverride/ToolInfo.cs -- tool information for the decision source.
  • Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/VexOverride/

E2E Test Plan

  • Apply a VEX override (not_affected) to a CVE before scanning and verify the override predicate is created with justification and evidence
  • Run the VEX-first pipeline: apply override, then integrate proof via VexProofIntegrator; verify the final verdict carries proof references
  • Build a VexVerdictStatement from the VEX-first pipeline output and verify it is a valid in-toto attestation
  • Override a CVE as not_affected, then receive a scanner finding for the same CVE; verify the VEX override takes precedence
  • Apply multiple VEX overrides and verify each generates a separate VexOverridePredicate with independent evidence
  • Parse a VEX override predicate and verify all decision fields, justification, and evidence references are correctly extracted
  • Verify VEX-first with proof: create an override backed by backport proof and verify VexVerdictProofPayload references the proof
  • Create a VEX override without required justification and verify validation rejects it