VEX Integration with Proof-Carrying Verdicts

Module

Attestor

Status

IMPLEMENTED

Description

VEX verdicts carry cryptographic proof references (proof_ref, proof_method, proof_confidence, evidence_summary). ProofAwareVexGenerator in Scanner orchestrates the end-to-end flow: the scanner detects a CVE, BackportProofService generates a proof, and VexProofIntegrator embeds the proof metadata in the VEX verdict.

Implementation Details

  • VEX Proof Integrator: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs (with .Helpers, .Metadata) -- embeds proof metadata (proof_ref, proof_method, proof_confidence) into VEX verdicts, linking verdicts to cryptographic evidence.
  • VEX Verdict Proof Payload: Generators/VexVerdictProofPayload.cs -- payload containing the VEX verdict with embedded proof references and evidence summary.
  • Backport Proof Generator: Generators/BackportProofGenerator.cs (with .CombineEvidence, .Confidence, .Status, .Tier1, .Tier2, .Tier3, .Tier3Signature, .Tier4, .VulnerableUnknown) -- generates multi-tier confidence-scored backport proofs that are referenced by VEX verdicts.
  • Evidence Summary: Generators/EvidenceSummary.cs -- summary of evidence items supporting the VEX verdict (proof count, confidence range, evidence types).
  • VEX Attestation Predicate: Predicates/VexAttestationPredicate.cs -- attestation predicate with proof-carrying verdict data.
  • VEX Verdict Summary: Predicates/VexVerdictSummary.cs -- summary of proof-carrying VEX verdicts.
  • VEX Verdict ID: Identifiers/VexVerdictId.cs -- content-addressed ID for the proof-carrying verdict.
  • Binary Fingerprint Evidence Generator: Generators/BinaryFingerprintEvidenceGenerator.cs (with .Helpers) -- generates binary fingerprint evidence used as proof for VEX verdicts.
  • VEX Verdict Statement: Statements/VexVerdictStatement.cs -- in-toto statement wrapping the proof-carrying verdict.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/

E2E Test Plan

  • Generate a backport proof via BackportProofGenerator.Tier1 (exact version match) with confidence 0.98 and verify the proof payload is created
  • Embed the proof into a VEX verdict via VexProofIntegrator and verify the verdict contains proof_ref, proof_method="backport_tier1", and proof_confidence=0.98
  • Generate a Tier3 proof (signature-based) and embed it in a VEX verdict; verify proof_method="backport_tier3_signature" and that proof_confidence falls in the range 0.80-0.90
  • Verify EvidenceSummary reports correct counts: create a verdict with 3 evidence items and verify the summary has count=3
  • Create a proof-carrying VEX verdict for a not_affected CVE and verify the proof_ref points to a valid content-addressed proof bundle
  • Generate a VexVerdictId from the proof-carrying verdict and verify it is deterministic
  • Build a VexVerdictStatement with proof references and verify it is a valid in-toto statement
  • Create a VEX verdict without proof and verify that proof_ref is null and proof_confidence is 0, indicating no proof backing
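
Consumer-side checks matching the test plan above, as an added example in Python rather than the project's own C# code: it recomputes the content address behind proof_ref, compares proof_method and the evidence count against the bundle, and treats a null proof_ref with confidence 0 as unproven. The canonical JSON form, the sha256: reference format, the bundle fields (method, evidence, cve) and the sample data are assumptions made for illustration.

```python
import hashlib
import json

def canonical(obj):
    # Assumed canonical form: sorted keys, compact separators, UTF-8.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def content_id(obj):
    # Content address: the same logical object always yields the same ID.
    return "sha256:" + hashlib.sha256(canonical(obj)).hexdigest()

# Confidence band the test plan states for signature-based Tier3 proofs.
METHOD_BANDS = {"backport_tier3_signature": (0.80, 0.90)}

def check_verdict(verdict, bundles):
    """Return (state, problems); state is 'unproven', 'proven' or 'invalid'."""
    ref = verdict.get("proof_ref")
    conf = verdict.get("proof_confidence") or 0
    if ref is None:
        # No proof backing: confidence must be 0 and nothing else is checked.
        return ("unproven", []) if conf == 0 else ("invalid", ["confidence without proof_ref"])
    problems = []
    bundle = bundles.get(ref)
    if bundle is None:
        problems.append("proof_ref does not resolve")
    elif content_id(bundle) != ref:
        problems.append("bundle digest does not match proof_ref")
    else:
        if bundle.get("method") != verdict.get("proof_method"):
            problems.append("proof_method differs from bundle")
        count = (verdict.get("evidence_summary") or {}).get("count")
        if count != len(bundle.get("evidence", [])):
            problems.append("evidence_summary count differs from bundle")
    lo, hi = METHOD_BANDS.get(verdict.get("proof_method"), (0.0, 1.0))
    if not lo <= conf <= hi:
        problems.append("proof_confidence outside expected band")
    return ("invalid" if problems else "proven", problems)

# Constructed sample data (hypothetical bundle layout, placeholder CVE id).
BUNDLE = {"method": "backport_tier1", "cve": "CVE-0000-0000",
          "evidence": [{"type": "version_match"}, {"type": "changelog"},
                       {"type": "patch_header"}]}
REF = content_id(BUNDLE)
VERDICT = {"status": "not_affected", "proof_ref": REF,
           "proof_method": "backport_tier1", "proof_confidence": 0.98,
           "evidence_summary": {"count": 3}}
STORE = {REF: BUNDLE}
```

A verdict whose bundle was altered after proof_ref was computed comes back as invalid, so a policy engine can refuse to honour a not_affected claim that no longer matches its evidence.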