git.stella-ops.org/docs/features/unchecked/binaryindex/binary-to-vex-claim-auto-generation.md

# Binary-to-VEX Claim Auto-Generation (VexBridge Library)

## Module

BinaryIndex

## Status

IMPLEMENTED

## Description

Automated generation of VEX claims from binary fingerprint match results. The VexBridge library translates binary match evidence into DSSE-signed VEX statements with confidence scores, enabling automated VEX claim production from binary analysis without manual triage.

## Implementation Details

- Modules: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/`
- Key Classes:
  - `VexEvidenceGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/VexEvidenceGenerator.cs`) - generates VEX observations from `BinaryVulnMatch` results; maps `FixState` to `VexClaimStatus` (Fixed -> NotAffected, Vulnerable -> Affected, Unknown -> UnderInvestigation)
  - `BinaryMatchEvidenceSchema` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/BinaryMatchEvidenceSchema.cs`) - defines the evidence schema with match type constants (BuildId, DeltaSignature, etc.)
  - `VexBridgeOptions` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/VexBridgeOptions.cs`) - configuration for confidence thresholds
  - `DeltaSigVexBridge` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/VexIntegration/DeltaSigVexBridge.cs`) - bridges delta-signature analysis results into VEX observations with provenance data
- Interfaces: `IVexEvidenceGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.VexBridge/IVexEvidenceGenerator.cs`), `IDeltaSigVexBridge`

## E2E Test Plan

- Generate a VEX claim from a Fixed binary match and verify the status is NotAffected with justification VulnerableCodeNotPresent
- Generate a VEX claim from a Vulnerable match and verify the status is Affected
- Generate a VEX claim from an Unknown match and verify the status is UnderInvestigation
- Verify confidence threshold enforcement: low-confidence matches below the threshold are rejected
- Verify Build-ID references are included in VEX evidence when present
- Verify `DeltaSigVexBridge` produces VEX observations with symbol provenance metadata
- Verify generated VEX statements include correct DSSE evidence references
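The following is an added Python sketch (not the project's C# VexBridge code) that walks through the behaviour described in the Implementation Details and exercised by the test plan above: the FixState-to-status mapping, the confidence threshold from `VexBridgeOptions`, the optional Build-ID reference in the evidence, and wrapping the claim in a DSSE envelope using the standard pre-authentication encoding. The class and field names, the 0.8 default threshold, the `application/vnd.openvex+json` payload type, the sample match values and the HMAC-SHA256 signer are all assumptions made for this illustration; the real library's signer, schema and defaults live in the files listed above.

```python
"""Added illustration of a binary-match-to-VEX bridge: status mapping, confidence
threshold, Build-ID evidence and a DSSE envelope. Written for this page, not taken
from StellaOps; names, the default threshold and the HMAC signer are assumptions."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class FixState(Enum):
    FIXED = "Fixed"
    VULNERABLE = "Vulnerable"
    UNKNOWN = "Unknown"


class VexClaimStatus(Enum):
    NOT_AFFECTED = "NotAffected"
    AFFECTED = "Affected"
    UNDER_INVESTIGATION = "UnderInvestigation"


# Mapping stated on the page: Fixed -> NotAffected, Vulnerable -> Affected,
# Unknown -> UnderInvestigation. The Fixed case carries the justification the
# test plan expects; the other two carry none.
STATUS_MAP = {
    FixState.FIXED: (VexClaimStatus.NOT_AFFECTED, "VulnerableCodeNotPresent"),
    FixState.VULNERABLE: (VexClaimStatus.AFFECTED, None),
    FixState.UNKNOWN: (VexClaimStatus.UNDER_INVESTIGATION, None),
}


@dataclass(frozen=True)
class BinaryVulnMatch:
    """Constructed stand-in for a binary fingerprint match result."""
    vuln_id: str
    component: str
    fix_state: FixState
    confidence: float            # 0.0 .. 1.0
    match_type: str              # "BuildId" or "DeltaSignature" (page's constants)
    build_id: Optional[str] = None


@dataclass(frozen=True)
class VexBridgeOptions:
    """Assumed shape of the threshold configuration; 0.8 is a made-up default."""
    min_confidence: float = 0.8


def generate_vex_claim(match: BinaryVulnMatch, opts: VexBridgeOptions) -> Optional[dict]:
    """Return a VEX claim dict, or None when the match falls below the threshold."""
    if match.confidence < opts.min_confidence:
        return None  # low-confidence matches are rejected, not downgraded
    status, justification = STATUS_MAP[match.fix_state]
    claim = {
        "vulnerability": match.vuln_id,
        "product": match.component,
        "status": status.value,
        "evidence": {"matchType": match.match_type, "confidence": match.confidence},
    }
    if justification:
        claim["justification"] = justification
    if match.build_id:  # Build-ID reference is included only when present
        claim["evidence"]["buildId"] = match.build_id
    return claim


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: 'DSSEv1' SP LEN(type) SP type SP LEN(body) SP body."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def dsse_sign(claim: dict, key: bytes, payload_type: str = "application/vnd.openvex+json") -> dict:
    """Wrap the claim in a DSSE envelope. HMAC-SHA256 stands in for a real signer."""
    payload = json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, dsse_pae(payload_type, payload), hashlib.sha256).digest()
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "demo-hmac-key", "sig": base64.b64encode(sig).decode()}],
    }


def dsse_verify(envelope: dict, key: bytes) -> bool:
    """Recompute the PAE over the decoded payload and compare in constant time."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, dsse_pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    return any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope["signatures"])


if __name__ == "__main__":
    # Constructed sample: placeholder CVE id and purl, not real identifiers.
    m = BinaryVulnMatch("CVE-0000-0000", "pkg:generic/example@1.0.0",
                        FixState.FIXED, 0.95, "BuildId", build_id="deadbeef")
    env = dsse_sign(generate_vex_claim(m, VexBridgeOptions()), b"demo-key")
    print(json.dumps(env, indent=2), dsse_verify(env, b"demo-key"))
```

The threshold check runs before the mapping so that a low-confidence match never produces a claim at all; a weak match rendered as NotAffected would suppress a finding, which is the failure mode the threshold test in the plan guards against. The DSSE signature covers the PAE rather than the raw payload, so a verifier that recomputes the PAE also binds the payload type, which prevents the same bytes being reinterpreted under a different content type.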