VEX Evidence Auto-Linking Service (IVexEvidenceLinker)
Module
EvidenceLocker
Status
IMPLEMENTED
Description
Service that auto-links VEX assertions to supporting binary-diff evidence by matching patched findings to VEX entries, storing evidence URIs with confidence scores, and validating DSSE signatures before accepting links.
Implementation Details
- Modules:
  - src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/
  - src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/
- Key Classes:
  - EvidenceBundleRepository (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Repositories/EvidenceBundleRepository.cs) - retrieves evidence bundles for VEX linking
  - EvidenceSignatureService (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/EvidenceSignatureService.cs) - validates DSSE signatures before accepting evidence links
  - EvidenceIdentifiers (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceIdentifiers.cs) - content-addressed identifiers for evidence linking
  - EvidenceBundleMetadata (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceBundleMetadata.cs) - metadata including VEX link references
- Interfaces: IEvidenceBundleRepository, IEvidenceSignatureService
- Source: SPRINT_20260113_003_001_EXCITITOR_vex_evidence_linker.md
E2E Test Plan
- Create a VEX assertion for a patched CVE and verify the service auto-links it to the corresponding binary-diff evidence
- Verify evidence URIs are stored with confidence scores reflecting the match quality
- Verify EvidenceSignatureService validates DSSE signatures on evidence before accepting the link
- Verify VEX entries without matching binary-diff evidence are not linked (no false positives)
- Verify linked evidence is queryable by VEX assertion ID and by CVE identifier
- Verify links are immutable: once created, evidence links cannot be modified without creating a new version
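The behaviour the description and the E2E test plan above call for, as an added, self-contained model written for this page; it is not StellaOps' C# implementation and none of its names are the project's. It verifies the DSSE envelope around each binary-diff bundle (pre-authentication encoding, signature checked against a trusted key set) before anything is linked, scores VEX-to-evidence matches, stores content-addressed links that are immutable and queryable by VEX id and CVE, and drops a tampered bundle and an unmatched VEX entry. Assumptions: HMAC-SHA256 stands in for the project's real signing keys (DSSE is scheme-agnostic, so the envelope handling is unchanged), the payloadType string, the `evidence://sha256/` URI form, the 1.0/0.6 confidence values, and all sample VEX statements and bundles are constructed for the example.

```python
"""Added example: model of a VEX evidence auto-linker (not StellaOps code)."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Optional

EVIDENCE_TYPE = "application/vnd.example.binary-diff+json"  # assumed payloadType


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the bytes that are actually signed."""
    pt = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def dsse_sign(payload_type: str, payload: bytes, keyid: str, key: bytes) -> dict:
    """HMAC-SHA256 over the PAE; stands in for a real asymmetric signer (assumption)."""
    sig = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    return {"payloadType": payload_type,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def dsse_verify(envelope: dict, trusted_keys: dict) -> Optional[bytes]:
    """Return the payload only if some signature verifies under a trusted key, else None."""
    payload = base64.b64decode(envelope["payload"])
    signed = pae(envelope["payloadType"], payload)  # recomputed from the envelope, never trusted
    for s in envelope.get("signatures", []):
        key = trusted_keys.get(s.get("keyid"))
        if key is None:
            continue  # unknown keyid: skip, do not fall back to any other key
        want = hmac.new(key, signed, hashlib.sha256).digest()
        if hmac.compare_digest(want, base64.b64decode(s["sig"])):
            return payload
    return None


def evidence_uri(envelope: dict) -> str:
    """Content-addressed URI: SHA-256 of the canonical envelope JSON (assumed scheme)."""
    raw = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()
    return "evidence://sha256/" + hashlib.sha256(raw).hexdigest()


def match_confidence(vex: dict, evidence: dict) -> float:
    """1.0: same CVE and exact purl. 0.6: same CVE and package, version differs. 0.0: no match."""
    if vex["status"] != "fixed" or vex["vulnerability"] != evidence["cve"]:
        return 0.0  # only patched findings are candidates for binary-diff evidence
    if vex["product"] == evidence["purl"]:
        return 1.0
    if vex["product"].split("@", 1)[0] == evidence["purl"].split("@", 1)[0]:
        return 0.6
    return 0.0


@dataclass(frozen=True)  # frozen: a stored link can never be edited in place
class EvidenceLink:
    vex_id: str
    cve: str
    evidence_uri: str
    confidence: float
    version: int = 1


class EvidenceLinker:
    def __init__(self, trusted_keys: dict, min_confidence: float = 0.5):
        self.trusted_keys = trusted_keys
        self.min_confidence = min_confidence
        self._links: list = []

    def link(self, vex_statements: list, envelopes: list) -> dict:
        out = {"linked": [], "rejected": []}
        for env in envelopes:
            payload = dsse_verify(env, self.trusted_keys)
            if payload is None or env["payloadType"] != EVIDENCE_TYPE:
                out["rejected"].append(evidence_uri(env))  # bad/missing signature: never linked
                continue
            ev = json.loads(payload)
            for vex in vex_statements:
                c = match_confidence(vex, ev)
                if c >= self.min_confidence:
                    lnk = EvidenceLink(vex["id"], vex["vulnerability"], evidence_uri(env), c)
                    self._links.append(lnk)
                    out["linked"].append(lnk)
        return out

    def by_vex(self, vex_id: str) -> list:
        return [l for l in self._links if l.vex_id == vex_id]

    def by_cve(self, cve: str) -> list:
        return [l for l in self._links if l.cve == cve]

    def supersede(self, link: EvidenceLink, **changes) -> EvidenceLink:
        """Changes are recorded as a new version; the original link is kept untouched."""
        new = replace(link, version=link.version + 1, **changes)
        self._links.append(new)
        return new


def demo() -> dict:
    """Constructed sample data: three VEX statements, one valid and one tampered bundle."""
    keys = {"evidence-signer-1": b"constructed-demo-key"}
    good = dsse_sign(EVIDENCE_TYPE, json.dumps({"cve": "CVE-2024-0001",
                     "purl": "pkg:deb/debian/openssl@3.0.11-1",
                     "patched_symbols": ["ssl3_read_bytes"]}).encode(),
                     "evidence-signer-1", keys["evidence-signer-1"])
    tampered = dict(good)  # payload swapped after signing; signature no longer covers it
    tampered["payload"] = base64.b64encode(
        b'{"cve":"CVE-2024-0002","purl":"pkg:deb/debian/zlib@1.3-1"}').decode()
    vex = [{"id": "vex-1", "vulnerability": "CVE-2024-0001", "status": "fixed",
            "product": "pkg:deb/debian/openssl@3.0.11-1"},
           {"id": "vex-2", "vulnerability": "CVE-2024-0002", "status": "fixed",
            "product": "pkg:deb/debian/zlib@1.3-1"},
           {"id": "vex-3", "vulnerability": "CVE-2024-0001", "status": "fixed",
            "product": "pkg:deb/debian/openssl@3.0.10-1"}]
    linker = EvidenceLinker(keys)
    return {"linker": linker, "good": good, **linker.link(vex, [good, tampered])}
```

The order of operations is the point: the signature check happens on the raw envelope before the payload is parsed or matched, so a tampered or unsigned bundle is rejected without ever contributing a link, and `vex-2` stays unlinked because its only candidate evidence failed verification. `supersede` shows the immutability requirement: the original `EvidenceLink` is never mutated, a correction is appended as version 2.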