DSSE-signed reversible decisions (MUTE_REACH, MUTE_VEX, ACK, EXCEPTION)
Module
Policy
Status
IMPLEMENTED
Description
The VEX decision signing service produces DSSE-signed decisions (MUTE_REACH, MUTE_VEX, ACK, EXCEPTION); exception objects model scoped, time-boxed exceptions with evidence requirements. Decisions are reversible because an exception expires or is revoked and the finding is then re-evaluated without it, rather than the signed decision standing indefinitely.
Implementation Details
- VerdictAttestationService:
  - src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs -- signs verdict decisions with DSSE envelopes
  - IVerdictAttestationService interface
  - VerdictPredicate.cs -- verdict predicate for attestation payload
  - VerdictPredicateBuilder.cs -- fluent builder for verdict predicates
  - VerdictReasonCode.cs -- reason codes for verdict decisions
- PolicyDecisionAttestationService:
  - src/Policy/StellaOps.Policy.Engine/Attestation/PolicyDecisionAttestationService.cs -- signs policy decisions
  - IPolicyDecisionAttestationService interface
  - PolicyDecisionPredicate.cs -- decision predicate payload
  - PolicyDecisionAttestationOptions.cs -- signing options
- Exception Objects:
  - src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionObject.cs -- scoped, time-boxed exception model
    - Scope: CVE-level, package-level, or finding-level
    - Time-boxing: ExpiresAt, auto-expire enforcement
    - Evidence requirements: required evidence types per exception
    - Status: Active, Expired, Revoked
- Exception Application:
  - src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionApplication.cs -- tracks when exceptions are applied to findings
- Exception Events:
  - src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionEvent.cs -- audit trail of exception lifecycle events (create, apply, expire, revoke)
- Evidence Hooks:
  - src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/EvidenceHook.cs -- hooks for evidence validation on exception approval
- RecheckPolicy:
  - src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/RecheckPolicy.cs -- recheck policy for exception revalidation
- Exception Evaluator:
  - src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/ExceptionEvaluator.cs -- evaluates exception applicability
- Evidence Requirement Validator:
  - src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs -- validates that evidence requirements are met
- Recheck Evaluation Service:
  - src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/RecheckEvaluationService.cs -- periodic recheck of exception validity
- ExceptionRecheckGate:
  - src/Policy/StellaOps.Policy.Engine/BuildGate/ExceptionRecheckGate.cs -- build gate that rechecks exception validity
- RVA Service:
  - src/Policy/StellaOps.Policy.Engine/Attestation/RvaService.cs -- Risk Verdict Attestation service
  - RvaBuilder.cs -- builds RVA attestations
  - RvaVerifier.cs -- verifies RVA attestation integrity
  - RvaPredicate.cs -- RVA predicate model
E2E Test Plan
- Create an exception with ExpiresAt in the future; verify exception is Active
- Apply exception to a finding; verify DSSE-signed decision envelope is produced
- Verify exception application is recorded in ExceptionEvent audit trail
- Wait for exception expiry; verify ExceptionRecheckGate detects expiration and re-evaluates finding
- Create exception with evidence requirements; verify EvidenceRequirementValidator blocks approval when evidence missing
- Verify signed verdict predicate contains: finding ID, CVE, decision, reason code, timestamp
- Verify PolicyDecisionAttestationService signs decisions with correct predicate payload
- Revoke an active exception; verify finding is re-evaluated without exception
- Run RecheckEvaluationService; verify exceptions past recheck policy interval are revalidated
- Verify RvaService builds and verifies Risk Verdict Attestation with scoring determinism
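The following is an added example, not code from the StellaOps repository, that walks through the mechanics the Implementation Details and the E2E Test Plan above describe: a verdict predicate carrying finding ID, CVE, decision, reason code and timestamp is wrapped in a DSSE envelope and signed over the DSSE Pre-Authentication Encoding (PAE), an exception object carries scope, ExpiresAt and required evidence types, application is refused while evidence is missing, and a gate-time recheck verifies the signature and re-tests expiry from the signed payload rather than from stored state. The payload type, field names and the HMAC-SHA256 signer are assumptions for the demonstration (the real service uses an asymmetric DSSE signer); the key, finding and exception data are constructed.

```python
"""Added example (not StellaOps code): a verdict predicate signed as a DSSE
envelope, an exception object with scope, expiry and evidence requirements,
and a recheck that re-derives status from the signed payload at gate time.
HMAC-SHA256 stands in for the project's asymmetric DSSE signer."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

PAYLOAD_TYPE = "application/vnd.example.verdict+json"  # assumed predicate type


def pae(payload_type: str, body: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d " % (len(t), t, len(body)) + body


def sign_envelope(predicate: dict, key: bytes, keyid: str) -> dict:
    body = json.dumps(predicate, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, body), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(body).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def verify_envelope(env: dict, key: bytes):
    """Return the predicate if some signature verifies over the PAE, else None."""
    body = base64.b64decode(env["payload"])
    expected = hmac.new(key, pae(env["payloadType"], body), hashlib.sha256).digest()
    for s in env["signatures"]:
        if hmac.compare_digest(base64.b64decode(s["sig"]), expected):
            return json.loads(body)
    return None


@dataclass
class ExceptionObject:
    exception_id: str
    scope_kind: str            # "cve" | "package" | "finding_id"
    scope_value: str
    decision: str              # MUTE_REACH | MUTE_VEX | ACK | EXCEPTION
    reason_code: str
    expires_at: datetime
    required_evidence: set     # evidence types that must be attached
    evidence: dict = field(default_factory=dict)
    revoked: bool = False

    def status(self, now: datetime) -> str:
        if self.revoked:
            return "Revoked"
        return "Expired" if now >= self.expires_at else "Active"

    def missing_evidence(self) -> set:
        return self.required_evidence - set(self.evidence)


def apply_exception(exc: ExceptionObject, finding: dict, now: datetime,
                    key: bytes, keyid: str):
    """Return (outcome, envelope); only an Active, evidenced, in-scope
    exception yields a signed decision."""
    st = exc.status(now)
    if st != "Active":
        return st, None
    if exc.missing_evidence():
        return "EvidenceMissing", None
    if finding.get(exc.scope_kind) != exc.scope_value:
        return "OutOfScope", None
    predicate = {"findingId": finding["finding_id"], "cve": finding["cve"],
                 "decision": exc.decision, "reasonCode": exc.reason_code,
                 "exceptionId": exc.exception_id,
                 "expiresAt": exc.expires_at.isoformat(),
                 "timestamp": now.isoformat()}
    return "Applied", sign_envelope(predicate, key, keyid)


def recheck(env: dict, key: bytes, now: datetime) -> str:
    """Gate-time recheck: trust only the signed payload, then re-test expiry."""
    pred = verify_envelope(env, key)
    if pred is None:
        return "InvalidSignature"
    if now >= datetime.fromisoformat(pred["expiresAt"]):
        return "Expired"
    return "Active"


# Constructed sample data for the demonstration.
KEY, KEYID = b"demo-signing-key", "policy-engine-key-1"
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
FINDING = {"finding_id": "f-123", "cve": "CVE-2024-0001",
           "package": "pkg:npm/left-pad@1.0.0"}


def demo() -> dict:
    exc = ExceptionObject("exc-1", "cve", "CVE-2024-0001", "MUTE_REACH",
                          "NOT_REACHABLE",
                          expires_at=datetime(2025, 1, 31, tzinfo=timezone.utc),
                          required_evidence={"reachability-analysis"})
    blocked, _ = apply_exception(exc, FINDING, T0, KEY, KEYID)  # no evidence yet
    exc.evidence["reachability-analysis"] = "sha256:deadbeef"   # constructed ref
    outcome, env = apply_exception(exc, FINDING, T0, KEY, KEYID)
    tampered = dict(env, payload=base64.b64encode(
        json.dumps({"decision": "ACK"}).encode()).decode())  # payload swapped
    return {"blocked": blocked, "outcome": outcome,
            "pred": verify_envelope(env, KEY),
            "tampered": recheck(tampered, KEY, T0),
            "jan15": recheck(env, KEY, datetime(2025, 1, 15, tzinfo=timezone.utc)),
            "feb1": recheck(env, KEY, datetime(2025, 2, 1, tzinfo=timezone.utc))}
```

The point the example makes is that the gate never consults the exception's stored Status field: it verifies the envelope, reads ExpiresAt from the signed predicate, and compares against the current time, so a decision that was valid when signed is rejected once the exception has expired, and a payload swap after signing fails verification.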