git.stella-ops.org/docs/features/unchecked/policy/evidence-requirement-validation-for-exceptions.md

Evidence Requirement Validation for Exceptions

Module: Policy

Status: IMPLEMENTED

Description

Validates that exceptions include required evidence (attestation IDs, VEX notes, reachability proofs) before approval.

Implementation Details

  • EvidenceRequirementValidator: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs
    • Validates that all required evidence is present before an exception can be approved
    • Checks: attestation IDs, VEX notes, reachability proofs, security review evidence
    • Evidence freshness validation: evidence age is compared against the hook's MaxAge threshold
    • Trust score validation: evidence is accepted only at or above the configured minimum score
    • DSSE signature verification: verifies the signature on evidence that must be DSSE-signed
    • Returns a detailed validation result with per-requirement status
  • ExceptionObject: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionObject.cs -- exception model with evidence requirements
    • Required evidence types defined per exception scope
    • Scopes: CVE-level, package-level, finding-level
  • EvidenceHook: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/EvidenceHook.cs -- evidence hook configuration
    • Mandatory flag, MaxAge, trust score threshold, DSSE requirement
  • ExceptionEvaluator: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/ExceptionEvaluator.cs -- evaluates exception applicability with evidence checks
  • ExceptionApplication: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionApplication.cs -- tracks exception applications with evidence snapshot
  • Exception Repositories: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Repositories/ -- persistence for exceptions and evidence
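The validation path described above, written out as an added C# illustration rather than code from the StellaOps repository: each hook carries the Mandatory flag, MaxAge, trust score threshold and DSSE requirement, and the validator returns one result per requirement so an approver can see exactly which one failed. All type and member names here (EvidenceKind, EvidenceItem, RequirementResult, Validate, IsApprovable) are assumptions, and DSSE verification is represented by a pre-computed flag rather than a real signature check.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Hypothetical names for illustration; the real StellaOps types are not reproduced here.
public enum EvidenceKind { AttestationId, VexNote, ReachabilityProof, SecurityReview }
// Mirrors the EvidenceHook fields listed above: Mandatory flag, MaxAge, trust score threshold, DSSE requirement.
public sealed record EvidenceHook(EvidenceKind Kind, bool Mandatory, TimeSpan MaxAge, double MinTrustScore, bool RequireDsse);
// Evidence attached to an exception; DsseVerified stands in for the outcome of real DSSE signature verification.
public sealed record EvidenceItem(EvidenceKind Kind, DateTimeOffset IssuedAt, double TrustScore, bool DsseVerified);
public sealed record RequirementResult(EvidenceKind Kind, bool Satisfied, string Reason);

public static class EvidenceRequirementValidatorExample
{
    // One result per hook, so the approver sees exactly which requirement blocked the exception.
    public static IReadOnlyList<RequirementResult> Validate(
        IEnumerable<EvidenceHook> hooks, IEnumerable<EvidenceItem> evidence, DateTimeOffset now)
    {
        var byKind = evidence.ToLookup(e => e.Kind);
        var results = new List<RequirementResult>();
        foreach (var hook in hooks)
        {
            // Judge the newest item of the required kind; an older duplicate never rescues a stale requirement.
            var item = byKind[hook.Kind].OrderByDescending(e => e.IssuedAt).FirstOrDefault();
            if (item is null)
                results.Add(new(hook.Kind, !hook.Mandatory, hook.Mandatory ? "missing" : "optional, not provided"));
            else if (now - item.IssuedAt > hook.MaxAge)
                results.Add(new(hook.Kind, false, $"stale: older than MaxAge {hook.MaxAge}"));
            else if (item.TrustScore < hook.MinTrustScore)
                results.Add(new(hook.Kind, false, $"trust score {item.TrustScore} below minimum {hook.MinTrustScore}"));
            else if (hook.RequireDsse && !item.DsseVerified)
                results.Add(new(hook.Kind, false, "DSSE signature missing or failed verification"));
            else
                results.Add(new(hook.Kind, true, "ok"));
        }
        return results;
    }
    public static bool IsApprovable(IReadOnlyList<RequirementResult> results) => results.All(r => r.Satisfied);
    public static void Main()
    {
        var now = new DateTimeOffset(2025, 1, 15, 0, 0, 0, TimeSpan.Zero); // constructed clock for a reproducible run
        var hooks = new[] { new EvidenceHook(EvidenceKind.AttestationId, true, TimeSpan.FromDays(30), 0.8, true),
                            new EvidenceHook(EvidenceKind.VexNote, true, TimeSpan.FromDays(7), 0.5, false) };
        var evidence = new[] { new EvidenceItem(EvidenceKind.AttestationId, now.AddDays(-2), 0.9, true),   // constructed: fresh, signed
                               new EvidenceItem(EvidenceKind.VexNote, now.AddDays(-10), 0.7, false) }; // constructed: 10 days old, past MaxAge
        var results = Validate(hooks, evidence, now);
        foreach (var r in results)
            Console.WriteLine($"{r.Kind}: {(r.Satisfied ? "pass" : "FAIL")} ({r.Reason})");
        Console.WriteLine($"approvable: {IsApprovable(results)}");
    }
}
```

The sample data exercises the freshness branch from the test plan: the attestation satisfies its hook, the VEX note exceeds its MaxAge, and the exception is therefore not approvable.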

E2E Test Plan

  • Create exception requiring attestation ID; verify validation fails when attestation ID is missing
  • Create exception requiring VEX note; provide valid VEX note; verify validation passes
  • Create exception requiring reachability proof; provide proof; verify validation passes
  • Validate evidence with expired MaxAge; verify freshness check fails
  • Validate evidence with trust score below minimum; verify trust check fails
  • Create exception with multiple required evidence types; provide all; verify validation passes
  • Create exception with multiple required evidence types; omit one; verify validation fails with specific missing requirement
  • Verify ExceptionApplication records the evidence snapshot at time of application
  • Verify exception evaluator checks evidence requirements before determining applicability