stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/scanner/claim-id-generator-for-static-runtime-linkage.md

2.3 KiB
Raw Blame History

Claim ID Generator for Static-Runtime Linkage

Module

Scanner

Status

IMPLEMENTED

Description

Deterministic claim ID generator using format claim:<artifact-digest>:<path-hash> to link runtime observations to static reachability claims, with ObservationType enum (Static/Runtime/Confirmed).

Implementation Details

  • Claim ID Generator:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ClaimIdGenerator.cs - Generates deterministic claim IDs in claim:<artifact-digest>:<path-hash> format
  • Observation Type:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ObservationType.cs - ObservationType enum (Static/Runtime/Confirmed)
  • Path Witness Integration:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs - PathWitness model carries claim IDs for static-runtime linkage
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitnessBuilder.cs - Builder sets claim IDs during witness construction
  • Runtime Witness:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeWitnessRequest.cs - Runtime witness request carrying claim IDs
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeWitnessPredicateTypes.cs - Predicate types for runtime witnesses
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IRuntimeWitnessGenerator.cs - Interface for runtime witness generation
  • Claim Verification:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/FunctionMap/Verification/ClaimVerifier.cs - Verifies claim IDs match between static and runtime evidence
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/FunctionMap/Verification/IClaimVerifier.cs - Interface

E2E Test Plan

  • Scan an image and verify claim IDs are generated in claim:<artifact-digest>:<path-hash> format for each reachability path
  • Verify the same scan produces identical claim IDs deterministically
  • Submit runtime observation data with claim IDs and verify linkage to static reachability claims
  • Verify ClaimVerifier validates matching claim IDs between static and runtime evidence
  • Verify ObservationType transitions from Static to Confirmed when runtime evidence matches
  • Verify mismatched claim IDs are rejected by the verifier with appropriate error