git.stella-ops.org/docs/features/unchecked/scanner/falsification-conditions-per-finding.md

Falsification Conditions Per Finding

Module: Scanner

Status: IMPLEMENTED

Description

Each vulnerability finding includes falsification conditions -- specific criteria that would disprove the finding, enabling evidence-based triage and automatic dismissal when conditions are met.

Implementation Details

  • Core Models:
    • src/Scanner/__Libraries/StellaOps.Scanner.Core/Models/FalsificationConditions.cs - Falsification conditions model attached to findings
  • Falsifiability Generation:
    • src/Scanner/__Libraries/StellaOps.Scanner.Explainability/Falsifiability/FalsifiabilityGenerator.cs - Generates falsification criteria per finding
    • src/Scanner/__Libraries/StellaOps.Scanner.Explainability/Falsifiability/FalsifiabilityCriteria.cs - Criteria model defining what would disprove a finding
  • DSSE Integration:
    • src/Scanner/__Libraries/StellaOps.Scanner.Explainability/Dsse/ExplainabilityPredicateSerializer.cs - Serializes falsification conditions in DSSE predicates

E2E Test Plan

  • Scan an image and verify vulnerability findings include falsification conditions
  • Verify falsification criteria specify concrete conditions (e.g., "function X is not called", "package Y is not in runtime classpath")
  • Verify automatic dismissal occurs when falsification conditions are met by evidence (e.g., reachability proves function is unreachable)
  • Verify falsification conditions are serialized in explainability predicates
  • Verify triage UI displays falsification conditions to help analysts evaluate findings
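The following is an added illustration of the flow that the Description and the E2E Test Plan describe; it is not StellaOps code (the project's own models are the C# files listed under Implementation Details). It attaches falsification conditions of the two kinds named in the test plan to a finding, evaluates them against collected evidence so that a condition is only "met" on positive evidence (absence of data never dismisses anything), and serializes the result as a deterministic predicate payload. The condition kinds, the `Evidence` fields, the sample finding `EXAMPLE-0001` with package `example-lib`, and the predicate field names are constructed assumptions, as is the rule that any single condition met with evidence is sufficient to disprove the finding.

```python
"""Illustrative model of falsification conditions on a vulnerability finding.
Added example, not StellaOps code; all names and sample data are constructed."""
from dataclasses import dataclass, field
from enum import Enum
import json


class ConditionKind(str, Enum):
    # Constructed kinds mirroring the criteria named in the E2E test plan.
    FUNCTION_NOT_CALLED = "function_not_called"
    PACKAGE_NOT_ON_RUNTIME_CLASSPATH = "package_not_on_runtime_classpath"


@dataclass(frozen=True)
class FalsificationCondition:
    kind: ConditionKind
    subject: str       # function symbol or package name the condition is about
    description: str   # human-readable statement shown to analysts


@dataclass(frozen=True)
class Evidence:
    """Evidence gathered by scan analyses (constructed shape for this example)."""
    unreachable_functions: frozenset = frozenset()  # proven unreachable
    reachable_functions: frozenset = frozenset()    # proven reachable
    runtime_classpath: frozenset = frozenset()      # packages on the classpath
    classpath_resolved: bool = False                # False => classpath unknown


@dataclass
class Finding:
    vuln_id: str
    package: str
    conditions: tuple
    status: str = "open"
    evaluations: list = field(default_factory=list)


def evaluate_condition(cond, evidence):
    """Return (met, reason). A condition counts as met only on positive
    evidence; missing evidence leaves it unmet so nothing is dismissed blindly."""
    if cond.kind is ConditionKind.FUNCTION_NOT_CALLED:
        if cond.subject in evidence.unreachable_functions:
            return True, f"reachability analysis proves {cond.subject} unreachable"
        if cond.subject in evidence.reachable_functions:
            return False, f"{cond.subject} is reachable"
        return False, f"no reachability evidence for {cond.subject}"
    if cond.kind is ConditionKind.PACKAGE_NOT_ON_RUNTIME_CLASSPATH:
        if not evidence.classpath_resolved:
            return False, "runtime classpath was not resolved"
        if cond.subject not in evidence.runtime_classpath:
            return True, f"{cond.subject} is absent from the resolved runtime classpath"
        return False, f"{cond.subject} is on the runtime classpath"
    return False, f"unsupported condition kind {cond.kind}"


def triage(finding, evidence):
    """Evaluate every condition and dismiss the finding when at least one is met
    (assumption: each condition is by itself a sufficient disproof)."""
    finding.evaluations = []
    for cond in finding.conditions:
        met, reason = evaluate_condition(cond, evidence)
        finding.evaluations.append(
            {"kind": cond.kind.value, "subject": cond.subject, "met": met, "reason": reason})
    finding.status = "dismissed" if any(e["met"] for e in finding.evaluations) else "open"
    return finding.status


def to_predicate(finding):
    """Deterministic JSON payload (sorted keys, no whitespace) suitable for
    embedding as a predicate; field names are constructed, not a real schema."""
    payload = {
        "vulnId": finding.vuln_id,
        "package": finding.package,
        "status": finding.status,
        "falsificationConditions": [
            {"kind": c.kind.value, "subject": c.subject, "description": c.description}
            for c in finding.conditions],
        "evaluations": finding.evaluations,
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def example_finding():
    # Constructed sample finding with one condition of each kind.
    return Finding(
        vuln_id="EXAMPLE-0001", package="example-lib",
        conditions=(
            FalsificationCondition(ConditionKind.FUNCTION_NOT_CALLED,
                                   "example_lib.parse_header",
                                   "function example_lib.parse_header is not called"),
            FalsificationCondition(ConditionKind.PACKAGE_NOT_ON_RUNTIME_CLASSPATH,
                                   "example-lib",
                                   "package example-lib is not in the runtime classpath"),
        ))


if __name__ == "__main__":
    f = example_finding()
    print(triage(f, Evidence()))  # no evidence: stays open
    print(triage(f, Evidence(unreachable_functions=frozenset({"example_lib.parse_header"}))))
    print(to_predicate(f))
```

The point worth carrying into a real implementation is the three-way outcome inside `evaluate_condition`: a condition is met, refuted, or simply unevaluable because the analysis that could decide it never ran. Only the first outcome may drive automatic dismissal; the other two keep the finding open and record why, so the triage UI can show an analyst exactly which evidence is still missing.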