Reachability Slice DSSE Predicate (Attestable Minimal Subgraph)
Module: Scanner
Status: IMPLEMENTED
Description
Defines attestable reachability slices as DSSE predicates (stellaops.dev/predicates/reachability-slice@v1) containing minimal subgraphs for specific CVE queries. Includes slice extraction from full call graphs, DSSE signing with CAS storage, and verdict computation (reachable/unreachable/unknown with confidence scores).
Implementation Details
- Slice Extraction:
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceExtractor.cs - SliceExtractor extracts minimal subgraphs from full call graphs for specific CVE queries
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceModels.cs - Models for reachability slices, including the verdict (reachable/unreachable/unknown) with confidence scores
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceSchema.cs - Schema definition for the stellaops.dev/predicates/reachability-slice@v1 predicate
- DSSE Signing:
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceDsseSigner.cs - SliceDsseSigner signs reachability slices as DSSE predicates
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceHasher.cs - SliceHasher computes content-addressed hashes for slice integrity
- CAS Storage:
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceCasStorage.cs - SliceCasStorage provides content-addressable storage for DSSE-signed reachability slices
- Policy Binding:
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/PolicyBinding.cs - Policy version binding for slices
- Observed Path Slices:
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/ObservedPathSliceGenerator.cs - Generates slices from runtime-observed paths
- Diff Computation:
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceDiffComputer.cs - Computes diffs between slice versions
E2E Test Plan
- Extract a reachability slice for a specific CVE and verify it contains the minimal subgraph (entrypoint to vulnerable function)
- Verify the slice is signed as a DSSE predicate with the stellaops.dev/predicates/reachability-slice@v1 type
- Verify the slice includes a verdict (reachable/unreachable/unknown) with a confidence score
- Verify DSSE signature verification passes for a correctly signed slice
- Verify CAS storage correctly stores and retrieves slices by content address
- Verify slice diff computation identifies changes between two slice versions for the same CVE
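The following is an added, self-contained Python walkthrough of the pipeline the implementation details and test plan above describe: extract the minimal entrypoint-to-vulnerable-function subgraph from a call graph, derive a verdict with a confidence score, wrap the slice in a DSSE envelope under the stellaops.dev/predicates/reachability-slice@v1 predicate type, store and retrieve it by content address, and diff two slice versions. It is illustrative code, not the StellaOps.Scanner.Reachability implementation. The call graph, the edge-kind confidence weights, the 0.95 "unreachable" confidence and the CVE-PLACEHOLDER identifier are all constructed for the example; HMAC-SHA256 stands in for the project's key-based DSSE signer, but the pre-authentication encoding and envelope layout follow the DSSE specification.

```python
import base64
import hashlib
import hmac
import json
from collections import deque

PREDICATE_TYPE = "stellaops.dev/predicates/reachability-slice@v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed call graph: caller -> {callee: edge kind}. The edge kind records
# how the edge was resolved; the weights below are a constructed policy.
CALL_GRAPH = {
    "app.Main": {"app.Handler.Serve": "direct", "app.Metrics.Flush": "direct"},
    "app.Handler.Serve": {"lib.Parser.Parse": "direct", "app.Auth.Check": "direct"},
    "lib.Parser.Parse": {"lib.Inflate.Decompress": "virtual"},
    "lib.Legacy.Old": {"lib.Inflate.Decompress": "direct"},  # no caller from any entrypoint
}
EDGE_CONFIDENCE = {"direct": 1.0, "virtual": 0.7}
UNREACHABLE_CONFIDENCE = 0.95  # static graphs can miss reflective/dynamic edges


def _nodes(graph):
    return set(graph) | {callee for callees in graph.values() for callee in callees}


def _shortest_path(graph, entrypoint, target):
    """BFS from one entrypoint; returns the node list of a shortest path or None."""
    parents = {entrypoint: None}
    queue = deque([entrypoint])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for callee in graph.get(node, {}):
            if callee not in parents:
                parents[callee] = node
                queue.append(callee)
    return None


def extract_slice(graph, entrypoints, cve_id, vulnerable_symbol):
    """Minimal subgraph (one shortest entrypoint->vulnerable path) plus verdict."""
    predicate = {"cve": cve_id, "vulnerableSymbol": vulnerable_symbol,
                 "entrypoints": list(entrypoints), "nodes": [], "edges": []}
    if vulnerable_symbol not in _nodes(graph):
        # Symbol absent from the graph: the analysis cannot say anything either way.
        predicate.update(verdict="unknown", confidence=0.0)
        return predicate
    paths = [p for p in (_shortest_path(graph, e, vulnerable_symbol) for e in entrypoints) if p]
    if not paths:
        predicate.update(verdict="unreachable", confidence=UNREACHABLE_CONFIDENCE)
        return predicate
    path = min(paths, key=len)
    edges = [{"from": a, "to": b, "kind": graph[a][b]} for a, b in zip(path, path[1:])]
    confidence = 1.0
    for edge in edges:  # weakest-link style: multiply per-edge evidence weights
        confidence *= EDGE_CONFIDENCE[edge["kind"]]
    predicate.update(nodes=path, edges=edges, verdict="reachable", confidence=round(confidence, 3))
    return predicate


def _canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _pae(payload_type, payload):
    # DSSE pre-authentication encoding: "DSSEv1 <len> <type> <len> <payload>".
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def sign_slice(predicate, subject_name, subject_sha256, key, keyid):
    """Wrap the slice in an in-toto statement and sign it as a DSSE envelope (HMAC stand-in)."""
    statement = {"_type": "https://in-toto.io/Statement/v1",
                 "subject": [{"name": subject_name, "digest": {"sha256": subject_sha256}}],
                 "predicateType": PREDICATE_TYPE, "predicate": predicate}
    payload = _canonical(statement)
    sig = hmac.new(key, _pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def verify_envelope(envelope, key, keyid):
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, _pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    return any(s["keyid"] == keyid and hmac.compare_digest(base64.b64decode(s["sig"]), expected)
               for s in envelope["signatures"])


class SliceCas:
    """Content-addressed store: the address is the SHA-256 of the canonical envelope."""
    def __init__(self):
        self._blobs = {}

    def put(self, envelope):
        blob = _canonical(envelope)
        address = "sha256:" + hashlib.sha256(blob).hexdigest()
        self._blobs[address] = blob
        return address

    def get(self, address):
        blob = self._blobs[address]
        if "sha256:" + hashlib.sha256(blob).hexdigest() != address:
            raise ValueError("CAS blob does not match its address")
        return json.loads(blob)


def diff_slices(old, new):
    """Changes between two slice versions for the same CVE."""
    return {"addedNodes": sorted(set(new["nodes"]) - set(old["nodes"])),
            "removedNodes": sorted(set(old["nodes"]) - set(new["nodes"])),
            "verdictChanged": old["verdict"] != new["verdict"]}
```

The three verdict cases map to three distinct situations: the vulnerable symbol is on a path from an entrypoint (reachable, confidence reduced by every edge that was only resolved heuristically), the symbol is in the graph but no entrypoint reaches it (unreachable, capped below 1.0 because a static call graph may be incomplete), or the symbol is not in the graph at all (unknown, which a policy should not treat as unreachable). Because the CAS address is the hash of the signed envelope rather than of the bare predicate, a retrieved slice can be re-verified before its verdict is trusted.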