# Reachability Slice DSSE Predicate (Attestable Minimal Subgraph)

## Module

Scanner

## Status

IMPLEMENTED

## Description

Defines attestable reachability slices as DSSE predicates (`stellaops.dev/predicates/reachability-slice@v1`) containing minimal subgraphs for specific CVE queries. Includes slice extraction from full call graphs, DSSE signing with CAS storage, and verdict computation (reachable/unreachable/unknown with confidence scores).

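The pipeline the description outlines (minimal-subgraph extraction, verdict with confidence, an in-toto statement carrying the `stellaops.dev/predicates/reachability-slice@v1` predicate inside a DSSE envelope, and signature verification), as an added Python example that is not StellaOps code: the sample call graph, the static/dynamic edge kinds, the confidence rule and the HMAC-SHA256 signer are constructed assumptions standing in for the real `SliceExtractor` and `SliceDsseSigner`.

```python
import base64, hashlib, hmac, json
PREDICATE_TYPE = "stellaops.dev/predicates/reachability-slice@v1"
CALL_GRAPH = {  # constructed sample: caller -> [(callee, edge kind)]; not project data
    "Program.Main": [("Api.Handle", "static"), ("Util.Log", "static")],
    "Api.Handle": [("Parser.Parse", "static"), ("Plugin.Load", "dynamic")],
    "Parser.Parse": [("Vuln.Decompress", "static")],
    "Plugin.Load": [("Vuln.Decompress", "dynamic")],
    "Dead.Code": [("Vuln.Decompress", "static")],  # calls the sink, but no entrypoint reaches it
}

def _reach(adj, starts, kinds=("static", "dynamic")):  # DFS over edges whose kind is in kinds
    seen, stack = set(), list(starts)
    while stack:
        n = stack.pop()
        seen.add(n)
        stack.extend(b for b, k in adj.get(n, []) if k in kinds and b not in seen)
    return seen

def extract_slice(graph, entrypoints, vulnerable_fn):  # minimal subgraph of entrypoint -> sink paths, plus verdict
    rev = {}  # reversed graph, same shape, for the backward walk from the sink
    for a, es in graph.items():
        for b, k in es:
            rev.setdefault(b, []).append((a, k))
    keep = _reach(graph, entrypoints) & _reach(rev, [vulnerable_fn])
    if vulnerable_fn not in keep:  # "unknown" when the sink symbol was never resolved in the graph at all
        known = vulnerable_fn in graph or vulnerable_fn in rev
        return {"nodes": [], "edges": [], "verdict": "unreachable" if known else "unknown", "confidence": float(known)}
    edges = [[a, b, k] for a, es in graph.items() if a in keep for b, k in es if b in keep]
    # assumption: a purely static path is high confidence; a path that needs dynamic dispatch is weaker
    confidence = 1.0 if vulnerable_fn in _reach(graph, entrypoints, ("static",)) else 0.6
    return {"nodes": sorted(keep), "edges": sorted(edges), "verdict": "reachable", "confidence": confidence}

def pae(payload_type, payload):
    t = payload_type.encode()  # DSSE pre-authentication encoding: this, not the raw payload, is signed
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def sign_slice(slice_, cve_id, key):  # HMAC-SHA256 stands in for the real key-based signer
    stmt = {"_type": "https://in-toto.io/Statement/v1", "subject": [{"name": cve_id}],
            "predicateType": PREDICATE_TYPE, "predicate": slice_}
    payload = json.dumps(stmt, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae("application/vnd.in-toto+json", payload), hashlib.sha256).digest()
    return {"payloadType": "application/vnd.in-toto+json", "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo-key", "sig": base64.b64encode(sig).decode()}]}

def verify_envelope(env, key):  # returns the decoded statement if a signature verifies, else None
    payload = base64.b64decode(env["payload"])
    want = hmac.new(key, pae(env["payloadType"], payload), hashlib.sha256).digest()
    ok = any(hmac.compare_digest(want, base64.b64decode(s["sig"])) for s in env["signatures"])
    return json.loads(payload) if ok else None
```

`Dead.Code` calls the sink but is never reached from an entrypoint, so it is dropped from the slice; that omission is what makes the subgraph minimal rather than a plain backward closure.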
## Implementation Details

- **Slice Extraction**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceExtractor.cs` - `SliceExtractor` extracts minimal subgraphs from full call graphs for specific CVE queries
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceModels.cs` - Models for reachability slices, including the verdict (reachable/unreachable/unknown) with confidence scores
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceSchema.cs` - Schema definition for the `stellaops.dev/predicates/reachability-slice@v1` predicate
- **DSSE Signing**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceDsseSigner.cs` - `SliceDsseSigner` signs reachability slices as DSSE predicates
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceHasher.cs` - `SliceHasher` computes content-addressed hashes for slice integrity
- **CAS Storage**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceCasStorage.cs` - `SliceCasStorage` provides content-addressable storage for DSSE-signed reachability slices
- **Policy Binding**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/PolicyBinding.cs` - Policy version binding for slices
- **Observed Path Slices**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/ObservedPathSliceGenerator.cs` - Generates slices from runtime-observed paths
- **Diff Computation**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceDiffComputer.cs` - Computes diffs between slice versions

## E2E Test Plan

- [ ] Extract a reachability slice for a specific CVE and verify it contains the minimal subgraph (entrypoint to vulnerable function)
- [ ] Verify the slice is signed as a DSSE predicate with the `stellaops.dev/predicates/reachability-slice@v1` type
- [ ] Verify the slice includes a verdict (reachable/unreachable/unknown) with a confidence score
- [ ] Verify DSSE signature verification passes for a correctly signed slice
- [ ] Verify CAS storage correctly stores and retrieves slices by content address
- [ ] Verify slice diff computation identifies changes between two slice versions for the same CVE