stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/scanner/smart-diff-material-risk-change-detection.md

3.5 KiB
Raw Blame History

Smart-Diff Material Risk Change Detection (R1-R4 Rules, Reachability Integration)

Module

Scanner

Status

IMPLEMENTED

Description

MaterialRiskChangeDetector implementing rules R1-R4 (Reachability flip, VEX status flip, affected range boundary, intelligence/policy flip) with reachability gate bridge, boundary proofs, predicate schema with JSON serializer and schema validation, and deterministic golden fixture tests.

Implementation Details

  • Material Risk Change Detector:
    • src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/MaterialRiskChangeDetector.cs - MaterialRiskChangeDetector implementing rules R1 (reachability flip), R2 (VEX status flip), R3 (affected range boundary), R4 (intelligence/policy flip)
    • src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/MaterialRiskChangeResult.cs - MaterialRiskChangeResult model capturing detected material risk changes
  • Reachability Gate Bridge:
    • src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/ReachabilityGateBridge.cs - ReachabilityGateBridge connecting SmartDiff detection with reachability analysis for R1 rule evaluation
  • Delta Verdict Builder:
    • src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Attestation/DeltaVerdictBuilder.cs - DeltaVerdictBuilder building attestation predicates for material risk changes
  • SARIF Output:
    • src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Output/SarifOutputGenerator.cs - SarifOutputGenerator producing SARIF output for SmartDiff findings (rules SDIFF001-004)
  • Configuration:
    • src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/SmartDiffScoringConfig.cs - Scoring configuration for risk change detection thresholds
    • src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/Repositories.cs - Repository interfaces for SmartDiff persistence
  • Persistence:
    • src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresMaterialRiskChangeRepository.cs - PostgreSQL persistence for material risk changes
  • WebService:
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/SmartDiffEndpoints.cs - SmartDiff REST API endpoints
  • Tests:
    • src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/MaterialRiskChangeDetectorTests.cs - Unit tests for R1-R4 rules
    • src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/ReachabilityGateBridgeTests.cs - Gate bridge tests
    • src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/StateComparisonGoldenTests.cs - Golden fixture determinism tests
    • src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/SarifOutputGeneratorTests.cs - SARIF output tests
    • src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/DeltaVerdictBuilderTests.cs - Verdict builder tests

E2E Test Plan

  • Detect a reachability flip (R1) when a previously unreachable vulnerability becomes reachable and verify the material risk change is captured
  • Detect a VEX status flip (R2) when a VEX statement changes from "not_affected" to "affected" and verify the change is classified correctly
  • Detect an affected range boundary change (R3) when a vulnerability's affected version range expands to include the scanned version
  • Detect an intelligence/policy flip (R4) when external intelligence or policy rules change the risk assessment
  • Verify ReachabilityGateBridge correctly integrates reachability data for R1 rule evaluation
  • Run golden fixture tests and verify deterministic output (byte-for-byte identical for same inputs)