# Smart-Diff Material Risk Change Detection (R1-R4 Rules, Reachability Integration)

## Module

Scanner

## Status

IMPLEMENTED

## Description

`MaterialRiskChangeDetector` implements the four material-risk-change rules R1 (reachability flip), R2 (VEX status flip), R3 (affected range boundary) and R4 (intelligence/policy flip), together with a reachability gate bridge that feeds R1, boundary proofs, an attestation predicate schema with a JSON serializer and schema validation, and deterministic golden-fixture tests.

## Implementation Details

- **Material Risk Change Detector**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/MaterialRiskChangeDetector.cs` - `MaterialRiskChangeDetector` implementing rules R1 (reachability flip), R2 (VEX status flip), R3 (affected range boundary), R4 (intelligence/policy flip)
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/MaterialRiskChangeResult.cs` - `MaterialRiskChangeResult` model capturing detected material risk changes
- **Reachability Gate Bridge**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/ReachabilityGateBridge.cs` - `ReachabilityGateBridge` connecting SmartDiff detection with reachability analysis for R1 rule evaluation
- **Delta Verdict Builder**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Attestation/DeltaVerdictBuilder.cs` - `DeltaVerdictBuilder` building attestation predicates for material risk changes
- **SARIF Output**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Output/SarifOutputGenerator.cs` - `SarifOutputGenerator` producing SARIF output for SmartDiff findings (rules SDIFF001-004)
- **Configuration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/SmartDiffScoringConfig.cs` - Scoring configuration for risk change detection thresholds
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/Repositories.cs` - Repository interfaces for SmartDiff persistence
- **Persistence**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresMaterialRiskChangeRepository.cs` - PostgreSQL persistence for material risk changes
- **WebService**:
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SmartDiffEndpoints.cs` - SmartDiff REST API endpoints
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/MaterialRiskChangeDetectorTests.cs` - Unit tests for R1-R4 rules
  - `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/ReachabilityGateBridgeTests.cs` - Gate bridge tests
  - `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/StateComparisonGoldenTests.cs` - Golden fixture determinism tests
  - `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/SarifOutputGeneratorTests.cs` - SARIF output tests
  - `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/DeltaVerdictBuilderTests.cs` - Verdict builder tests

## E2E Test Plan

- [ ] Detect a reachability flip (R1) when a previously unreachable vulnerability becomes reachable, and verify the material risk change is captured (the reverse flip, reachable to unreachable, is a flip as well and must be captured too)
- [ ] Detect a VEX status flip (R2) when a VEX statement changes from "not_affected" to "affected", and verify the change is classified correctly (the reverse flip is the suppression direction and must also be captured, so that a finding cannot disappear silently through a VEX update)
- [ ] Detect an affected range boundary change (R3) when a vulnerability's affected version range expands to include the scanned version
- [ ] Detect an intelligence/policy flip (R4) when external intelligence or policy rules change the risk assessment
- [ ] Verify `ReachabilityGateBridge` correctly integrates reachability data for R1 rule evaluation
- [ ] Run golden fixture tests and verify deterministic output (byte-for-byte identical for the same inputs, independent of the order in which findings are supplied)
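The following is an added, stand-alone illustration of how the R1-R4 rules from the Description and the golden-fixture determinism check from the test plan fit together. It is example code written for this page, not the StellaOps `MaterialRiskChangeDetector`, `SarifOutputGenerator` or golden tests. The `FindingState` and `RiskChange` records, the toy version-range grammar, and the one-to-one pairing of R1-R4 with SDIFF001-004 are assumptions made for the example; the before/after scan states are constructed so that each rule fires exactly once.

```csharp
// Added example for this page: a minimal R1-R4 detector with a deterministic
// serialization check. Not the StellaOps implementation; all type and field
// names below are assumptions made for the example (.NET 6 or later).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Snapshot of one finding in one scan (constructed model).
public sealed record FindingState(
    string VulnId, string Package, string Version, bool Reachable,
    string VexStatus, string AffectedRange, string PolicyVerdict);

// One material risk change, tagged with the SARIF rule id it is reported under.
public sealed record RiskChange(
    string Rule, string SarifRuleId, string VulnId, string Package, string Before, string After);

public static class MaterialRiskChangeRules
{
    // The page lists rules R1-R4 and SARIF rules SDIFF001-004; pairing them 1:1 is an assumption.
    private static readonly Dictionary<string, string> SarifIds = new()
    {
        ["R1"] = "SDIFF001", ["R2"] = "SDIFF002", ["R3"] = "SDIFF003", ["R4"] = "SDIFF004",
    };

    public static List<RiskChange> Detect(IEnumerable<FindingState> before, IEnumerable<FindingState> after)
    {
        var prev = before.ToDictionary(f => (f.VulnId, f.Package));
        var changes = new List<RiskChange>();

        // Ordinal ordering makes the result independent of the order findings arrive in.
        foreach (var cur in after.OrderBy(f => f.VulnId, StringComparer.Ordinal)
                                 .ThenBy(f => f.Package, StringComparer.Ordinal))
        {
            // A finding with no counterpart in the previous scan is new, not a change of risk.
            if (!prev.TryGetValue((cur.VulnId, cur.Package), out var old)) continue;

            // R1: reachability flip, in either direction.
            if (old.Reachable != cur.Reachable)
                changes.Add(Make("R1", cur, Label(old.Reachable), Label(cur.Reachable)));

            // R2: VEX status flip (not_affected -> affected, or the suppression direction).
            if (old.VexStatus != cur.VexStatus)
                changes.Add(Make("R2", cur, old.VexStatus, cur.VexStatus));

            // R3: the affected-range boundary moved across the scanned version. A range edit
            // that does not change whether the installed version is inside it is not material.
            bool wasAffected = InRange(old.Version, old.AffectedRange);
            bool isAffected = InRange(cur.Version, cur.AffectedRange);
            if (wasAffected != isAffected)
                changes.Add(Make("R3", cur,
                    $"{old.Version} {(wasAffected ? "in" : "outside")} {old.AffectedRange}",
                    $"{cur.Version} {(isAffected ? "in" : "outside")} {cur.AffectedRange}"));

            // R4: intelligence/policy verdict flip.
            if (old.PolicyVerdict != cur.PolicyVerdict)
                changes.Add(Make("R4", cur, old.PolicyVerdict, cur.PolicyVerdict));
        }
        return changes;
    }

    // Toy range grammar for the example: comma-separated constraints such as ">=1.0.0,<1.4.0",
    // with three-part versions so that System.Version compares them as intended.
    public static bool InRange(string version, string range)
    {
        var v = Version.Parse(version);
        foreach (var raw in range.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries))
        {
            bool twoChar = raw.StartsWith(">=", StringComparison.Ordinal) || raw.StartsWith("<=", StringComparison.Ordinal);
            string op = twoChar ? raw[..2] : raw[..1];
            int c = v.CompareTo(Version.Parse(raw[op.Length..]));
            bool satisfied = op switch
            {
                ">=" => c >= 0, "<=" => c <= 0, ">" => c > 0, "<" => c < 0, "=" => c == 0,
                _ => throw new FormatException($"unsupported constraint '{raw}'"),
            };
            if (!satisfied) return false;
        }
        return true;
    }

    // Canonical form for golden fixtures: fixed property order (record declaration order),
    // no indentation, no locale-dependent formatting.
    public static string ToCanonicalJson(List<RiskChange> changes) =>
        JsonSerializer.Serialize(changes, new JsonSerializerOptions { WriteIndented = false });

    public static string Digest(string json) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(json)));

    private static RiskChange Make(string rule, FindingState f, string before, string after) =>
        new(rule, SarifIds[rule], f.VulnId, f.Package, before, after);

    private static string Label(bool reachable) => reachable ? "reachable" : "unreachable";
}

public static class Program
{
    public static void Main()
    {
        // Constructed before/after scan states (placeholder ids, not real CVEs); one rule fires per row.
        var before = new[]
        {
            new FindingState("EXAMPLE-0001", "pkg:npm/example-a", "1.1.0",   false, "under_investigation", "<1.2.0",   "allow"),
            new FindingState("EXAMPLE-0002", "pkg:npm/example-b", "2.0.3",   true,  "not_affected",        "<2.1.0",   "allow"),
            new FindingState("EXAMPLE-0003", "pkg:npm/example-c", "4.17.20", true,  "under_investigation", "<4.17.20", "allow"),
            new FindingState("EXAMPLE-0004", "pkg:npm/example-d", "0.21.1",  true,  "affected",            "<0.21.2",  "allow"),
        };
        var after = new[]
        {
            new FindingState("EXAMPLE-0001", "pkg:npm/example-a", "1.1.0",   true,  "under_investigation", "<1.2.0",   "allow"), // R1
            new FindingState("EXAMPLE-0002", "pkg:npm/example-b", "2.0.3",   true,  "affected",            "<2.1.0",   "allow"), // R2
            new FindingState("EXAMPLE-0003", "pkg:npm/example-c", "4.17.20", true,  "under_investigation", "<4.17.21", "allow"), // R3
            new FindingState("EXAMPLE-0004", "pkg:npm/example-d", "0.21.1",  true,  "affected",            "<0.21.2",  "block"), // R4
        };

        var changes = MaterialRiskChangeRules.Detect(before, after);
        foreach (var c in changes)
            Console.WriteLine($"{c.Rule} ({c.SarifRuleId}) {c.VulnId} {c.Package}: {c.Before} -> {c.After}");

        // Golden-fixture style check: the same inputs must serialize byte-for-byte identically
        // even when the "after" findings are supplied in a different order.
        string json = MaterialRiskChangeRules.ToCanonicalJson(changes);
        string jsonReordered = MaterialRiskChangeRules.ToCanonicalJson(
            MaterialRiskChangeRules.Detect(before, Enumerable.Reverse(after)));
        Console.WriteLine(json == jsonReordered
            ? $"deterministic, sha256={MaterialRiskChangeRules.Digest(json)}"
            : "NON-DETERMINISTIC OUTPUT");
    }
}
```

Run it as a .NET 6+ console project with `dotnet run`. Two design points carry over to any real detector: R3 is keyed on whether the scanned version crosses the range boundary, not on every textual edit of the range, and `Detect` sorts the "after" state with an ordinal comparer before comparing, which is what makes the emitted list, and therefore the JSON and its digest, byte-identical regardless of how the findings were ordered on input.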