git.stella-ops.org/docs/features/unchecked/scanner/suppression-witness-proof-model.md

Suppression Witness Proof Model (DSSE-Signable Not-Affected Evidence)

Module

Scanner

Status

IMPLEMENTED

Description

A DSSE-signable proof model that documents why a known vulnerability is NOT exploitable in a given artifact (the vulnerable code is unreachable, the linker garbage-collected it, a feature flag disables it, the affected symbol is patched, a gate blocks the path, etc.). It is the inverse of PathWitness, which documents why vulnerable code IS reachable. The model defines 10 suppression types and gives each witness a content-addressed ID, i.e. an ID derived from a hash of the witness content, so the same evidence always yields the same ID and a verifier can recompute it from the signed payload.

Implementation Details

  • Suppression Witness Model:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitness.cs - SuppressionWitness model with 10 suppression types (unreachable code, linker GC, feature flag off, patched symbol, gate blocked, etc.) and content-addressed witness IDs
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitnessSchema.cs - JSON schema definition for suppression witness validation
  • Builder:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitnessBuilder.cs - SuppressionWitnessBuilder constructing suppression witnesses with evidence chains and suppression type classification
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ISuppressionWitnessBuilder.cs - Interface for suppression witness construction
  • DSSE Signing:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionDsseSigner.cs - SuppressionDsseSigner signing suppression witnesses using DSSE envelopes
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ISuppressionDsseSigner.cs - Interface for suppression DSSE signing
  • Content-Addressed IDs:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ClaimIdGenerator.cs - ClaimIdGenerator generating deterministic, content-addressed witness IDs
  • DI Registration:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitnessServiceCollectionExtensions.cs - DI registration for suppression witness services

E2E Test Plan

  • Create a suppression witness for an unreachable code path and verify the witness includes the suppression type "UnreachableCode" with evidence
  • Create a suppression witness for linker GC (dead code elimination) and verify it documents the eliminated symbols
  • Sign a suppression witness with DSSE, verify the envelope signature, and verify that the decoded payload validates against the suppression witness schema
  • Verify content-addressed witness IDs are deterministic (same evidence produces identical IDs, and any change to the evidence or suppression type produces a different ID)
  • Verify suppression witnesses complement PathWitnesses by providing the inverse proof (not-affected vs. affected)
  • Verify all 10 suppression types can be constructed and signed correctly
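The following is an added example, not StellaOps code, showing the pieces listed under Implementation Details end to end and the determinism and envelope checks from the test plan: a witness statement is canonicalised, content-addressed, wrapped in a DSSE envelope using the DSSE pre-authentication encoding, and verified (signature first, then that the embedded ID still matches the content). Everything not named on the page is an assumption: the field names and payload type, the constructed evidence, the placeholder vulnerability ID, HMAC-SHA256 as the signature scheme (DSSE is scheme-agnostic; a real signer would use an asymmetric key), and the spelling of the five suppression type identifiers, which are the five the page names out of the model's ten.

```python
"""Added example (not the project's code): content-addressed, DSSE-signable
suppression witness. Field names, payload type, evidence, the placeholder
vulnerability ID and the HMAC stand-in signature scheme are all assumptions."""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.example.suppression-witness+json"  # assumed
# Five of the model's ten types, as named on the page; identifier spellings assumed.
SUPPRESSION_TYPES = {"UnreachableCode", "LinkerGc", "FeatureFlagOff",
                     "PatchedSymbol", "GateBlocked"}


def canonical_json(obj) -> bytes:
    """Deterministic encoding: sorted keys, no whitespace, UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def witness_id(statement: dict) -> str:
    """Content-addressed ID over the statement with its own ID field excluded."""
    body = {k: v for k, v in statement.items() if k != "witnessId"}
    return "sha256:" + hashlib.sha256(canonical_json(body)).hexdigest()


def build_witness(vuln_id: str, subject_digest: str,
                  suppression_type: str, evidence: list) -> dict:
    """Validate, assemble and content-address a suppression witness."""
    if suppression_type not in SUPPRESSION_TYPES:
        raise ValueError(f"unknown suppression type {suppression_type!r}")
    if not evidence:
        raise ValueError("a suppression witness must carry evidence")
    statement = {
        "schemaVersion": 1,
        "vulnerabilityId": vuln_id,
        "subject": {"digest": subject_digest},
        "suppressionType": suppression_type,
        "evidence": list(evidence),  # chain order is part of the content
    }
    statement["witnessId"] = witness_id(statement)
    return statement


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE PAE: 'DSSEv1' SP len(type) SP type SP len(body) SP body."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d " % (len(t), t, len(payload)) + payload


def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    """Wrap the canonical statement in a DSSE envelope (HMAC stand-in scheme)."""
    payload = canonical_json(statement)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode("ascii"),
            "signatures": [{"keyid": keyid,
                            "sig": base64.b64encode(sig).decode("ascii")}]}


def verify_envelope(envelope: dict, key: bytes, keyid: str) -> dict:
    """Check the signature over the PAE, then that the ID still binds the content."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload),
                        hashlib.sha256).digest()
    for s in envelope["signatures"]:
        if s["keyid"] == keyid and hmac.compare_digest(
                base64.b64decode(s["sig"]), expected):
            break
    else:
        raise ValueError("no valid signature for keyid")
    statement = json.loads(payload)
    if statement.get("suppressionType") not in SUPPRESSION_TYPES:
        raise ValueError("payload is not a suppression witness")
    if witness_id(statement) != statement.get("witnessId"):
        raise ValueError("witnessId does not match content")
    return statement


# Constructed sample evidence and key; not real scanner output.
UNREACHABLE_EVIDENCE = [{"kind": "callgraph", "sink": "libfoo!parse_header",
                         "entrypoints": ["main"], "pathsFound": 0}]
LINKER_GC_EVIDENCE = [{"kind": "linkmap", "flag": "--gc-sections",
                       "eliminatedSymbols": ["parse_header", "parse_chunk"]}]
KEY = b"demo-hmac-key-not-for-production"
SUBJECT = "sha256:" + "a" * 64
VULN = "EXAMPLE-VULN-0001"  # placeholder, not a real advisory ID


def demo() -> dict:
    w1 = build_witness(VULN, SUBJECT, "UnreachableCode", UNREACHABLE_EVIDENCE)
    # Same evidence with keys in a different insertion order -> identical ID.
    reordered = [{"pathsFound": 0, "entrypoints": ["main"],
                  "sink": "libfoo!parse_header", "kind": "callgraph"}]
    w2 = build_witness(VULN, SUBJECT, "UnreachableCode", reordered)
    env = sign_envelope(w1, KEY, "demo-key-1")
    verified = verify_envelope(env, KEY, "demo-key-1")
    # Flipping the suppression type in the payload must break the signature.
    forged = canonical_json(dict(w1, suppressionType="GateBlocked"))
    tampered = dict(env, payload=base64.b64encode(forged).decode("ascii"))
    try:
        verify_envelope(tampered, KEY, "demo-key-1")
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"same_id": w1["witnessId"] == w2["witnessId"],
            "verified": verified == w1, "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    print(demo())
```

The ID is computed with the `witnessId` field excluded, otherwise the hash would have to cover itself; the verifier recomputes it after the signature check so that a builder bug or a mis-labelled witness is caught even when the envelope is validly signed.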