git.stella-ops.org/docs/features/unchecked/scanner/vex-auto-generation-and-auto-downgrade.md

# VEX Auto-Generation and Auto-Downgrade (SmartDiff Candidates, Runtime Evidence)

**Module:** Scanner

**Status:** IMPLEMENTED

## Description

Emits VEX candidates (`not_affected` / `under_investigation`) from SmartDiff when the vulnerable APIs named by an advisory are absent in the current version. Runtime results can support or contradict the static analysis, enabling an auto-downgrade of the VEX posture (for example from `not_affected` to `under_investigation`) based on runtime evidence.

## Implementation Details

- VEX Candidate Emitter:
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexCandidateEmitter.cs` - `VexCandidateEmitter` emitting VEX candidates (`not_affected`, `under_investigation`) when SmartDiff detects that vulnerable APIs are absent in the current version
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexCandidateModels.cs` - VEX candidate data models
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexEvidence.cs` - `VexEvidence` model linking SmartDiff evidence to VEX candidates
- Persistence:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresVexCandidateStore.cs` - `PostgresVexCandidateStore` persisting VEX candidates for review and approval
- Delta Signature VEX:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/DeltaSigVexEmitter.cs` - `DeltaSigVexEmitter` emitting VEX statements based on delta signature analysis
- API:
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SmartDiffEndpoints.cs` - SmartDiff endpoints including VEX candidate retrieval
- Tests:
  - `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/VexCandidateEmitterTests.cs` - VEX candidate emission tests

## E2E Test Plan

- Trigger SmartDiff analysis where vulnerable APIs are absent in the current version and verify a `not_affected` VEX candidate is emitted
- Verify `under_investigation` VEX candidates are emitted when SmartDiff cannot conclusively determine API absence
- Verify runtime evidence contradicting a `not_affected` VEX candidate triggers auto-downgrade to `under_investigation`
- Verify VEX candidates are persisted in PostgreSQL for review and approval workflow
- Verify `DeltaSigVexEmitter` emits VEX statements based on delta signature comparison between versions
- Verify auto-generated VEX candidates include evidence links back to the SmartDiff analysis that produced them
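The decision rules described above (candidate emission from static API absence, runtime contradiction forcing a downgrade, and evidence links carried on every candidate) are illustrated by the following added example. It is not StellaOps code and does not use the project's `VexCandidateEmitter` or its models; the types `StaticFinding`, `RuntimeEvidence`, `VexCandidate` and `CandidateEmitter`, the evidence-link URIs and the CVE placeholder are all constructed for this illustration.

```csharp
// Added example, not StellaOps code: models the candidate and downgrade decisions this page describes.
using System;
using System.Collections.Generic;
using System.Linq;

// Status values as they appear in the emitted VEX statement (the two names used on this page).
enum VexStatus { NotAffected, UnderInvestigation }

// Hypothetical input: what a SmartDiff-style static pass knows about one advisory.
record StaticFinding(
    string VulnId,
    string Component,
    IReadOnlyList<string> VulnerableApis,      // APIs the advisory names as vulnerable
    IReadOnlySet<string> ApisPresentInCurrent, // APIs resolved in the current version
    bool ResolutionComplete);                  // false when the current version could not be fully resolved

// Hypothetical runtime evidence: APIs a runtime probe actually observed executing.
record RuntimeEvidence(IReadOnlySet<string> ObservedApis);

record VexCandidate(
    string VulnId, string Component, VexStatus Status, string Justification,
    IReadOnlyList<string> EvidenceLinks);      // links back to the analysis that produced the candidate

static class CandidateEmitter
{
    public static string Render(VexStatus s) =>
        s == VexStatus.NotAffected ? "not_affected" : "under_investigation";

    // Static pass: not_affected only when absence is provable; anything weaker is under_investigation.
    public static VexCandidate Emit(StaticFinding f, string analysisRef)
    {
        var links = new[] { analysisRef };
        if (!f.ResolutionComplete)
            return new VexCandidate(f.VulnId, f.Component, VexStatus.UnderInvestigation,
                "symbol resolution incomplete; API absence not conclusive", links);

        var stillPresent = f.VulnerableApis.Where(f.ApisPresentInCurrent.Contains).ToList();
        if (stillPresent.Count == 0)
            return new VexCandidate(f.VulnId, f.Component, VexStatus.NotAffected,
                "vulnerable APIs absent in current version: " + string.Join(", ", f.VulnerableApis), links);

        return new VexCandidate(f.VulnId, f.Component, VexStatus.UnderInvestigation,
            "vulnerable APIs still present: " + string.Join(", ", stillPresent), links);
    }

    // Runtime pass: contradicting evidence downgrades not_affected; agreeing evidence is only appended.
    // Runtime evidence never upgrades a posture, because not observing a call proves nothing.
    public static VexCandidate ApplyRuntime(VexCandidate c, StaticFinding f, RuntimeEvidence r, string runtimeRef)
    {
        var observed = f.VulnerableApis.Where(r.ObservedApis.Contains).ToList();
        var links = c.EvidenceLinks.Append(runtimeRef).ToList();
        if (c.Status == VexStatus.NotAffected && observed.Count > 0)
            return c with
            {
                Status = VexStatus.UnderInvestigation,
                Justification = "downgraded: runtime observed " + string.Join(", ", observed)
                                + " despite static absence claim",
                EvidenceLinks = links
            };
        return c with { EvidenceLinks = links };
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample input; the CVE id and package URL are placeholders.
        var vulnApis = new[] { "Foo.Parse(string)" };
        var clean = new StaticFinding("CVE-PLACEHOLDER", "pkg:nuget/foo@2.0", vulnApis,
            new HashSet<string> { "Foo.Validate(string)" }, ResolutionComplete: true);
        var unresolved = clean with { ResolutionComplete = false };

        var c1 = CandidateEmitter.Emit(clean, "smartdiff://scan/1");      // expected: not_affected
        Console.WriteLine($"{c1.VulnId}: {CandidateEmitter.Render(c1.Status)} ({c1.Justification})");

        var c2 = CandidateEmitter.Emit(unresolved, "smartdiff://scan/2"); // expected: under_investigation
        Console.WriteLine($"{c2.VulnId}: {CandidateEmitter.Render(c2.Status)} ({c2.Justification})");

        // A runtime probe observed the vulnerable API executing after all: the static claim is downgraded.
        var contradiction = new RuntimeEvidence(new HashSet<string> { "Foo.Parse(string)" });
        var c3 = CandidateEmitter.ApplyRuntime(c1, clean, contradiction, "runtime://trace/1");
        Console.WriteLine($"{c3.VulnId}: {CandidateEmitter.Render(c3.Status)} ({c3.Justification})");
        Console.WriteLine("evidence: " + string.Join(" ; ", c3.EvidenceLinks));
    }
}
```

The asymmetry in `ApplyRuntime` is the point worth keeping when mapping this onto real candidates: runtime observation of a vulnerable API is positive evidence and can only make the posture more conservative, while the absence of an observation during a finite trace is not evidence of absence and must not promote `under_investigation` to `not_affected`. Every candidate also carries the reference to the static analysis that produced it, and the runtime reference is appended rather than replacing it, so a reviewer can trace both sources of the final posture.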