# VEX-First Gating Service (Pre-Triage Filter)

## Module

Scanner

## Status

IMPLEMENTED

## Description

Pre-triage VEX gating service that filters vulnerability findings before they reach the triage queue. Gate decisions are Pass, Warn or Block, produced by 4 default rules (block-exploitable-reachable, warn-high-not-reachable, pass-vendor-not-affected, pass-backport-confirmed). Includes a caching observation provider, performance benchmarks, scan pipeline stage integration, a bypass for emergency scans, and audit logging.
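As an added illustration (not StellaOps code; this page only lists the real implementation by file path), a minimal C# evaluator for the 4 default rules, the emergency bypass and the audit record. The `Finding` shape, the `VexStatus` enum, the default decision for an unmatched finding and the rule precedence are all assumptions; the rules are checked in the order the page lists them.

```csharp
using System;
using System.Collections.Generic;

enum GateDecision { Pass, Warn, Block }
enum VexStatus { Unknown, Affected, NotAffected, Fixed }

// Hypothetical finding shape; the real Scanner model is not shown on this page.
record Finding(string Id, string Severity, bool Exploitable, bool Reachable,
               VexStatus VendorStatus, bool BackportConfirmed);
record GateResult(GateDecision Decision, string MatchedRule, DateTimeOffset EvaluatedAt);

static class MinimalVexGate
{
    // First matching rule wins, in the order the page lists the rules. Precedence is an
    // assumption: note it makes warn-high-not-reachable beat a vendor not_affected statement.
    static readonly (string Id, Func<Finding, GateDecision?> Check)[] Rules =
    {
        ("block-exploitable-reachable", f => f.Exploitable && f.Reachable ? (GateDecision?)GateDecision.Block : null),
        ("warn-high-not-reachable", f => string.Equals(f.Severity, "high", StringComparison.OrdinalIgnoreCase) && !f.Reachable ? (GateDecision?)GateDecision.Warn : null),
        ("pass-vendor-not-affected", f => f.VendorStatus == VexStatus.NotAffected ? (GateDecision?)GateDecision.Pass : null),
        ("pass-backport-confirmed", f => f.BackportConfirmed ? (GateDecision?)GateDecision.Pass : null),
    };

    public static GateResult Evaluate(Finding f, bool emergencyBypass, List<string> audit)
    {
        // Assumed default: a finding no rule matches continues to triage unchanged.
        var result = new GateResult(GateDecision.Pass, "no-rule-matched", DateTimeOffset.UtcNow);
        if (emergencyBypass)
        {
            // Emergency scans skip rule evaluation; the bypass itself is still written to the audit trail.
            result = result with { MatchedRule = "emergency-bypass" };
        }
        else
        {
            foreach (var (id, check) in Rules)
            {
                var d = check(f);
                if (d is not null) { result = result with { Decision = d.Value, MatchedRule = id }; break; }
            }
        }
        // Every decision is recorded with rule id and timestamp, as the audit logger section requires.
        audit.Add($"{result.EvaluatedAt:O} finding={f.Id} decision={result.Decision} rule={result.MatchedRule}");
        return result;
    }

    static void Main()
    {
        var audit = new List<string>();  // constructed sample findings with placeholder ids
        Evaluate(new Finding("CVE-EXAMPLE-0001", "critical", true, true, VexStatus.NotAffected, false), false, audit);
        Evaluate(new Finding("CVE-EXAMPLE-0002", "high", false, false, VexStatus.NotAffected, false), false, audit);
        Evaluate(new Finding("CVE-EXAMPLE-0003", "high", true, true, VexStatus.Affected, false), true, audit);
        foreach (var line in audit) Console.WriteLine(line);  // Block, Warn, then the bypass record
    }
}
```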

## Implementation Details

- **VEX Gate Service**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateService.cs` - `VexGateService` pre-triage filter evaluating VEX gate rules and producing Pass/Warn/Block decisions
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/IVexGateService.cs` - Interface for VEX gate operations
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateResult.cs` - `VexGateResult` capturing the gate decision with rule match details
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateDecision.cs` - `VexGateDecision` enum (Pass, Warn, Block)
- **Policy Evaluation**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGatePolicyEvaluator.cs` - `VexGatePolicyEvaluator` evaluating the 4 default rules against findings
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGatePolicy.cs` - `VexGatePolicy` defining the gate rules (block-exploitable-reachable, warn-high-not-reachable, pass-vendor-not-affected, pass-backport-confirmed)
- **Caching Observation Provider**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/CachingVexObservationProvider.cs` - `CachingVexObservationProvider` caching VEX observation lookups for performance
- **Configuration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateOptions.cs` - `VexGateOptions` configuration, including emergency bypass settings
- **Excititor Adapter**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateExcititorAdapter.cs` - Adapter integrating with the Excititor VEX feed service
- **Audit Logging**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateAuditLogger.cs` - `VexGateAuditLogger` logging all gate decisions for the audit trail
- **Pipeline Integration**:
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/VexGateStageExecutor.cs` - `VexGateStageExecutor` scan pipeline stage executing VEX gate evaluation
- **WebService**:
  - `src/Scanner/StellaOps.Scanner.WebService/Controllers/VexGateController.cs` - `VexGateController` REST API for gate queries and overrides
  - `src/Scanner/StellaOps.Scanner.WebService/Services/VexGateQueryService.cs` - Service for querying gate decisions
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/VexGateContracts.cs` - API contracts
- **DI Registration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateServiceCollectionExtensions.cs` - DI registration for gate services
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.Gate.Tests/VexGateServiceTests.cs` - VEX gate service unit tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Gate.Tests/VexGatePolicyEvaluatorTests.cs` - Policy evaluator tests
  - `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/VexGateEndpointsTests.cs` - API endpoint tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/VexGateStageExecutorTests.cs` - Pipeline stage tests

## E2E Test Plan

- [ ] Submit a finding with exploitable-reachable status and verify the gate blocks it (block-exploitable-reachable rule)
- [ ] Submit a high-severity finding that is not reachable and verify the gate warns (warn-high-not-reachable rule)
- [ ] Submit a finding with vendor VEX "not_affected" and verify the gate passes it (pass-vendor-not-affected rule)
- [ ] Submit a finding with a confirmed backport and verify the gate passes it (pass-backport-confirmed rule)
- [ ] Verify emergency scan bypass correctly skips gate evaluation when configured
- [ ] Verify `CachingVexObservationProvider` caches VEX lookups and performance is within benchmarked thresholds
- [ ] Verify audit logging captures all gate decisions with rule match details and timestamps