stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
d0f2cc3b2cf0dfa4b1ea69737ad5ebd02089fbc6
git.stella-ops.org/docs/features/checked/attestor/binary-level-sca-and-provenance.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.8 KiB
Raw Blame History

Binary-Level SCA and Provenance

Module

Attestor

Status

VERIFIED

Description

Binary fingerprint evidence generation, binary identity and vulnerability matching info, and native binary hardening analysis for PE, ELF, and Mach-O formats.

Implementation Details

  • Binary Fingerprint Evidence: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs (with .Helpers) -- generates attestable evidence from binary SCA results.
  • Binary Identity: __Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryIdentityInfo.cs -- captures binary identity: file path, SHA-256 digest, binary format (PE/ELF/Mach-O), architecture, and version info.
  • Vulnerability Matching: BinaryVulnMatchInfo.cs -- links binary identity to CVE matches with match type and confidence score.
  • Binary Fingerprint Predicate: BinaryFingerprintEvidencePredicate.cs -- attestable predicate wrapping binary SCA results.
  • Micro-Witness Evidence: MicroWitnessBinaryRef.cs, MicroWitnessCveRef.cs, MicroWitnessFunctionEvidence.cs, MicroWitnessSbomRef.cs -- fine-grained evidence linking binary analysis to SBOM components and CVEs.
  • Binary Diff for Provenance: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffSectionModels.cs -- section-level diff models for PE (.text, .rdata) and ELF (.text, .rodata) sections.
  • SLSA Provenance Integration: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.cs -- parses SLSA provenance predicates that include build materials (binaries).
  • Note: Actual binary hardening analysis (DEP, ASLR, stack canaries, etc.) lives in src/Scanner/ and src/BinaryIndex/.

E2E Test Plan

  • Generate binary SCA evidence for a PE binary and verify BinaryIdentityInfo captures format as PE with correct architecture
  • Generate evidence for an ELF binary and verify format detection
  • Create BinaryVulnMatchInfo linking a binary identity to a CVE and verify match details (CVE ID, confidence, match type)
  • Create micro-witness evidence with MicroWitnessSbomRef linking binary analysis results to SBOM component entries
  • Generate a binary diff between two binary versions and verify section-level changes are captured in BinaryDiffSectionModels
  • Verify binary fingerprint evidence integrates with SLSA provenance by including binary digests in build materials
  • Sign binary SCA evidence as a DSSE attestation and verify the signature covers the complete BinaryFingerprintEvidencePredicate

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001