stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
df941367273bd26da6f89cca11c0bd122536ab45
git.stella-ops.org/docs/implplan/SPRINT_3800_SUMMARY.md
StellaOps Bot df94136727 feat: Implement distro-native version comparison for RPM, Debian, and Alpine packages 
- Add RpmVersionComparer for RPM version comparison with epoch, version, and release handling.
- Introduce DebianVersion for parsing Debian EVR (Epoch:Version-Release) strings.
- Create ApkVersion for parsing Alpine APK version strings with suffix support.
- Define IVersionComparator interface for version comparison with proof-line generation.
- Implement VersionComparisonResult struct to encapsulate comparison results and proof lines.
- Add tests for Debian and RPM version comparers to ensure correct functionality and edge case handling.
- Create project files for the version comparison library and its tests.
2025-12-22 09:49:53 +02:00

121 lines
5.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Sprint Epic 3800 · Layered Binary + Call-Stack Reachability
## Overview
This epic implements the two-stage reachability map as described in the product advisory "Layered binary + callstack reachability" (20-Dec-2025). It extends Stella Ops' reachability analysis with:
1. **Deeper binary analysis** - Disassembly-based call edge extraction
2. **CVE→Symbol mapping** - Connect vulnerabilities to specific binary functions
3. **Attestable slices** - Minimal proof units for triage decisions
4. **Query & replay APIs** - On-demand reachability queries with verification
5. **VEX automation** - Auto-generate `code_not_reachable` justifications
6. **Runtime traces** - eBPF/ETW-based observed path evidence
7. **OCI storage & CLI** - Artifact management and command-line tools
## Sprint Breakdown
| Sprint | Topic | Tasks | Status |
|--------|-------|-------|--------|
| [3800.0001.0001](SPRINT_3800_0001_0001_binary_call_edge_enhancement.md) | Binary Call-Edge Enhancement | 8 | TODO |
| [3810.0001.0001](SPRINT_3810_0001_0001_cve_symbol_mapping_slice_format.md) | CVE→Symbol Mapping & Slice Format | 7 | TODO |
| [3820.0001.0001](SPRINT_3820_0001_0001_slice_query_replay_apis.md) | Slice Query & Replay APIs | 7 | TODO |
| [3830.0001.0001](SPRINT_3830_0001_0001_vex_integration_policy_binding.md) | VEX Integration & Policy Binding | 6 | TODO |
| [3840.0001.0001](SPRINT_3840_0001_0001_runtime_trace_merge.md) | Runtime Trace Merge | 7 | TODO |
| [3850.0001.0001](SPRINT_3850_0001_0001_oci_storage_cli.md) | OCI Storage & CLI | 8 | TODO |
**Total Tasks**: 43
**Status**: TODO (0/43 complete)
## Recommended Execution Order
```
Sprint 3810 (CVE→Symbol + Slices) ─────────────────┐
├──► Sprint 3820 (Query APIs) ──► Sprint 3830 (VEX)
Sprint 3800 (Binary Enhancement) ──────────────────┘
Sprint 3850 (OCI + CLI) ─────────────────────────────► (parallel with 3830)
Sprint 3840 (Runtime Traces) ────────────────────────► (optional, parallel with 3830-3850)
```
## Key Deliverables
### Schemas & Contracts
| Artifact | Location | Sprint |
|----------|----------|--------|
| Slice predicate schema | `docs/schemas/stellaops-slice.v1.schema.json` | 3810 |
| Slice OCI media type | `application/vnd.stellaops.slice.v1+json` | 3850 |
| Runtime event schema | `docs/schemas/runtime-call-event.schema.json` | 3840 |
### APIs
| Endpoint | Method | Description | Sprint |
|----------|--------|-------------|--------|
| `/api/slices/query` | POST | Query reachability for CVE/symbols | 3820 |
| `/api/slices/{digest}` | GET | Retrieve attested slice | 3820 |
| `/api/slices/replay` | POST | Verify slice reproducibility | 3820 |
### CLI Commands
| Command | Description | Sprint |
|---------|-------------|--------|
| `stella binary submit` | Submit binary graph | 3850 |
| `stella binary info` | Display graph info | 3850 |
| `stella binary symbols` | List symbols | 3850 |
| `stella binary verify` | Verify attestation | 3850 |
### Documentation
| Document | Location | Sprint |
|----------|----------|--------|
| Slice schema specification | `docs/reachability/slice-schema.md` | 3810 |
| CVE→Symbol mapping guide | `docs/reachability/cve-symbol-mapping.md` | 3810 |
| Replay verification guide | `docs/reachability/replay-verification.md` | 3820 |
## Dependencies
### External Libraries
| Library | Purpose | Sprint |
|---------|---------|--------|
| iced-x86 | x86/x64 disassembly | 3800 |
| Capstone | ARM64 disassembly | 3800 |
| libbpf/cilium-ebpf | eBPF collector | 3840 |
### Cross-Module Dependencies
| From | To | Integration Point |
|------|-----|-------------------|
| Scanner | Concelier | Advisory feed for CVE→symbol mapping |
| Scanner | Attestor | DSSE signing for slices |
| Scanner | Excititor | Slice verdict consumption |
| Policy | Scanner | Unknowns budget enforcement |
## Risk Register
| Risk | Impact | Mitigation | Owner |
|------|--------|------------|-------|
| Disassembly performance | High | Cap at 5s per 10MB binary | Scanner Team |
| Missing CVE→symbol mappings | Medium | Fallback to package-level | Scanner Team |
| eBPF kernel compatibility | Medium | Require 5.8+, provide fallback | Platform Team |
| OCI registry compatibility | Low | Test against major registries | Scanner Team |
## Success Metrics
1. **Coverage**: >80% of binary CVEs have symbol-level mapping
2. **Performance**: Slice query <2s for typical graphs
3. **Accuracy**: Replay match rate >99.9%
4. **Adoption**: CLI commands used in >50% of offline deployments
## Related Documentation
- [Product Advisory](../product-advisories/archived/2025-12-22-binary-reachability/20-Dec-2025%20-%20Layered%20binary%20+%20callstack%20reachability.md)
- [Binary Reachability Schema](../reachability/binary-reachability-schema.md)
- [RichGraph Contract](../contracts/richgraph-v1.md)
- [Function-Level Evidence](../reachability/function-level-evidence.md)
---
_Created: 2025-12-22. Owner: Scanner Guild._
Reference in New Issue View Git Blame Copy Permalink