236 lines
4.8 KiB
Markdown
236 lines
4.8 KiB
Markdown
# Proof Bundle Specification
|
|
|
|
## Overview
|
|
|
|
A **Proof Bundle** aggregates all evidence supporting an exploit path assessment. It provides a complete, self-contained package for audit, compliance, and decision-making.
|
|
|
|
## Bundle Contents
|
|
|
|
### 1. Reach Subgraph
|
|
|
|
The reachability subgraph shows the call path from entry point to vulnerable symbol.
|
|
|
|
```json
|
|
{
|
|
"nodes": [
|
|
{
|
|
"id": "node-001",
|
|
"label": "handleRequest",
|
|
"type": "entryPoint",
|
|
"depth": 0,
|
|
"isVulnerable": false,
|
|
"isEntryPoint": true
|
|
},
|
|
{
|
|
"id": "node-002",
|
|
"label": "renderTemplate",
|
|
"type": "function",
|
|
"depth": 1,
|
|
"isVulnerable": false,
|
|
"isEntryPoint": false
|
|
},
|
|
{
|
|
"id": "node-003",
|
|
"label": "_.template",
|
|
"type": "vulnerableSymbol",
|
|
"depth": 2,
|
|
"isVulnerable": true,
|
|
"isEntryPoint": false
|
|
}
|
|
],
|
|
"edges": [
|
|
{
|
|
"sourceId": "node-001",
|
|
"targetId": "node-002",
|
|
"label": "calls",
|
|
"weight": 0.95
|
|
},
|
|
{
|
|
"sourceId": "node-002",
|
|
"targetId": "node-003",
|
|
"label": "calls",
|
|
"weight": 0.90
|
|
}
|
|
],
|
|
"entryPointId": "node-001",
|
|
"vulnerableSymbolId": "node-003",
|
|
"totalNodes": 3,
|
|
"totalEdges": 2
|
|
}
|
|
```
|
|
|
|
### 2. Symbol Map
|
|
|
|
Maps symbol identifiers to source code locations.
|
|
|
|
```json
|
|
{
|
|
"symbols": [
|
|
{
|
|
"id": "node-001",
|
|
"fullyQualifiedName": "src.api.handleRequest",
|
|
"sourceFile": "src/api/handler.js",
|
|
"lineNumber": 42,
|
|
"language": "javascript",
|
|
"signature": "function handleRequest(req, res)"
|
|
},
|
|
{
|
|
"id": "node-003",
|
|
"fullyQualifiedName": "lodash.template",
|
|
"sourceFile": "node_modules/lodash/template.js",
|
|
"lineNumber": 156,
|
|
"language": "javascript",
|
|
"signature": "function template(string, options)"
|
|
}
|
|
],
|
|
"sourceFiles": [
|
|
"src/api/handler.js",
|
|
"node_modules/lodash/template.js"
|
|
]
|
|
}
|
|
```
|
|
|
|
### 3. VEX Claims
|
|
|
|
VEX statements from various sources with trust scores.
|
|
|
|
```json
|
|
{
|
|
"vexClaims": [
|
|
{
|
|
"cveId": "CVE-2024-1234",
|
|
"status": "not_affected",
|
|
"justification": "vulnerable_code_not_in_execute_path",
|
|
"source": "vendor:lodash",
|
|
"trustScore": 0.95,
|
|
"timestamp": "2024-12-22T10:00:00Z",
|
|
"signatureValid": true
|
|
},
|
|
{
|
|
"cveId": "CVE-2024-1234",
|
|
"status": "affected",
|
|
"justification": null,
|
|
"source": "nvd",
|
|
"trustScore": 0.80,
|
|
"timestamp": "2024-12-20T08:00:00Z",
|
|
"signatureValid": false
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
### 4. Trust Scores
|
|
|
|
Aggregated confidence metrics.
|
|
|
|
```json
|
|
{
|
|
"trustScores": {
|
|
"reachabilityConfidence": 0.90,
|
|
"vexConfidence": 0.85,
|
|
"overallConfidence": 0.875,
|
|
"evidenceCount": 5
|
|
}
|
|
}
|
|
```
|
|
|
|
## API Endpoint
|
|
|
|
### GET /triage/paths/{pathId}/proof
|
|
|
|
Returns the complete proof bundle.
|
|
|
|
**Response:**
|
|
```json
|
|
{
|
|
"pathId": "path:abc123...",
|
|
"generatedAt": "2024-12-22T12:00:00Z",
|
|
"reachSubgraph": { ... },
|
|
"symbolMap": { ... },
|
|
"vexClaims": [ ... ],
|
|
"trustScores": { ... },
|
|
"bundleDigest": "sha256:def456..."
|
|
}
|
|
```
|
|
|
|
### GET /triage/paths/{pathId}/proof/export
|
|
|
|
Returns proof bundle as downloadable JSON file.
|
|
|
|
## Bundle Integrity
|
|
|
|
Each bundle includes a digest for integrity verification:
|
|
|
|
```
|
|
bundleDigest = SHA256(canonical_json(bundle_without_digest))
|
|
```
|
|
|
|
This allows:
|
|
- Tamper detection
|
|
- Audit trail verification
|
|
- Reproducible exports
|
|
|
|
## Visualization
|
|
|
|
### Reach Graph Rendering
|
|
|
|
Use Cytoscape.js or similar for interactive visualization:
|
|
- Nodes colored by type (entry point, intermediate, vulnerable)
|
|
- Edge width indicates confidence weight
|
|
- Collapsible for large graphs
|
|
|
|
### Symbol Navigation
|
|
|
|
Click-through from symbols to source code:
|
|
- IDE integration (VS Code, JetBrains)
|
|
- GitHub/GitLab links
|
|
- Line number highlighting
|
|
|
|
### VEX Claim Comparison
|
|
|
|
Side-by-side view of conflicting VEX statements:
|
|
- Trust score comparison
|
|
- Timestamp ordering
|
|
- Signature verification badges
|
|
|
|
## Use Cases
|
|
|
|
### Exception Creation
|
|
|
|
When creating an exception, attach proof bundle:
|
|
```yaml
|
|
exception:
|
|
pathId: "path:abc123..."
|
|
proofBundleDigest: "sha256:def456..."
|
|
evidence:
|
|
- type: proof-bundle
|
|
reference: "/triage/paths/path:abc123.../proof"
|
|
```
|
|
|
|
### Compliance Audit
|
|
|
|
Export proof bundles for compliance documentation:
|
|
1. Query all active exceptions
|
|
2. Export proof bundle for each
|
|
3. Generate PDF report with embedded evidence
|
|
|
|
### Dispute Resolution
|
|
|
|
When VEX claims conflict:
|
|
1. View all claims in proof bundle
|
|
2. Compare trust scores and timestamps
|
|
3. Document resolution rationale
|
|
|
|
## Schema Validation
|
|
|
|
Proof bundles must validate against JSON Schema:
|
|
```
|
|
$id: https://stellaops.io/schemas/proof-bundle/v1
|
|
```
|
|
|
|
## Related Documentation
|
|
|
|
- [Exploit Path Inbox](./exploit-path-inbox.md)
|
|
- [VEX Trust Scoring](../excititor/scoring.md)
|
|
- [Reachability Analysis](../scanner/operations/entrypoint.md)
|