4.9 KiB
Here’s a simple, practical way to make release gates that auto‑decide if a build is “routine” or “risky” by comparing the semantic delta across SBOMs, VEX data, and dependency graphs—so product managers can approve (or defer) with evidence, not guesswork.
What this means (quick background)
- SBOM: a bill of materials for your build (what components you ship).
- VEX: vendor statements about whether known CVEs actually affect a product/version.
- Dependency graph: how components link together at build/runtime.
- Semantic delta: not just “files changed,” but “risk‑relevant meaning changed” (e.g., new reachable vuln path, new privileged capability, downgraded VEX confidence).
The gate’s core signal (one line)
Risk Verdict = f(ΔSBOM, ΔReachability, ΔVEX, ΔConfig/Capabilities, ΔExploitability) → Routine | Review | Block
Minimal data you need per release
- SBOM (CycloneDX/SPDX) for previous vs current release.
- Reachability subgraph: which vulnerable symbols/paths are actually callable (source, package, binary, or eBPF/runtime).
- VEX claims merged from vendors/distros/internal (with trust scores).
- Policy knobs: env tier (prod vs dev), allowed unknowns, max risk budget, critical assets list.
- Exploit context: EPSS/CISA KEV or your internal exploit sighting, if available.
How to compute the semantic delta (fast path)
-
Component delta: new/removed/updated packages → tag each change with severity (critical/security‑relevant vs cosmetic).
-
Vulnerability delta:
- New CVEs introduced?
- Old CVEs now mitigated (patch/backport) or declared not‑affected via VEX?
- Any VEX status regressions (e.g., “not‑affected” → “under‑investigation”)?
-
Reachability delta:
- Any new call‑paths to vulnerable functions?
- Any risk removed (path eliminated via config/feature‑flag/off by default)?
-
Config/capabilities delta:
- New container perms (NET_ADMIN, SYS_ADMIN), new open ports, new outbound calls.
- New data flows to sensitive stores.
-
Exploitability delta:
- EPSS/KEV jumps; active exploitation signals.
A tiny, useful scoring rubric (defaults you can ship)
-
Start at 0. Add:
- +6 if any reachable critical vuln (no valid VEX “not‑affected”).
- +4 if any reachable high vuln.
- +3 if new sensitive capability added (e.g., NET_ADMIN) or new public port opened.
- +2 if VEX status regressed (NA→U/I or Affected).
- +1 per unknown package origin or unsigned artifact (cap at +5).
-
Subtract:
- −3 per proven mitigation (valid VEX NA with trusted source + reachability proof).
- −2 if vulnerable path is demonstrably gated off in target env (feature flag off + policy evidence).
-
Verdict:
- 0–3 → Routine (auto‑approve)
- 4–7 → Review (PM/Eng sign‑off)
- ≥8 → Block (require remediation/exception)
(Tune thresholds per env: e.g., prod stricter than staging.)
What PMs see (clean UI)
-
Badge: Routine / Review / Block.
-
Why (3–5 bullets):
- “Added
libpng1.6.43 (new), CVE‑XXXX reachable viaDecodePng()” - “Vendor VEX for
libsslsays not‑affected (function not built)” - “Container gained
CAP_NET_RAW”
- “Added
-
Evidence buttons:
- “Show reachability slice” (mini graph)
- “Show VEX sources + trust”
- “Show SBOM diff”
-
Call to action:
- “Auto‑remediate to 1.6.44” / “Mark exception” / “Open fix PR”
Exception workflow (auditable)
- Exception must include: scope, expiry, compensating controls, owner, and linked evidence (reachability/VEX).
- Gate re‑evaluates each release; expired exceptions auto‑fail the gate.
How to wire it into CI/CD (quick recipe)
- Generate SBOM + reachability slice for
prevandcurr. - Merge VEX from vendor/distro/internal with trust scoring.
- Run Delta Evaluator → score + verdict + evidence bundle (JSON + attestation).
- Gate policy checks score vs environment thresholds.
- Publish an OCI‑attached attestation (DSSE/in‑toto) so auditors can replay: same inputs → same verdict.
Starter policy you can copy
- Prod: block on any reachable Critical; review on any reachable High; unknowns ≤ 2; no new privileged caps without exception.
- Pre‑prod: review on reachable High/Critical; unknowns ≤ 5.
- Dev: allow but flag; collect evidence.
Why this helps immediately
- PMs get evidence‑backed green/yellow/red, not CVE walls.
- Engineers get actionable deltas (what changed that matters).
- Auditors get replayable proofs (deterministic verdicts + inputs).
If you want, I can turn this into a ready‑to‑drop spec for Stella Ops (modules, JSON schemas, attestation format, and a tiny React panel mock) so your team can implement the gate this sprint.