4dc7cf834a
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Console CI / console-ci (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
VEX Proof Bundles / verify-bundles (push) Has been cancelled
- Introduced sample proof bundle configuration files for testing, including `sample-proof-bundle-config.dsse.json`, `sample-proof-bundle.dsse.json`, and `sample-proof-bundle.json`. - Implemented a verification script `test_verify_sample.sh` to validate proof bundles against specified schemas and catalogs. - Updated existing proof bundle configurations with new metadata, including versioning, created timestamps, and justification details. - Enhanced evidence entries with expiration dates and hashes for better integrity checks. - Ensured all new configurations adhere to the defined schema for consistency and reliability in testing.
226 lines
6.7 KiB
JSON
226 lines
6.7 KiB
JSON
{
|
|
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
|
"$id": "https://stellaops.local/docs/benchmarks/vex-evidence-playbook.schema.json",
|
|
"title": "StellaOps VEX Proof Bundle",
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": [
|
|
"id",
|
|
"version",
|
|
"created_at",
|
|
"created_by",
|
|
"graph",
|
|
"openvex",
|
|
"justification",
|
|
"entrypoints",
|
|
"evidence",
|
|
"rbac",
|
|
"reevaluation",
|
|
"uncertainty",
|
|
"signatures"
|
|
],
|
|
"properties": {
|
|
"id": {
|
|
"type": "string",
|
|
"description": "Stable proof bundle identifier (URN recommended)."
|
|
},
|
|
"version": {
|
|
"type": "string",
|
|
"description": "Semantic version of the bundle payload schema."
|
|
},
|
|
"created_at": {
|
|
"type": "string",
|
|
"format": "date-time",
|
|
"description": "UTC timestamp when the bundle was produced."
|
|
},
|
|
"created_by": {
|
|
"type": "string",
|
|
"description": "Issuer of the bundle (service, user, or automation identity)."
|
|
},
|
|
"graph": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": ["hash"],
|
|
"properties": {
|
|
"hash": {
|
|
"$ref": "#/definitions/digest",
|
|
"description": "BLAKE3-256 (preferred) or SHA-256 hash of the reachability graph."
|
|
},
|
|
"dsse": { "$ref": "#/definitions/dsseRef" },
|
|
"revision_id": {
|
|
"type": "string",
|
|
"description": "Optional graph revision identifier or CAS key."
|
|
}
|
|
}
|
|
},
|
|
"openvex": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": ["path", "statement_id", "canonical_sha256", "canonical_blake3", "serialization"],
|
|
"properties": {
|
|
"path": { "type": "string" },
|
|
"statement_id": { "type": "string" },
|
|
"canonical_sha256": { "$ref": "#/definitions/sha256" },
|
|
"canonical_blake3": { "$ref": "#/definitions/blake3" },
|
|
"serialization": {
|
|
"type": "string",
|
|
"enum": ["canonical-json", "csaf", "cyclonedx"],
|
|
"description": "Serialization strategy for the OpenVEX payload."
|
|
}
|
|
}
|
|
},
|
|
"justification": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": ["id"],
|
|
"properties": {
|
|
"id": {
|
|
"type": "string",
|
|
"description": "Justification catalog identifier (e.g., VEX1.vulnerable_code_not_present)."
|
|
},
|
|
"dsse": { "$ref": "#/definitions/dsseRef" }
|
|
}
|
|
},
|
|
"entrypoints": {
|
|
"type": "array",
|
|
"minItems": 1,
|
|
"items": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": ["id", "coverage_percent", "negative_tests", "config_hash", "flags_hash"],
|
|
"properties": {
|
|
"id": { "type": "string" },
|
|
"coverage_percent": {
|
|
"type": "number",
|
|
"minimum": 0,
|
|
"maximum": 100
|
|
},
|
|
"negative_tests": { "type": "boolean" },
|
|
"config_hash": { "$ref": "#/definitions/sha256" },
|
|
"flags_hash": { "$ref": "#/definitions/sha256" },
|
|
"evidence_links": {
|
|
"type": "array",
|
|
"items": { "type": "string" }
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"evidence": {
|
|
"type": "array",
|
|
"minItems": 1,
|
|
"items": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": ["type", "cas_uri", "hash", "expires_at"],
|
|
"properties": {
|
|
"type": {
|
|
"type": "string",
|
|
"enum": ["graph", "coverage", "runtime_trace", "negative_test", "config", "flags", "sbom", "scan", "policy"]
|
|
},
|
|
"cas_uri": { "type": "string" },
|
|
"hash": { "$ref": "#/definitions/digest" },
|
|
"dsse": { "$ref": "#/definitions/dsseRef" },
|
|
"expires_at": { "type": "string", "format": "date-time" }
|
|
}
|
|
}
|
|
},
|
|
"rbac": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": ["roles_allowed", "approvals_required"],
|
|
"properties": {
|
|
"roles_allowed": {
|
|
"type": "array",
|
|
"minItems": 1,
|
|
"items": { "type": "string" }
|
|
},
|
|
"approvals_required": {
|
|
"type": "integer",
|
|
"minimum": 1
|
|
},
|
|
"enforcement": {
|
|
"type": "string",
|
|
"description": "How RBAC is enforced (policy, signer, or both)."
|
|
}
|
|
}
|
|
},
|
|
"reevaluation": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": ["on_sbom_change", "on_graph_change", "on_runtime_change"],
|
|
"properties": {
|
|
"on_sbom_change": { "type": "boolean" },
|
|
"on_graph_change": { "type": "boolean" },
|
|
"on_runtime_change": { "type": "boolean" },
|
|
"ttl_days": {
|
|
"type": "integer",
|
|
"minimum": 1,
|
|
"description": "Maximum lifetime before forced reevaluation."
|
|
}
|
|
}
|
|
},
|
|
"uncertainty": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": ["state", "entropy"],
|
|
"properties": {
|
|
"state": { "type": "string", "enum": ["U0-none", "U1-low", "U2-medium", "U3-high"] },
|
|
"entropy": { "type": "number", "minimum": 0, "maximum": 1 },
|
|
"notes": { "type": "string" }
|
|
}
|
|
},
|
|
"policy": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"decision": { "type": "string" },
|
|
"decision_reason": { "type": "string" },
|
|
"openvex_serialization": { "type": "string" },
|
|
"canonical_encoding": { "type": "string" }
|
|
}
|
|
},
|
|
"signatures": {
|
|
"type": "array",
|
|
"minItems": 1,
|
|
"items": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": ["type", "key_id", "envelope_digest"],
|
|
"properties": {
|
|
"type": { "type": "string", "enum": ["dsse", "jws"] },
|
|
"key_id": { "type": "string" },
|
|
"sig": { "type": "string" },
|
|
"envelope_digest": { "$ref": "#/definitions/sha256" },
|
|
"rekor_log_id": { "type": "string" },
|
|
"rekor_entry_uuid": { "type": "string" },
|
|
"transparency_checkpoint": { "type": "string" }
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"definitions": {
|
|
"sha256": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[A-Fa-f0-9]{64}$"
|
|
},
|
|
"blake3": {
|
|
"type": "string",
|
|
"pattern": "^blake3:[A-Fa-f0-9]{64}$"
|
|
},
|
|
"digest": {
|
|
"type": "string",
|
|
"pattern": "^(sha256|blake3):[A-Fa-f0-9]{64}$"
|
|
},
|
|
"dsseRef": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": ["path", "sha256"],
|
|
"properties": {
|
|
"path": { "type": "string" },
|
|
"sha256": { "$ref": "#/definitions/sha256" },
|
|
"payload_sha256": { "$ref": "#/definitions/sha256" }
|
|
}
|
|
}
|
|
}
|
|
}
|