stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e716bc6adca8d1a3ac5a24ad491e5fa99e31cf1c
git.stella-ops.org/docs/features/unchecked/attestor/reachability-drift-detection-and-delta-evidence.md

2.7 KiB
Raw Blame History

Reachability Drift Detection and Delta Evidence

Module

Attestor

Status

IMPLEMENTED

Description

Reachability drift predicates tracking new/removed call paths to vulnerable functions with drift analysis metadata, delta summaries between baselines, and reachability status flip tracking between scans.

Implementation Details

  • Reachability Drift Predicate: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/ReachabilityDriftPredicate.cs -- predicate capturing reachability status changes between scans (new paths, removed paths, unchanged paths).
  • Drift Analysis Metadata: Predicates/DriftAnalysisMetadata.cs -- metadata about the drift analysis (baseline scan ID, current scan ID, timestamp, tool). Also in Statements/DriftAnalysisMetadata.cs.
  • Drift Image Reference: Predicates/DriftImageReference.cs -- image reference for the baseline and current scan.
  • Drift Predicate Summary: Predicates/DriftPredicateSummary.cs -- summary of drift counts (new paths, removed paths, flipped statuses).
  • Drift Scanner Info: Predicates/DriftScannerInfo.cs -- scanner that produced the drift data. Also in Statements/DriftScannerInfo.cs.
  • Drifted Sink Predicate Summary: Predicates/DriftedSinkPredicateSummary.cs -- summary of drifted vulnerable sinks.
  • Reachability Drift Payload: Statements/ReachabilityDriftPayload.cs -- in-toto payload for drift data.
  • Reachability Drift Statement: Statements/ReachabilityDriftStatement.cs -- in-toto statement wrapping the drift payload.
  • Drift Summary: Statements/DriftSummary.cs -- statement-level drift summary. DriftedSinkSummary.cs -- per-sink drift summary.
  • Change Trace: ChangeTrace/ChangeTraceAttestationService.cs (with .Helpers, .Mapping) -- creates change trace attestations for drift events.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/ReachabilityDriftTests.cs

E2E Test Plan

  • Create a ReachabilityDriftPredicate with 2 new paths, 1 removed path, and verify the drift data is correct
  • Verify DriftAnalysisMetadata captures baseline and current scan IDs, timestamps, and tool info
  • Verify DriftPredicateSummary correctly counts new, removed, and unchanged paths
  • Detect a reachability status flip (Unreachable -> Reachable) between scans and verify it is flagged in the drift
  • Build a ReachabilityDriftStatement and sign it; verify the DSSE envelope contains the drift payload
  • Create drift data for multiple sinks and verify DriftedSinkPredicateSummary tracks per-sink drift
  • Create a ChangeTraceAttestationService attestation for the drift event and verify it links to baseline and current evidence
  • Verify DriftImageReference correctly identifies the container image versions being compared