stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e9aeadc04084353889b1c9dbf4487f5316f4421e
git.stella-ops.org/docs/features/checked/attestor/dsse-wrapped-reach-maps.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.5 KiB
Raw Blame History

DSSE-Wrapped Reach-Maps

Module

Attestor

Status

VERIFIED

Description

Rich graphs and suppression witnesses exist with signing infrastructure available, but a specific "signed reach-map artifact" as a standalone DSSE-wrapped output is not distinctly implemented as described.

What's Implemented

  • Reachability Witness Payload: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs (with .Path) -- reachability witness data with call paths.
  • Witness Path Nodes: Statements/WitnessCallPathNode.cs, WitnessPathNode.cs -- call path node models.
  • Micro Witness Evidence: Predicates/MicroWitnessFunctionEvidence.cs, MicroWitnessBinaryRef.cs, MicroWitnessCveRef.cs, MicroWitnessSbomRef.cs -- function-level reachability evidence.
  • DSSE Signing: Signing/ProofChainSigner.cs, DsseEnvelope.cs -- available signing infrastructure.
  • Proof Graph: Graph/InMemoryProofGraphService.cs (with .Mutation, .Queries, .Subgraph) -- graph model for proof evidence.

What's Missing

  • Standalone reach-map artifact: No dedicated reach-map document type that captures the full reachability graph (all functions, edges, and reachability status) as a single DSSE-wrapped artifact.
  • Reach-map predicate type: No registered predicate type URI (e.g., https://stellaops.org/attestation/reachmap/v1) for reach-map attestations.
  • Full graph serialization: Reachability evidence is captured per-CVE (micro-witness) not as a complete call graph that can be independently verified.
  • Reach-map versioning: No mechanism to version reach-maps and detect changes between scans.
  • Reach-map OCI attachment: No pipeline to attach DSSE-signed reach-maps to OCI images as referrers.

Implementation Plan

  • Define a reach-map predicate type with full call graph serialization
  • Create a ReachMapBuilder that aggregates all micro-witness data into a single reach-map document
  • Implement DSSE signing for reach-map documents using existing ProofChainSigner
  • Add reach-map versioning with diff detection between scans
  • Wire OCI attachment via existing OrasAttestationAttacher
  • Add tests for reach-map building, signing, and versioning

Related Documentation

  • Source: See feature catalog

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001