stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
f9d652da32a8680e86ea56397a1cc45ba40fbc46
git.stella-ops.org/docs/features/checked/attestor/smart-diff-system.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

3.1 KiB
Raw Blame History

Smart-Diff System (Semantic Security Delta, Binary Diff Predicates)

Module

Attestor

Status

VERIFIED

Description

Smart-diff computing semantic security deltas between SBOM versions with material risk change detection, reachability-aware gating, delta verdict generation, SARIF output, and CLI commands. Binary diff as signed predicates with schema validation, DSSE verification, normalization, and finding extraction.

Implementation Details

  • SBOM Delta Predicate: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/SbomDeltaPredicate.cs -- SBOM-level semantic delta.
  • SBOM Delta Component: Predicates/SbomDeltaComponent.cs -- component-level change tracking.
  • Delta Verdict Predicate: Predicates/DeltaVerdictPredicate.cs (with .Budget) -- verdict delta with budget integration.
  • Binary Diff Predicate Builder: __Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffPredicateBuilder.cs (with .Build) -- builds binary diff predicates. IBinaryDiffPredicateBuilder.cs -- interface.
  • Binary Diff Serializer: BinaryDiff/BinaryDiffPredicateSerializer.cs (with .Normalize) -- serializes with normalization. IBinaryDiffPredicateSerializer.cs -- interface.
  • Binary Diff Finding: BinaryDiff/BinaryDiffFinding.cs -- individual finding from binary diff analysis.
  • Binary Diff Section Models: BinaryDiff/BinaryDiffSectionModels.cs -- section-level diff models.
  • Binary Diff Schema: BinaryDiff/BinaryDiffSchema.SchemaJson.cs -- embedded JSON schema. BinaryDiffSchemaValidationResult.cs -- validation result.
  • Binary Diff DSSE Verifier: BinaryDiff/BinaryDiffDsseVerifier.cs (with .Helpers) -- DSSE verification. IBinaryDiffDsseVerifier.cs -- interface.
  • Change Trace: __Libraries/StellaOps.Attestor.ProofChain/ChangeTrace/ChangeTraceAttestationService.cs -- change trace attestations for smart-diff events.
  • Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiffTests.cs, __Tests/StellaOps.Attestor.ProofChain.Tests/SbomDeltaTests.cs

E2E Test Plan

  • Compute a semantic SBOM delta between two versions and verify SbomDeltaPredicate captures added/removed/changed components
  • Build a binary diff predicate via BinaryDiffPredicateBuilder and verify findings are extracted
  • Validate the binary diff against BinaryDiffSchema and verify schema compliance
  • Sign the binary diff into a DSSE envelope and verify via BinaryDiffDsseVerifier
  • Normalize a binary diff via BinaryDiffPredicateSerializer.Normalize and verify deterministic output
  • Generate a delta verdict from the smart-diff and verify material risk changes are flagged
  • Create a change trace attestation for the smart-diff event and verify it links to before/after versions
  • Verify BinaryDiffFinding captures function name, offset, and change type for each diff finding

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001