stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4823f46c4bc090294580a9136fb6b0e11e50f9
git.stella-ops.org/docs/features/unchecked/attestor/reachability-aware-vulnerability-prioritization.md

2.8 KiB
Raw Blame History

Reachability-Aware Vulnerability Prioritization (Competitive Differentiator)

Module

Attestor

Status

IMPLEMENTED

Description

Reachability witness payload with path information, micro-witness function evidence and verdicts, DSSE-signed reachability witnesses, and ground-truth reachability datasets for validation.

Implementation Details

  • Reachability Witness Payload: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs (with .Path) -- witness payload with call path from entrypoint to vulnerable function.
  • Reachability Witness Statement: Statements/ReachabilityWitnessStatement.cs -- in-toto statement for DSSE signing.
  • Micro-Witness Function Evidence: Predicates/MicroWitnessFunctionEvidence.cs -- function-level evidence with call-stack depth and reachability status.
  • Micro-Witness Verdicts: Predicates/MicroWitnessVerdicts.cs -- per-function verdicts (Reachable, Unreachable, Unknown) with confidence scores.
  • Micro-Witness Binary Ref: Predicates/MicroWitnessBinaryRef.cs -- binary artifact reference.
  • Micro-Witness CVE Ref: Predicates/MicroWitnessCveRef.cs -- CVE reference with affected function.
  • Micro-Witness Tooling: Predicates/MicroWitnessTooling.cs -- analysis tool metadata (language, tool name, version).
  • Binary Micro-Witness Predicate: Predicates/BinaryMicroWitnessPredicate.cs -- complete micro-witness combining all references.
  • Witness Call Path Nodes: Statements/WitnessCallPathNode.cs -- call path node. WitnessPathNode.cs -- generic path node.
  • Witness Gate Info: Statements/WitnessGateInfo.cs -- security gates along the path.
  • VEX Integration: Generators/VexProofIntegrator.cs -- uses reachability evidence to prioritize VEX decisions.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/BinaryMicroWitnessPredicateTests.cs, ReachabilityWitnessTests.cs

E2E Test Plan

  • Create a ReachabilityWitnessPayload with a reachable call path and verify it can prioritize a CVE as high-priority
  • Create a MicroWitnessVerdicts entry with "Unreachable" for a critical CVE and verify it deprioritizes the finding
  • Create function evidence with MicroWitnessFunctionEvidence at call-stack depth 0 through 5 and verify depth tracking
  • Sign a ReachabilityWitnessStatement into a DSSE envelope and verify the signature
  • Build a complete BinaryMicroWitnessPredicate with binary ref, CVE ref, function evidence, and SBOM ref; verify all fields
  • Verify MicroWitnessTooling distinguishes between language-specific tools (Java call graph vs Python AST analyzer)
  • Integrate reachability evidence into a VEX decision via VexProofIntegrator: unreachable function -> "not_affected" status
  • Create witnesses for multiple CVEs on the same component and verify per-CVE prioritization