git.stella-ops.org/docs/features/unchecked/attestor/reachability-drift-detection-and-delta-evidence.md

Reachability Drift Detection and Delta Evidence

Module: Attestor

Status: IMPLEMENTED

Description

Reachability drift predicates that track new and removed call paths to vulnerable functions between scans, carrying drift analysis metadata, delta summaries against a baseline, and a record of every reachability status flip (for example Unreachable to Reachable) between the two scans.

Implementation Details

  • Reachability Drift Predicate: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/ReachabilityDriftPredicate.cs -- predicate capturing reachability status changes between scans (new paths, removed paths, unchanged paths).
  • Drift Analysis Metadata: Predicates/DriftAnalysisMetadata.cs -- metadata about the drift analysis (baseline scan ID, current scan ID, timestamp, tool). Also in Statements/DriftAnalysisMetadata.cs.
  • Drift Image Reference: Predicates/DriftImageReference.cs -- image reference for the baseline and current scan.
  • Drift Predicate Summary: Predicates/DriftPredicateSummary.cs -- summary of drift counts (new paths, removed paths, flipped statuses).
  • Drift Scanner Info: Predicates/DriftScannerInfo.cs -- scanner that produced the drift data. Also in Statements/DriftScannerInfo.cs.
  • Drifted Sink Predicate Summary: Predicates/DriftedSinkPredicateSummary.cs -- summary of drifted vulnerable sinks.
  • Reachability Drift Payload: Statements/ReachabilityDriftPayload.cs -- in-toto payload for drift data.
  • Reachability Drift Statement: Statements/ReachabilityDriftStatement.cs -- in-toto statement wrapping the drift payload.
  • Drift Summary: Statements/DriftSummary.cs -- statement-level drift summary. DriftedSinkSummary.cs -- per-sink drift summary.
  • Change Trace: ChangeTrace/ChangeTraceAttestationService.cs (with .Helpers, .Mapping) -- creates change trace attestations for drift events.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/ReachabilityDriftTests.cs

E2E Test Plan

  • Create a ReachabilityDriftPredicate with 2 new paths, 1 removed path, and verify the drift data is correct
  • Verify DriftAnalysisMetadata captures baseline and current scan IDs, timestamps, and tool info
  • Verify DriftPredicateSummary correctly counts new, removed, and unchanged paths
  • Detect a reachability status flip (Unreachable -> Reachable) between scans and verify it is flagged in the drift
  • Build a ReachabilityDriftStatement and sign it; verify the DSSE envelope contains the drift payload
  • Create drift data for multiple sinks and verify DriftedSinkPredicateSummary tracks per-sink drift
  • Create a ChangeTraceAttestationService attestation for the drift event and verify it links to baseline and current evidence
  • Verify DriftImageReference correctly identifies the container image versions being compared
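As an added example that is not part of this page or of the StellaOps code base, the C# below models the drift computation described in the implementation details and the signed statement exercised by the E2E plan: new, removed and unchanged paths are computed as set differences over call-path identities, each tracked vulnerable sink gets a status flip flag, and the result is wrapped in an in-toto statement inside a DSSE envelope that is then verified. Every type and field name (CallPath, ScanResult, SinkDrift, ReachabilityDrift, DriftAnalyzer, DsseEnvelope), the predicate type URI, the image digests and the choice of ECDSA P-256 are assumptions of this example, not the project's own types or conventions.

```csharp
// Added example, not StellaOps code: a minimal model of reachability drift between two scans
// and a DSSE-wrapped in-toto statement carrying it. All type and field names are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// One call path from an entry point to a vulnerable sink; sink plus node chain identifies it.
public sealed record CallPath(string Sink, string[] Nodes) { public string Key => Sink + "|" + string.Join("->", Nodes); }
public sealed record ScanResult(string ScanId, string ImageRef, string ImageDigest, CallPath[] Paths);
public sealed record SinkDrift(string Sink, string Baseline, string Current, bool Flipped);
public sealed record ReachabilityDrift(string BaselineScanId, string CurrentScanId, string BaselineImage,
    string CurrentImage, CallPath[] NewPaths, CallPath[] RemovedPaths, CallPath[] UnchangedPaths, SinkDrift[] Sinks)
{
    // Summary counts are derived from the detail lists, so summary and detail can never disagree.
    public int NewCount => NewPaths.Length;
    public int RemovedCount => RemovedPaths.Length;
    public int UnchangedCount => UnchangedPaths.Length;
    public int FlipCount => Sinks.Count(s => s.Flipped);
}
public static class DriftAnalyzer
{
    static string Status(bool reachable) => reachable ? "Reachable" : "Unreachable";
    // Ordinal sorting makes the predicate byte-stable: the same inputs always attest the same bytes.
    static CallPath[] Sorted(IEnumerable<CallPath> ps) => ps.OrderBy(p => p.Key, StringComparer.Ordinal).ToArray();
    public static ReachabilityDrift Compare(ScanResult baseline, ScanResult current, IEnumerable<string> vulnerableSinks)
    {
        var before = baseline.Paths.Select(p => p.Key).ToHashSet();
        var after = current.Paths.Select(p => p.Key).ToHashSet();
        var baseSinks = baseline.Paths.Select(p => p.Sink).ToHashSet();
        var curSinks = current.Paths.Select(p => p.Sink).ToHashSet();
        // A sink is Reachable in a scan when at least one call path to it exists in that scan.
        var sinks = vulnerableSinks.Distinct().OrderBy(s => s, StringComparer.Ordinal)
            .Select(s => new SinkDrift(s, Status(baseSinks.Contains(s)), Status(curSinks.Contains(s)),
                                       baseSinks.Contains(s) != curSinks.Contains(s))).ToArray();
        return new ReachabilityDrift(baseline.ScanId, current.ScanId, baseline.ImageDigest, current.ImageDigest,
            Sorted(current.Paths.Where(p => !before.Contains(p.Key))),
            Sorted(baseline.Paths.Where(p => !after.Contains(p.Key))),
            Sorted(current.Paths.Where(p => before.Contains(p.Key))), sinks);
    }
}
public static class DsseEnvelope
{
    const string PayloadType = "application/vnd.in-toto+json";
    const string PredicateType = "https://example.invalid/reachability-drift/v0"; // placeholder, not the project's URI
    // DSSE pre-authentication encoding: "DSSEv1 <len(type)> <type> <len(body)> <body>".
    static byte[] Pae(byte[] body) =>
        Encoding.UTF8.GetBytes($"DSSEv1 {Encoding.UTF8.GetByteCount(PayloadType)} {PayloadType} {body.Length} ").Concat(body).ToArray();
    public static string Sign(ReachabilityDrift drift, string imageRef, ECDsa key, string keyId)
    {
        var statement = new
        {
            _type = "https://in-toto.io/Statement/v1",
            subject = new[] { new { name = imageRef, digest = new { sha256 = drift.CurrentImage } } },
            predicateType = PredicateType,
            predicate = drift,
        };
        var payload = JsonSerializer.SerializeToUtf8Bytes(statement);
        var sig = key.SignData(Pae(payload), HashAlgorithmName.SHA256);
        return JsonSerializer.Serialize(new
        {
            payloadType = PayloadType,
            payload = Convert.ToBase64String(payload),
            signatures = new[] { new { keyid = keyId, sig = Convert.ToBase64String(sig) } },
        });
    }
    // Verification re-derives the PAE from the envelope itself rather than trusting a caller-supplied digest.
    public static bool Verify(string envelopeJson, ECDsa key)
    {
        using var doc = JsonDocument.Parse(envelopeJson);
        var root = doc.RootElement;
        if (root.GetProperty("payloadType").GetString() != PayloadType) return false;
        var pae = Pae(Convert.FromBase64String(root.GetProperty("payload").GetString()!));
        return root.GetProperty("signatures").EnumerateArray().Any(s =>
            key.VerifyData(pae, Convert.FromBase64String(s.GetProperty("sig").GetString()!), HashAlgorithmName.SHA256));
    }
}
public static class Program
{
    public static void Main()
    {
        // Constructed sample scans: one unchanged path, one removed, two new; libbar:exec flips to Reachable.
        var baseline = new ScanResult("scan-001", "registry.example/app:1.0", "<baseline-digest-hex>", new[] {
            new CallPath("libfoo:parse", new[] { "main", "handler", "libfoo:parse" }),
            new CallPath("libfoo:parse", new[] { "main", "cli", "libfoo:parse" }) });
        var current = new ScanResult("scan-002", "registry.example/app:1.1", "<current-digest-hex>", new[] {
            new CallPath("libfoo:parse", new[] { "main", "handler", "libfoo:parse" }),
            new CallPath("libfoo:parse", new[] { "main", "worker", "libfoo:parse" }),
            new CallPath("libbar:exec", new[] { "main", "plugin", "libbar:exec" }) });
        var drift = DriftAnalyzer.Compare(baseline, current, new[] { "libfoo:parse", "libbar:exec" });
        Console.WriteLine($"new={drift.NewCount} removed={drift.RemovedCount} unchanged={drift.UnchangedCount} flips={drift.FlipCount}");
        foreach (var s in drift.Sinks.Where(s => s.Flipped)) Console.WriteLine($"flip: {s.Sink} {s.Baseline} -> {s.Current}");
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var envelope = DsseEnvelope.Sign(drift, current.ImageRef, key, "drift-key-1");
        Console.WriteLine($"envelope verifies: {DsseEnvelope.Verify(envelope, key)}");
    }
}
```

Drop this into a fresh `dotnet new console` project as Program.cs and run it; the constructed scans yield two new paths, one removed, one unchanged and a single Unreachable -> Reachable flip on libbar:exec, and the envelope verifies against the signing key. Two design choices matter for evidence of this kind: path lists are sorted ordinally so that identical scans produce byte-identical payloads (and therefore identical signatures and content addresses), and the summary counts are computed from the detail lists rather than stored separately, so a summary can never claim fewer flips than the evidence contains. The verifier rebuilds the PAE from the received envelope, rejects an unexpected payload type, and accepts on any verifying signature; a production verifier would additionally require the keyid to map to a trusted key before checking the signature.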