stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4823f46c4bc090294580a9136fb6b0e11e50f9
git.stella-ops.org/docs/features/unchecked/attestor/verdict-delta-taxonomy.md

2.9 KiB
Raw Blame History

Verdict Delta Taxonomy

Module

Attestor

Status

IMPLEMENTED

Description

Decision delta taxonomy tracking policy outcome changes (PASS to FAIL) and explanation drivers between baselines.

Implementation Details

  • Delta Verdict Predicate: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/DeltaVerdictPredicate.cs (with .Budget) -- predicate capturing verdict changes between two baselines, including budget-related delta analysis.
  • Delta Verdict Change: Predicates/DeltaVerdictChange.cs -- individual verdict change record (e.g., PASS->FAIL, FAIL->PASS) with the change driver.
  • Delta Finding Key: Predicates/DeltaFindingKey.cs -- key identifying the specific finding whose verdict changed (CVE + component PURL).
  • Verdict Delta Predicate: Predicates/VerdictDeltaPredicate.cs -- top-level predicate for verdict delta attestations.
  • Verdict Delta Summary: Predicates/VerdictDeltaSummary.cs -- summary statistics of verdict changes (added, removed, changed counts).
  • Verdict Finding Change: Predicates/VerdictFindingChange.cs -- detailed change record for a specific finding's verdict transition.
  • Verdict Rule Change: Predicates/VerdictRuleChange.cs -- records policy rule changes that drove the verdict transition.
  • Verdict Summary: Predicates/VerdictSummary.cs -- summary of the overall verdict state at a point in time.
  • Delta Verdict Statement: Statements/DeltaVerdictStatement.cs -- in-toto statement wrapping the delta verdict predicate.
  • Change Trace Attestation Service: ChangeTrace/ChangeTraceAttestationService.cs (with .Helpers, .Mapping) -- service that generates change trace attestations including verdict deltas.
  • Change Trace Delta Entry: Predicates/ChangeTraceDeltaEntry.cs -- entry in the change trace capturing a single delta event.
  • Trust Delta Record: Predicates/TrustDeltaRecord.cs -- records trust score changes between baselines.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/

E2E Test Plan

  • Create a DeltaVerdictPredicate comparing two baselines where one CVE changed from PASS to FAIL; verify the DeltaVerdictChange captures the transition
  • Verify VerdictDeltaSummary correctly counts: 1 added finding, 2 removed findings, 1 changed verdict
  • Create a delta where a policy rule change drove the verdict transition and verify VerdictRuleChange identifies the rule
  • Generate a change trace via ChangeTraceAttestationService with verdict deltas and verify the attestation includes all delta entries
  • Verify DeltaFindingKey uniqueness: two changes for the same CVE+PURL are correctly correlated
  • Create a delta with budget impact (.Budget) and verify the budget-related delta fields are populated
  • Build a DeltaVerdictStatement and verify it is a valid in-toto statement with the correct predicate type URI
  • Compare two identical baselines and verify the delta predicate reports zero changes