stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4823f46c4bc090294580a9136fb6b0e11e50f9
git.stella-ops.org/docs/features/unchecked/attestor/vex-integration-with-proof-carrying-verdicts.md

3.0 KiB
Raw Blame History

VEX Integration with Proof-Carrying Verdicts

Module

Attestor

Status

IMPLEMENTED

Description

VEX verdicts carry cryptographic proof references (proof_ref, proof_method, proof_confidence, evidence_summary). ProofAwareVexGenerator in Scanner orchestrates end-to-end flow: scanner detects CVE, BackportProofService generates proof, VexProofIntegrator embeds proof metadata in VEX verdict.

Implementation Details

  • VEX Proof Integrator: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs (with .Helpers, .Metadata) -- embeds proof metadata (proof_ref, proof_method, proof_confidence) into VEX verdicts, linking verdicts to cryptographic evidence.
  • VEX Verdict Proof Payload: Generators/VexVerdictProofPayload.cs -- payload containing the VEX verdict with embedded proof references and evidence summary.
  • Backport Proof Generator: Generators/BackportProofGenerator.cs (with .CombineEvidence, .Confidence, .Status, .Tier1, .Tier2, .Tier3, .Tier3Signature, .Tier4, .VulnerableUnknown) -- generates multi-tier confidence-scored backport proofs that are referenced by VEX verdicts.
  • Evidence Summary: Generators/EvidenceSummary.cs -- summary of evidence items supporting the VEX verdict (proof count, confidence range, evidence types).
  • VEX Attestation Predicate: Predicates/VexAttestationPredicate.cs -- attestation predicate with proof-carrying verdict data.
  • VEX Verdict Summary: Predicates/VexVerdictSummary.cs -- summary of proof-carrying VEX verdicts.
  • VEX Verdict ID: Identifiers/VexVerdictId.cs -- content-addressed ID for the proof-carrying verdict.
  • Binary Fingerprint Evidence Generator: Generators/BinaryFingerprintEvidenceGenerator.cs (with .Helpers) -- generates binary fingerprint evidence used as proof for VEX verdicts.
  • VEX Verdict Statement: Statements/VexVerdictStatement.cs -- in-toto statement wrapping the proof-carrying verdict.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/

E2E Test Plan

  • Generate a backport proof via BackportProofGenerator.Tier1 (exact version match) with confidence 0.98 and verify the proof payload is created
  • Embed the proof into a VEX verdict via VexProofIntegrator and verify the verdict contains proof_ref, proof_method="backport_tier1", and proof_confidence=0.98
  • Generate a Tier3 proof (signature-based) and embed in VEX; verify proof_method="backport_tier3_signature" and confidence range 0.80-0.90
  • Verify EvidenceSummary reports correct counts: create a verdict with 3 evidence items and verify the summary has count=3
  • Create a proof-carrying VEX verdict for a not_affected CVE and verify the proof_ref points to a valid content-addressed proof bundle
  • Generate a VexVerdictId from the proof-carrying verdict and verify it is deterministic
  • Build a VexVerdictStatement with proof references and verify it is a valid in-toto statement
  • Create a VEX verdict without proof and verify proof_ref is null, proof_confidence is 0, indicating no proof backing