Add support for CERT/CC dranzer ActiveX/COM control test reports as a first-class material type (CERTCC_DRANZER). The raw plain-text report is attested verbatim while a structured JSON projection (run summary, per-object metadata and error/access-violation findings) is generated on the fly for the policy engine, following the SYSINTERNALS_ACCESSCHK and SYSINTERNALS_SIGCHECK pattern.
Assisted-by: Claude Code
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
Chainloop-Trace-Sessions: f09b8b6c-a7ce-43df-b75b-6e4e3687bdd6
Summary
Adds CERT/CC dranzer ActiveX/COM control test reports as a first-class material type (CERTCC_DRANZER).
Dranzer fuzz-tests ActiveX/COM controls and emits a free-form plain-text report. The raw report is attested verbatim in the CAS, while a structured JSON projection is generated on the fly for the policy engine — the run summary counters, per-object identity/version metadata, and error/access-violation findings — following the existing SYSINTERNALS_ACCESSCHK and SYSINTERNALS_SIGCHECK material types.
The parser is tolerant of dranzer's undocumented, ANSI-encoded output: invalid byte sequences are sanitized, the full original text is always preserved for policy string-matching fallbacks, and the output-format handling was verified against the dranzer source.
Refs PFM-6359
AI assistance
This change was produced with assistance from Claude Code, disclosed via the Assisted-by trailer on the commit.