Gaps fill up, fixes, ui restructuring
@@ -21,7 +21,7 @@ Source: internal advisories "23-Nov-2025 - Stella Ops vs Competitors" and "09-Ja
| **CI/CD Tools** | GitHub Actions, Jenkins, GitLab CI | Running pipelines, build automation | No central release authority; no audit-grade evidence; deployment is afterthought |
| **CD Orchestrators** | Octopus, Harness, Spinnaker | Deployment automation, Kubernetes | Security is bolt-on; non-K8s is second-class; pricing punishes automation |
| **Registries** | Harbor, JFrog Artifactory | Artifact storage, scanning | No release governance; no promotion workflows; no deployment execution |
| **Scanners/CNAPP** | Trivy, Snyk, Aqua | Vulnerability detection | No release orchestration; findings don't integrate with promotion gates |
| **Scanners/CNAPP** | Trivy, Snyk, Aqua (incl. VEX Hub) | Vulnerability detection; centralized VEX consumption (Aqua VEX Hub) | No release orchestration; findings don't integrate with promotion gates; VEX Hub reduces noise but lacks lattice logic and provenance |
### Stella Ops Suite Positioning
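Review bot: The updated Scanners/CNAPP row asserts that Aqua VEX Hub "lacks lattice logic and provenance" but, unlike the gap table and snapshot table later in this doc, carries no claim ID tying it to `claims-citation-index.md`; add an entry there for the VEX Hub assessment and cite it from the row so the statement is checkable under the stated verification method. The original Scanners/CNAPP row also still appears directly above the new one in this hunk; confirm it is the removed side of the diff and not a leftover duplicate in the rendered table.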
@@ -100,9 +100,9 @@ These comparisons focus on where release governance, evidence export, and audit
| Field | Value |
|-------|-------|
| **Last Updated** | 2026-01-03 |
| **Last Verified** | 2025-12-14 |
| **Next Review** | 2026-03-14 |
| **Last Updated** | 2026-02-19 |
| **Last Verified** | 2026-02-19 |
| **Next Review** | 2026-05-19 |
| **Claims Index** | [`docs/product/claims-citation-index.md`](claims-citation-index.md) |
| **Verification Method** | Source code audit (OSS), documentation review, feature testing |
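Review bot: "Last Verified" is bumped to 2026-02-19 together with "Last Updated", but only the rows added in this commit carry a 2026-02-19 verification date; the earlier gap-table rows still show 2025-12-14, so a document-wide Last Verified of 2026-02-19 overstates what was re-checked under the stated verification method (source code audit, documentation review, feature testing). Either keep Last Verified at 2025-12-14 and let the per-row dates carry the incremental verification, or add a note in the table that only the 2026-02-19 rows were re-verified. The Next Review date of 2026-05-19 does preserve the three-month cadence of the previous 2025-12-14 / 2026-03-14 pair.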
@@ -123,6 +123,8 @@ The scanner market evolved from three distinct origins. Each origin created arch
| **Developer UX** | Snyk | IDE integration, fix PRs, onboarding | SaaS-only (offline impossible); no attestation infrastructure; reachability limited to specific languages |
| **Policy/Compliance** | Prisma Cloud, Aqua | Runtime protection, CNAPP breadth | No deterministic replay; no cryptographic provenance for verdicts; no semantic diff |
| **SBOM Operations** | Anchore | SBOM storage, lifecycle | No lattice VEX reasoning; no signed reachability graphs; no regional crypto profiles |
| **Supply Chain Evidence** | Docker Scout, JFrog | SBOM/VEX/provenance attestations; signed evidence collection | Evidence is SBOM/VEX/provenance-level; no symbolized call-stack proofs; no deterministic signed scoring envelopes; no replayable micro-witnesses; no size-aware Rekor pointer strategy; no formal VEX lattice reasoning |
| **Runtime Exploitability** | Oligo Security | Runtime call-stack evidence showing where vulns actually execute | Runtime-only; not an SBOM/VEX integrator; no deterministic replay; no lattice VEX; no offline/air-gap; no signed reachability graphs; single signal source vs. Stella's three-layer fusion |
### The Core Problem
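Review bot: The context line at the top of this hunk still reads "The scanner market evolved from three distinct origins", but with "Supply Chain Evidence" and "Runtime Exploitability" added the table now lists at least five origin categories; update that lead sentence (and the "Each origin created ..." reasoning that follows it) to match the new row count. The Oligo row's "Stella's three-layer fusion" is also undefined on this page; link it to the section or claim ID that names the three signal layers so the comparison can be checked rather than taken on trust.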
@@ -195,13 +197,17 @@ This isn't a feature gap—it's a category difference. Retrofitting it requires:
| **No signed reachability** | Reachability claims are assertions, not proofs. There's no cryptographic binding between "this CVE is reachable" and the call path that proves it. | COMP-GRYPE-001, REACH-002 | 2025-12-14 |
| **No semantic diff** | Tools report "+3 CVEs" without context. They can't say "exploitable surface decreased despite new CVEs" because they don't track reachability deltas. | — | 2025-12-14 |
| **Offline/sovereign gaps** | Snyk is SaaS-only. Others have partial offline support but no regional crypto (GOST, SM2, eIDAS) and no sealed knowledge snapshots for air-gapped reproducibility. | COMP-SNYK-003, ATT-004 | 2025-12-14 |
| **No symbolized call-stack proofs** | Docker Scout, Trivy, and JFrog produce SBOM/VEX/provenance attestations but none deliver symbolized, replayable call-stack evidence tied to the shipping binary. Stella provides DSSE-signed reachability graphs with demangled symbols, build-ID binding, and edge-bundle attestations. | REACH-002, REACH-005, REACH-006 | 2026-02-19 |
| **No deterministic signed scoring** | JFrog centralizes signed evidence but doesn't produce deterministic scoring envelopes that can be re-computed. Stella's Policy Engine produces seeded, deterministic verdicts signed via DSSE with full intermediate state for byte-for-byte replay. | DET-001, DET-004, PROOF-003 | 2026-02-19 |
| **No Rekor size-aware strategy** | Public Rekor has ~100 KB upload limits. Docker Scout and Trivy submit attestations without addressing this. Stella uses hash-pointer-in-Rekor + full-payload-in-vault (Evidence Locker CAS) with detached payload references, solving the size/UX gap. | ATT-005 | 2026-02-19 |
## Snapshot table (condensed)
| Vendor | SBOM Gen | SBOM Ingest | Attest (DSSE) | Rekor | Offline | Primary gaps vs Stella | Related Claims |
|--------|----------|-------------|---------------|-------|---------|------------------------|----------------|
| Trivy | Yes | Yes | Cosign | Query | Strong | No replay, no lattice | COMP-TRIVY-001, COMP-TRIVY-002, COMP-TRIVY-003 |
| Trivy | Yes | Yes | Cosign | Query | Strong | No replay, no lattice, no symbolized call-stacks | COMP-TRIVY-001, COMP-TRIVY-002, COMP-TRIVY-003 |
| Syft/Grype | Yes | Yes | Cosign-only | Indir | Medium | No replay, no lattice | COMP-GRYPE-001, COMP-GRYPE-002, COMP-GRYPE-003 |
| Docker Scout | Yes | Yes | Cosign (DHI) | Query | Medium | SBOM/VEX/provenance attestations via cosign, but no signed reachability, no deterministic replay, no call-stack symbolization, no lattice VEX | COMP-SCOUT-001, COMP-SCOUT-002 |
| Snyk | Yes | Limited | No | No | Weak | No attest/VEX/replay | COMP-SNYK-001, COMP-SNYK-002, COMP-SNYK-003 |
| Prisma | Yes | Limited | No | No | Strong | No attest/replay | — |
| AWS (Inspector/Signer) | Partial | Partial | Notary v2 | No | Weak | Closed, no replay | — |
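Review bot: The three new gap rows (symbolized call-stack proofs, deterministic signed scoring, Rekor size-aware strategy) cite only Stella-side claim IDs (REACH-, DET-, PROOF-, ATT-), whereas the existing rows pair each competitor assertion with a COMP- ID (COMP-GRYPE-001, COMP-SNYK-003). The snapshot table below already carries COMP-SCOUT-001/002, COMP-TRIVY-001 to -003 and COMP-JFROG-001/002, so add the matching COMP- IDs to the Related Claims column of these rows so the statements about what Docker Scout, Trivy and JFrog lack are traceable on the competitor side too. The "~100 KB" Rekor limit in the last row is a specific figure that can change with the public instance's configuration; anchor it to a dated source under ATT-005 rather than leaving it as an unsourced number in the row text.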
@@ -210,10 +216,11 @@ This isn't a feature gap—it's a category difference. Retrofitting it requires:
| GitLab | Yes | Limited | Partial | No | Medium | No replay/lattice | — |
| Microsoft Defender | Partial | Partial | No | No | Weak | No attest/reachability | — |
| Anchore Enterprise | Yes | Yes | Some | No | Good | No sovereign crypto | — |
| JFrog Xray | Yes | Yes | No | No | Medium | No attest/lattice | — |
| JFrog (Xray + Evidence) | Yes | Yes | Signed evidence | No | Medium | Centralized signed evidence collection but no deterministic replay, no lattice VEX, no signed reachability graphs, no call-stack replay | COMP-JFROG-001, COMP-JFROG-002 |
| Tenable | Partial | Limited | No | No | Weak | Not SBOM/VEX-focused | — |
| Qualys | Limited | Limited | No | No | Medium | No attest/lattice | — |
| Rezilion | Yes | Yes | No | No | Medium | Runtime-only; no DSSE | — |
| Oligo Security | No | No | No | No | No | Runtime call-stack evidence only; no SBOM/VEX/attestation integration; no replay | COMP-OLIGO-001 |
| Chainguard | Yes | Yes | Yes | Yes | Medium | No replay/lattice | — |
## How to use this doc
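Review bot: The new Oligo Security row puts "No" in the Offline column, while every other row uses the strength scale (Strong/Good/Medium/Weak); use "Weak" or "N/A" so the column keeps one vocabulary. Likewise the JFrog (Xray + Evidence) row answers the "Attest (DSSE)" column with "Signed evidence", which does not say whether that evidence is DSSE-enveloped; state "DSSE" or "Signed (non-DSSE)" explicitly, the way the Trivy and Docker Scout rows name Cosign. The old "JFrog Xray" row still appears directly above its replacement in this hunk; confirm it is the removed side of the diff rather than a second JFrog entry.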
@@ -281,4 +288,5 @@ This isn't a feature gap—it's a category difference. Retrofitting it requires:
## Sources
- Full advisory: `docs/product/advisories/23-Nov-2025 - Stella Ops vs Competitors.md`
- VEX/call-stack/determinism advisory (archived, no gaps): `docs-archived/product/advisories/2026-02-19-vex-callstack-determinism-competitive-landscape.md`
- Claims Citation Index: `docs/product/claims-citation-index.md`
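Review bot: The parenthetical "(archived, no gaps)" on the new advisory source is ambiguous: it could mean the advisory reports no open gaps, or that this doc has absorbed every item from it (the commit message's "Gaps fill up"). Spell it out, for example "archived; all items incorporated into this doc as of 2026-02-19". Since the file lives under `docs-archived/` while the other two sources live under `docs/`, also say whether readers verifying the 2026-02-19 rows should treat that archived file as frozen or expect it to be maintained.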