feat(api): Implement Console Export Client and Models

- Added ConsoleExportClient for managing export requests and responses.
- Introduced ConsoleExportRequest and ConsoleExportResponse models.
- Implemented methods for creating and retrieving exports with appropriate headers.

feat(crypto): Add Software SM2/SM3 Cryptography Provider

- Implemented SmSoftCryptoProvider for software-only SM2/SM3 cryptography.
- Added support for signing and verification using SM2 algorithm.
- Included hashing functionality with SM3 algorithm.
- Configured options for loading keys from files and environment gate checks.

test(crypto): Add unit tests for SmSoftCryptoProvider

- Created comprehensive tests for signing, verifying, and hashing functionalities.
- Ensured correct behavior for key management and error handling.

feat(api): Enhance Console Export Models

- Expanded ConsoleExport models to include detailed status and event types.
- Added support for various export formats and notification options.

test(time): Implement TimeAnchorPolicyService tests

- Developed tests for TimeAnchorPolicyService to validate time anchors.
- Covered scenarios for anchor validation, drift calculation, and policy enforcement.
StellaOps Bot
2025-12-07 00:27:33 +02:00
parent 9bd6a73926
commit 0de92144d2
229 changed files with 32351 additions and 1481 deletions


@@ -0,0 +1,532 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/authority-production-signing.schema.json",
"title": "StellaOps Authority Production Signing Schema",
"description": "Schema for production DSSE signing keys, key management, and artifact signing workflows. Unblocks AUTH-GAPS-314-004, REKOR-RECEIPT-GAPS-314-005 (2+ tasks).",
"type": "object",
"definitions": {
"SigningKey": {
"type": "object",
"description": "Production signing key configuration",
"required": ["key_id", "algorithm", "purpose"],
"properties": {
"key_id": {
"type": "string",
"description": "Unique key identifier"
},
"algorithm": {
"type": "string",
"enum": ["ecdsa-p256", "ecdsa-p384", "ed25519", "rsa-2048", "rsa-4096"],
"description": "Signing algorithm"
},
"purpose": {
"type": "string",
"enum": ["artifact_signing", "attestation", "timestamp", "code_signing", "sbom_signing"],
"description": "Key purpose"
},
"key_type": {
"type": "string",
"enum": ["software", "hsm", "kms", "yubikey"],
"description": "Key storage type"
},
"public_key": {
"type": "string",
"description": "PEM-encoded public key"
},
"public_key_fingerprint": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "SHA-256 fingerprint of public key"
},
"certificate": {
"$ref": "#/definitions/SigningCertificate"
},
"created_at": {
"type": "string",
"format": "date-time"
},
"expires_at": {
"type": "string",
"format": "date-time"
},
"status": {
"type": "string",
"enum": ["active", "pending_rotation", "revoked", "expired"],
"default": "active"
},
"rotation_policy": {
"$ref": "#/definitions/KeyRotationPolicy"
},
"metadata": {
"type": "object",
"additionalProperties": true
}
}
},
"SigningCertificate": {
"type": "object",
"description": "X.509 certificate for signing key",
"properties": {
"certificate_pem": {
"type": "string",
"description": "PEM-encoded certificate"
},
"issuer": {
"type": "string"
},
"subject": {
"type": "string"
},
"serial_number": {
"type": "string"
},
"not_before": {
"type": "string",
"format": "date-time"
},
"not_after": {
"type": "string",
"format": "date-time"
},
"chain": {
"type": "array",
"items": {
"type": "string"
},
"description": "Certificate chain (PEM)"
}
}
},
"KeyRotationPolicy": {
"type": "object",
"description": "Key rotation policy",
"properties": {
"rotation_interval_days": {
"type": "integer",
"minimum": 1,
"description": "Days between rotations"
},
"overlap_period_days": {
"type": "integer",
"minimum": 1,
"description": "Days both keys are valid"
},
"auto_rotate": {
"type": "boolean",
"default": false
},
"notify_before_days": {
"type": "integer",
"description": "Days before expiry to notify"
}
}
},
"SigningRequest": {
"type": "object",
"description": "Request to sign an artifact",
"required": ["artifact_type", "artifact_digest"],
"properties": {
"request_id": {
"type": "string",
"format": "uuid"
},
"artifact_type": {
"type": "string",
"enum": ["container_image", "sbom", "vex", "attestation", "policy_pack", "evidence_bundle"],
"description": "Type of artifact to sign"
},
"artifact_digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "SHA-256 digest of artifact"
},
"artifact_uri": {
"type": "string",
"format": "uri",
"description": "URI to artifact (optional)"
},
"key_id": {
"type": "string",
"description": "Specific key to use (uses default if not specified)"
},
"signature_format": {
"type": "string",
"enum": ["dsse", "cosign", "gpg", "jws"],
"default": "dsse"
},
"annotations": {
"type": "object",
"additionalProperties": {
"type": "string"
},
"description": "Annotations to include in signature"
},
"transparency_log": {
"type": "boolean",
"default": true,
"description": "Upload to transparency log (Rekor)"
},
"timestamp": {
"type": "boolean",
"default": true,
"description": "Include RFC 3161 timestamp"
}
}
},
"SigningResponse": {
"type": "object",
"description": "Signing operation result",
"required": ["signature_id", "artifact_digest", "signature"],
"properties": {
"signature_id": {
"type": "string",
"format": "uuid"
},
"artifact_digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"signature": {
"type": "string",
"description": "Base64-encoded signature"
},
"signature_format": {
"type": "string",
"enum": ["dsse", "cosign", "gpg", "jws"]
},
"key_id": {
"type": "string"
},
"signed_at": {
"type": "string",
"format": "date-time"
},
"certificate": {
"type": "string",
"description": "Signing certificate (PEM)"
},
"chain": {
"type": "array",
"items": {
"type": "string"
}
},
"transparency_log_entry": {
"$ref": "#/definitions/TransparencyLogEntry"
},
"timestamp_response": {
"type": "string",
"description": "RFC 3161 timestamp response (base64)"
}
}
},
"TransparencyLogEntry": {
"type": "object",
"description": "Rekor transparency log entry",
"properties": {
"log_id": {
"type": "string",
"description": "Log instance identifier"
},
"log_index": {
"type": "integer",
"description": "Entry index in log"
},
"entry_uuid": {
"type": "string",
"description": "Entry UUID"
},
"integrated_time": {
"type": "string",
"format": "date-time"
},
"inclusion_proof": {
"$ref": "#/definitions/InclusionProof"
},
"verification_url": {
"type": "string",
"format": "uri"
}
}
},
"InclusionProof": {
"type": "object",
"description": "Merkle tree inclusion proof",
"properties": {
"tree_size": {
"type": "integer"
},
"root_hash": {
"type": "string"
},
"hashes": {
"type": "array",
"items": {
"type": "string"
}
},
"log_index": {
"type": "integer"
}
}
},
"VerificationRequest": {
"type": "object",
"description": "Request to verify a signature",
"required": ["artifact_digest", "signature"],
"properties": {
"artifact_digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"signature": {
"type": "string",
"description": "Base64-encoded signature"
},
"certificate": {
"type": "string",
"description": "Expected signing certificate (optional)"
},
"trusted_roots": {
"type": "array",
"items": {
"type": "string"
},
"description": "Trusted root certificates (PEM)"
},
"verify_transparency_log": {
"type": "boolean",
"default": true
},
"verify_timestamp": {
"type": "boolean",
"default": true
}
}
},
"VerificationResponse": {
"type": "object",
"description": "Signature verification result",
"required": ["verified", "artifact_digest"],
"properties": {
"verified": {
"type": "boolean"
},
"artifact_digest": {
"type": "string"
},
"signer": {
"type": "string",
"description": "Signer identity from certificate"
},
"signed_at": {
"type": "string",
"format": "date-time"
},
"certificate_chain_valid": {
"type": "boolean"
},
"transparency_log_valid": {
"type": "boolean"
},
"timestamp_valid": {
"type": "boolean"
},
"errors": {
"type": "array",
"items": {
"type": "string"
}
},
"warnings": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"KeyRegistry": {
"type": "object",
"description": "Registry of signing keys",
"required": ["registry_id", "keys"],
"properties": {
"registry_id": {
"type": "string"
},
"version": {
"type": "string"
},
"updated_at": {
"type": "string",
"format": "date-time"
},
"keys": {
"type": "array",
"items": {
"$ref": "#/definitions/SigningKey"
}
},
"default_key_id": {
"type": "string",
"description": "Default key for signing operations"
},
"trusted_roots": {
"type": "array",
"items": {
"type": "string"
},
"description": "Trusted root certificates (PEM)"
},
"rekor_url": {
"type": "string",
"format": "uri",
"default": "https://rekor.sigstore.dev"
},
"tsa_url": {
"type": "string",
"format": "uri",
"description": "RFC 3161 timestamp authority URL"
}
}
},
"ProductionSigningConfig": {
"type": "object",
"description": "Production signing configuration",
"required": ["config_id"],
"properties": {
"config_id": {
"type": "string"
},
"environment": {
"type": "string",
"enum": ["development", "staging", "production"]
},
"key_registry": {
"$ref": "#/definitions/KeyRegistry"
},
"signing_policy": {
"$ref": "#/definitions/SigningPolicy"
},
"audit_config": {
"$ref": "#/definitions/AuditConfig"
}
}
},
"SigningPolicy": {
"type": "object",
"description": "Signing policy rules",
"properties": {
"require_approval": {
"type": "boolean",
"default": false,
"description": "Require approval for production signing"
},
"approvers": {
"type": "array",
"items": {
"type": "string"
}
},
"allowed_artifact_types": {
"type": "array",
"items": {
"type": "string"
}
},
"require_transparency_log": {
"type": "boolean",
"default": true
},
"require_timestamp": {
"type": "boolean",
"default": true
},
"max_signatures_per_key_per_day": {
"type": "integer"
}
}
},
"AuditConfig": {
"type": "object",
"description": "Audit logging configuration",
"properties": {
"log_all_requests": {
"type": "boolean",
"default": true
},
"log_verification_failures": {
"type": "boolean",
"default": true
},
"retention_days": {
"type": "integer",
"default": 365
},
"alert_on_anomaly": {
"type": "boolean",
"default": true
}
}
}
},
"properties": {
"config": {
"$ref": "#/definitions/ProductionSigningConfig"
}
},
"examples": [
{
"config": {
"config_id": "stellaops-prod-signing",
"environment": "production",
"key_registry": {
"registry_id": "stellaops-keys",
"version": "2025.10.0",
"updated_at": "2025-12-06T10:00:00Z",
"keys": [
{
"key_id": "stellaops-artifact-signing-2025",
"algorithm": "ecdsa-p256",
"purpose": "artifact_signing",
"key_type": "kms",
"public_key_fingerprint": "sha256:abc123def456789012345678901234567890123456789012345678901234abcd",
"created_at": "2025-01-01T00:00:00Z",
"expires_at": "2026-01-01T00:00:00Z",
"status": "active",
"rotation_policy": {
"rotation_interval_days": 365,
"overlap_period_days": 30,
"auto_rotate": false,
"notify_before_days": 60
}
},
{
"key_id": "stellaops-attestation-signing-2025",
"algorithm": "ecdsa-p256",
"purpose": "attestation",
"key_type": "kms",
"status": "active"
}
],
"default_key_id": "stellaops-artifact-signing-2025",
"rekor_url": "https://rekor.sigstore.dev",
"tsa_url": "https://timestamp.digicert.com"
},
"signing_policy": {
"require_approval": false,
"allowed_artifact_types": ["container_image", "sbom", "vex", "attestation", "policy_pack", "evidence_bundle"],
"require_transparency_log": true,
"require_timestamp": true,
"max_signatures_per_key_per_day": 10000
},
"audit_config": {
"log_all_requests": true,
"log_verification_failures": true,
"retention_days": 365,
"alert_on_anomaly": true
}
}
}
]
}
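Review bot: The root object declares `properties.config` but no `required`, and no object definition in this file closes itself (the only `additionalProperties` keywords are `SigningKey.metadata`, set to `true`, and the typed map on `SigningRequest.annotations`), so an empty `{}` or a config with a misspelled key such as `signing_polcy` validates cleanly and production signing would silently run with no policy or audit settings; add `"required": ["config"]` at the root and `"additionalProperties": false` on at least `ProductionSigningConfig`, `SigningPolicy` and `AuditConfig`. The subschemas live under `definitions` although `$schema` is draft 2020-12, whose reserved location is `$defs`; the `#/definitions/...` refs still resolve as JSON pointers, but validators generally treat the keyword as an unknown annotation, so moving it to `$defs` keeps the file self-consistent (the release-manifest and entrytrace schemas in this commit use the same layout and would want the same change). `KeyRotationPolicy.notify_before_days` and `SigningPolicy.max_signatures_per_key_per_day` carry no `minimum`, unlike the sibling `rotation_interval_days`; `"minimum": 0` and `"minimum": 1` respectively would match. `rekor_url` defaults to the public Sigstore instance with no `description`; since the release manifest in this commit defines an `airgap` profile, a one-line description saying offline deployments must override it would help operators.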



@@ -0,0 +1,684 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/production-release-manifest.schema.json",
"title": "StellaOps Production Release Manifest Schema",
"description": "Schema for production release manifests, image digests, and deployment artifacts. Unblocks DEPLOY-ORCH-34-001, DEPLOY-POLICY-27-001, and downstream deployment tasks (10+ tasks).",
"type": "object",
"definitions": {
"ReleaseManifest": {
"type": "object",
"description": "Production release manifest",
"required": ["release_id", "version", "services"],
"properties": {
"release_id": {
"type": "string",
"description": "Unique release identifier"
},
"version": {
"type": "string",
"pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+(-[a-z0-9.]+)?$",
"description": "Release version (semver)"
},
"codename": {
"type": "string",
"description": "Release codename"
},
"released_at": {
"type": "string",
"format": "date-time"
},
"release_notes_url": {
"type": "string",
"format": "uri"
},
"services": {
"type": "array",
"items": {
"$ref": "#/definitions/ServiceRelease"
}
},
"infrastructure": {
"$ref": "#/definitions/InfrastructureRequirements"
},
"migrations": {
"type": "array",
"items": {
"$ref": "#/definitions/MigrationStep"
}
},
"breaking_changes": {
"type": "array",
"items": {
"$ref": "#/definitions/BreakingChange"
}
},
"signatures": {
"type": "array",
"items": {
"$ref": "#/definitions/ReleaseSignature"
}
},
"manifest_digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
}
}
},
"ServiceRelease": {
"type": "object",
"description": "Individual service release information",
"required": ["service_id", "image", "digest"],
"properties": {
"service_id": {
"type": "string",
"description": "Service identifier"
},
"name": {
"type": "string"
},
"image": {
"type": "string",
"description": "Container image (without tag)"
},
"tag": {
"type": "string",
"description": "Image tag"
},
"digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Image digest for pinning"
},
"version": {
"type": "string",
"description": "Service version"
},
"config_version": {
"type": "string",
"description": "Configuration schema version"
},
"ports": {
"type": "array",
"items": {
"$ref": "#/definitions/PortMapping"
}
},
"health_check": {
"$ref": "#/definitions/HealthCheckConfig"
},
"resources": {
"$ref": "#/definitions/ResourceRequirements"
},
"dependencies": {
"type": "array",
"items": {
"type": "string"
},
"description": "Service IDs this depends on"
},
"environment_defaults": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"sbom_ref": {
"type": "string",
"format": "uri",
"description": "Reference to SBOM"
},
"attestation_ref": {
"type": "string",
"format": "uri",
"description": "Reference to build attestation"
}
}
},
"PortMapping": {
"type": "object",
"description": "Port mapping configuration",
"required": ["container_port"],
"properties": {
"name": {
"type": "string"
},
"container_port": {
"type": "integer"
},
"protocol": {
"type": "string",
"enum": ["tcp", "udp"],
"default": "tcp"
},
"service_port": {
"type": "integer"
}
}
},
"HealthCheckConfig": {
"type": "object",
"description": "Health check configuration",
"properties": {
"path": {
"type": "string",
"default": "/health"
},
"port": {
"type": "integer"
},
"interval_seconds": {
"type": "integer",
"default": 30
},
"timeout_seconds": {
"type": "integer",
"default": 10
},
"failure_threshold": {
"type": "integer",
"default": 3
},
"success_threshold": {
"type": "integer",
"default": 1
}
}
},
"ResourceRequirements": {
"type": "object",
"description": "Resource requirements",
"properties": {
"cpu_request": {
"type": "string",
"pattern": "^[0-9]+(m)?$"
},
"cpu_limit": {
"type": "string",
"pattern": "^[0-9]+(m)?$"
},
"memory_request": {
"type": "string",
"pattern": "^[0-9]+(Mi|Gi)$"
},
"memory_limit": {
"type": "string",
"pattern": "^[0-9]+(Mi|Gi)$"
},
"storage": {
"type": "string",
"pattern": "^[0-9]+(Mi|Gi|Ti)$"
}
}
},
"InfrastructureRequirements": {
"type": "object",
"description": "Infrastructure requirements for release",
"properties": {
"kubernetes_version": {
"type": "string",
"description": "Minimum Kubernetes version"
},
"docker_version": {
"type": "string",
"description": "Minimum Docker version"
},
"databases": {
"type": "array",
"items": {
"$ref": "#/definitions/DatabaseRequirement"
}
},
"external_services": {
"type": "array",
"items": {
"$ref": "#/definitions/ExternalServiceRequirement"
}
}
}
},
"DatabaseRequirement": {
"type": "object",
"description": "Database requirement",
"required": ["type", "min_version"],
"properties": {
"type": {
"type": "string",
"enum": ["mongodb", "postgres", "redis", "rabbitmq"]
},
"min_version": {
"type": "string"
},
"recommended_version": {
"type": "string"
},
"storage_estimate": {
"type": "string"
}
}
},
"ExternalServiceRequirement": {
"type": "object",
"description": "External service requirement",
"required": ["service", "required"],
"properties": {
"service": {
"type": "string"
},
"required": {
"type": "boolean"
},
"description": {
"type": "string"
},
"default_url": {
"type": "string",
"format": "uri"
}
}
},
"MigrationStep": {
"type": "object",
"description": "Migration step",
"required": ["migration_id", "type", "description"],
"properties": {
"migration_id": {
"type": "string"
},
"type": {
"type": "string",
"enum": ["database", "config", "data", "manual"]
},
"description": {
"type": "string"
},
"from_version": {
"type": "string"
},
"to_version": {
"type": "string"
},
"reversible": {
"type": "boolean",
"default": false
},
"script_path": {
"type": "string"
},
"estimated_duration": {
"type": "string"
},
"requires_downtime": {
"type": "boolean",
"default": false
}
}
},
"BreakingChange": {
"type": "object",
"description": "Breaking change documentation",
"required": ["change_id", "description", "migration_guide"],
"properties": {
"change_id": {
"type": "string"
},
"service": {
"type": "string"
},
"description": {
"type": "string"
},
"impact": {
"type": "string",
"enum": ["api", "config", "data", "behavior"]
},
"migration_guide": {
"type": "string"
},
"affected_versions": {
"type": "string"
}
}
},
"ReleaseSignature": {
"type": "object",
"description": "Release signature",
"required": ["signature_type", "signature"],
"properties": {
"signature_type": {
"type": "string",
"enum": ["cosign", "gpg", "dsse"]
},
"signature": {
"type": "string"
},
"key_id": {
"type": "string"
},
"signed_at": {
"type": "string",
"format": "date-time"
},
"rekor_log_index": {
"type": "integer"
}
}
},
"DeploymentProfile": {
"type": "object",
"description": "Deployment profile with service overrides",
"required": ["profile_id", "name"],
"properties": {
"profile_id": {
"type": "string",
"enum": ["development", "staging", "production", "airgap"]
},
"name": {
"type": "string"
},
"description": {
"type": "string"
},
"service_overrides": {
"type": "object",
"additionalProperties": {
"type": "object",
"properties": {
"replicas": {
"type": "integer"
},
"resources": {
"$ref": "#/definitions/ResourceRequirements"
},
"environment": {
"type": "object",
"additionalProperties": {
"type": "string"
}
}
}
}
},
"feature_flags": {
"type": "object",
"additionalProperties": {
"type": "boolean"
}
}
}
},
"ReleaseChannel": {
"type": "object",
"description": "Release channel configuration",
"required": ["channel_id", "name"],
"properties": {
"channel_id": {
"type": "string",
"enum": ["stable", "beta", "alpha", "nightly"]
},
"name": {
"type": "string"
},
"description": {
"type": "string"
},
"current_version": {
"type": "string"
},
"manifest_url": {
"type": "string",
"format": "uri"
},
"update_frequency": {
"type": "string",
"description": "How often this channel updates"
}
}
}
},
"properties": {
"manifest": {
"$ref": "#/definitions/ReleaseManifest"
},
"profiles": {
"type": "array",
"items": {
"$ref": "#/definitions/DeploymentProfile"
}
},
"channels": {
"type": "array",
"items": {
"$ref": "#/definitions/ReleaseChannel"
}
}
},
"examples": [
{
"manifest": {
"release_id": "stellaops-2025.10.0",
"version": "2025.10.0",
"codename": "Aurora",
"released_at": "2025-12-06T10:00:00Z",
"release_notes_url": "https://github.com/stellaops/stellaops/releases/tag/v2025.10.0",
"services": [
{
"service_id": "orchestrator",
"name": "Orchestrator",
"image": "ghcr.io/stellaops/orchestrator",
"tag": "2025.10.0",
"digest": "sha256:orch123def456789012345678901234567890123456789012345678901234orch",
"version": "2025.10.0",
"ports": [
{
"name": "http",
"container_port": 8080,
"protocol": "tcp"
},
{
"name": "grpc",
"container_port": 9090,
"protocol": "tcp"
}
],
"health_check": {
"path": "/health",
"port": 8080,
"interval_seconds": 30
},
"resources": {
"cpu_request": "100m",
"cpu_limit": "1000m",
"memory_request": "256Mi",
"memory_limit": "1Gi"
},
"dependencies": ["postgres", "redis", "rabbitmq"],
"sbom_ref": "https://sbom.stella-ops.org/orchestrator/2025.10.0.json",
"attestation_ref": "https://attestation.stella-ops.org/orchestrator/2025.10.0.jsonl"
},
{
"service_id": "policy-engine",
"name": "Policy Engine",
"image": "ghcr.io/stellaops/policy-engine",
"tag": "2025.10.0",
"digest": "sha256:policy123def456789012345678901234567890123456789012345678901234pol",
"version": "2025.10.0",
"ports": [
{
"name": "http",
"container_port": 8081
}
],
"health_check": {
"path": "/health",
"port": 8081
},
"resources": {
"cpu_request": "200m",
"cpu_limit": "2000m",
"memory_request": "512Mi",
"memory_limit": "2Gi"
},
"dependencies": ["mongodb", "orchestrator"]
},
{
"service_id": "scanner",
"name": "Scanner",
"image": "ghcr.io/stellaops/scanner",
"tag": "2025.10.0",
"digest": "sha256:scan123def456789012345678901234567890123456789012345678901234scan",
"version": "2025.10.0"
},
{
"service_id": "findings-ledger",
"name": "Findings Ledger",
"image": "ghcr.io/stellaops/findings-ledger",
"tag": "2025.10.0",
"digest": "sha256:ledger123def456789012345678901234567890123456789012345678901234led",
"version": "2025.10.0",
"dependencies": ["postgres", "redis"]
},
{
"service_id": "vex-lens",
"name": "VEX Lens",
"image": "ghcr.io/stellaops/vex-lens",
"tag": "2025.10.0",
"digest": "sha256:vex123def456789012345678901234567890123456789012345678901234vexl",
"version": "2025.10.0"
},
{
"service_id": "concelier",
"name": "Concelier",
"image": "ghcr.io/stellaops/concelier",
"tag": "2025.10.0",
"digest": "sha256:conc123def456789012345678901234567890123456789012345678901234conc",
"version": "2025.10.0",
"dependencies": ["mongodb", "redis"]
}
],
"infrastructure": {
"kubernetes_version": ">=1.27",
"docker_version": ">=24.0",
"databases": [
{
"type": "mongodb",
"min_version": "7.0",
"recommended_version": "7.0.4",
"storage_estimate": "50Gi"
},
{
"type": "postgres",
"min_version": "16",
"recommended_version": "16.1",
"storage_estimate": "100Gi"
},
{
"type": "redis",
"min_version": "7",
"recommended_version": "7.2"
}
],
"external_services": [
{
"service": "S3-compatible storage",
"required": true,
"description": "For evidence and artifact storage"
},
{
"service": "OIDC provider",
"required": false,
"description": "For SSO authentication"
}
]
},
"migrations": [
{
"migration_id": "mig-2025.10-001",
"type": "database",
"description": "Add risk_score column to findings table",
"from_version": "2025.09.0",
"to_version": "2025.10.0",
"reversible": true,
"script_path": "migrations/2025.10/001_add_risk_score.sql",
"estimated_duration": "5m",
"requires_downtime": false
}
],
"breaking_changes": [
{
"change_id": "bc-2025.10-001",
"service": "policy-engine",
"description": "Policy API v1 deprecated, use v2",
"impact": "api",
"migration_guide": "See docs/migration/policy-api-v2.md",
"affected_versions": "<2025.10.0"
}
],
"manifest_digest": "sha256:manifest123def456789012345678901234567890123456789012345678901234"
},
"profiles": [
{
"profile_id": "development",
"name": "Development",
"description": "Single-replica development deployment",
"service_overrides": {
"orchestrator": {
"replicas": 1,
"resources": {
"cpu_limit": "500m",
"memory_limit": "512Mi"
}
}
},
"feature_flags": {
"debug_mode": true,
"airgap_mode": false
}
},
{
"profile_id": "production",
"name": "Production",
"description": "High-availability production deployment",
"service_overrides": {
"orchestrator": {
"replicas": 3
},
"policy-engine": {
"replicas": 3
}
},
"feature_flags": {
"debug_mode": false,
"airgap_mode": false
}
},
{
"profile_id": "airgap",
"name": "Air-Gap",
"description": "Offline deployment without external connectivity",
"feature_flags": {
"debug_mode": false,
"airgap_mode": true
}
}
],
"channels": [
{
"channel_id": "stable",
"name": "Stable",
"description": "Production-ready releases",
"current_version": "2025.10.0",
"manifest_url": "https://releases.stella-ops.org/stable/manifest.json",
"update_frequency": "Monthly"
},
{
"channel_id": "beta",
"name": "Beta",
"description": "Pre-release testing",
"current_version": "2025.11.0-beta.1",
"manifest_url": "https://releases.stella-ops.org/beta/manifest.json",
"update_frequency": "Weekly"
}
]
}
]
}
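Review bot: Every digest in the `examples` block fails the schema's own `^sha256:[a-f0-9]{64}$` pattern declared on `ServiceRelease.digest` and `ReleaseManifest.manifest_digest`: the values embed non-hex letters (`orch123…orch`, `policy123…pol`, `scan123…scan`, `ledger123…led`, `vex123…vexl`, `conc123…conc`, `manifest123…`), so any tooling that validates `examples` against the schema rejects this file, and the example models a digest that is eyeballed rather than matched. Replace each with a 64-character lowercase-hex value (a constructed digest is fine for an example, but the seven strings should all be valid against the pattern). The `ResourceRequirements` patterns `^[0-9]+(m)?$` and `^[0-9]+(Mi|Gi)$` reject quantities that are valid in the Kubernetes deployments this manifest targets (`kubernetes_version`), such as `0.5`, `1.5Gi` or `512Ki`; either widen the patterns or state the restriction in a `description`. `PortMapping.container_port`, `PortMapping.service_port` and the `replicas` override in `DeploymentProfile.service_overrides` have no range; `"minimum": 1, "maximum": 65535` for the ports and `"minimum": 0` for `replicas` would catch typos before rollout.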


@@ -0,0 +1,677 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/scanner-entrytrace-baseline.schema.json",
"title": "StellaOps Scanner EntryTrace Baseline Schema",
"description": "Schema for EntryTrace heuristics, baseline configurations, and entry point detection. Unblocks SCANNER-ENTRYTRACE-18-503 through 18-508 (5+ tasks).",
"type": "object",
"definitions": {
"EntryTraceConfig": {
"type": "object",
"description": "EntryTrace configuration",
"required": ["config_id", "language"],
"properties": {
"config_id": {
"type": "string"
},
"language": {
"type": "string",
"enum": ["java", "python", "javascript", "typescript", "go", "ruby", "php", "csharp", "rust"],
"description": "Target language"
},
"version": {
"type": "string"
},
"entry_point_patterns": {
"type": "array",
"items": {
"$ref": "#/definitions/EntryPointPattern"
}
},
"framework_configs": {
"type": "array",
"items": {
"$ref": "#/definitions/FrameworkConfig"
}
},
"heuristics": {
"$ref": "#/definitions/HeuristicsConfig"
},
"exclusions": {
"$ref": "#/definitions/ExclusionConfig"
}
}
},
"EntryPointPattern": {
"type": "object",
"description": "Pattern for detecting entry points",
"required": ["pattern_id", "type", "pattern"],
"properties": {
"pattern_id": {
"type": "string"
},
"type": {
"type": "string",
"enum": ["annotation", "decorator", "function_name", "class_name", "file_pattern", "import_pattern", "ast_pattern"],
"description": "Pattern type"
},
"pattern": {
"type": "string",
"description": "Regex or AST pattern"
},
"confidence": {
"type": "number",
"minimum": 0,
"maximum": 1,
"description": "Confidence level for this pattern"
},
"entry_type": {
"type": "string",
"enum": ["http_endpoint", "grpc_method", "cli_command", "event_handler", "scheduled_job", "message_consumer", "test_method"],
"description": "Type of entry point detected"
},
"framework": {
"type": "string",
"description": "Associated framework (e.g., spring, express, django)"
},
"metadata_extraction": {
"$ref": "#/definitions/MetadataExtraction"
}
}
},
"MetadataExtraction": {
"type": "object",
"description": "Rules for extracting metadata from entry points",
"properties": {
"http_method": {
"type": "string",
"description": "Pattern to extract HTTP method"
},
"route_path": {
"type": "string",
"description": "Pattern to extract route path"
},
"parameters": {
"type": "string",
"description": "Pattern to extract parameters"
},
"auth_required": {
"type": "string",
"description": "Pattern to detect auth requirements"
}
}
},
"FrameworkConfig": {
"type": "object",
"description": "Framework-specific configuration",
"required": ["framework_id", "name"],
"properties": {
"framework_id": {
"type": "string"
},
"name": {
"type": "string"
},
"version_range": {
"type": "string",
"description": "Supported version range (semver)"
},
"detection_patterns": {
"type": "array",
"items": {
"type": "string"
},
"description": "Patterns to detect framework usage"
},
"entry_patterns": {
"type": "array",
"items": {
"type": "string"
},
"description": "Entry point pattern IDs for this framework"
},
"router_file_patterns": {
"type": "array",
"items": {
"type": "string"
},
"description": "Glob patterns for router/route files"
},
"controller_patterns": {
"type": "array",
"items": {
"type": "string"
},
"description": "Patterns to identify controller classes"
}
}
},
"HeuristicsConfig": {
"type": "object",
"description": "Heuristics configuration for entry point detection",
"properties": {
"enable_static_analysis": {
"type": "boolean",
"default": true
},
"enable_dynamic_hints": {
"type": "boolean",
"default": false,
"description": "Use runtime hints if available"
},
"confidence_threshold": {
"type": "number",
"minimum": 0,
"maximum": 1,
"default": 0.7,
"description": "Minimum confidence to report entry point"
},
"max_depth": {
"type": "integer",
"minimum": 1,
"default": 10,
"description": "Maximum call graph depth to analyze"
},
"timeout_seconds": {
"type": "integer",
"default": 300,
"description": "Analysis timeout per file"
},
"scoring_weights": {
"$ref": "#/definitions/ScoringWeights"
}
}
},
"ScoringWeights": {
"type": "object",
"description": "Weights for confidence scoring",
"properties": {
"annotation_match": {
"type": "number",
"default": 0.9
},
"naming_convention": {
"type": "number",
"default": 0.6
},
"file_location": {
"type": "number",
"default": 0.5
},
"import_analysis": {
"type": "number",
"default": 0.7
},
"call_graph_centrality": {
"type": "number",
"default": 0.4
}
}
},
"ExclusionConfig": {
"type": "object",
"description": "Exclusion rules",
"properties": {
"exclude_paths": {
"type": "array",
"items": {
"type": "string"
},
"description": "Glob patterns to exclude"
},
"exclude_packages": {
"type": "array",
"items": {
"type": "string"
},
"description": "Package names to exclude"
},
"exclude_test_files": {
"type": "boolean",
"default": true
},
"exclude_generated": {
"type": "boolean",
"default": true
}
}
},
"EntryPoint": {
"type": "object",
"description": "Detected entry point",
"required": ["entry_id", "type", "location"],
"properties": {
"entry_id": {
"type": "string"
},
"type": {
"type": "string",
"enum": ["http_endpoint", "grpc_method", "cli_command", "event_handler", "scheduled_job", "message_consumer", "test_method"]
},
"name": {
"type": "string"
},
"location": {
"$ref": "#/definitions/CodeLocation"
},
"confidence": {
"type": "number",
"minimum": 0,
"maximum": 1
},
"framework": {
"type": "string"
},
"http_metadata": {
"$ref": "#/definitions/HttpMetadata"
},
"parameters": {
"type": "array",
"items": {
"$ref": "#/definitions/ParameterInfo"
}
},
"reachable_vulnerabilities": {
"type": "array",
"items": {
"type": "string"
},
"description": "CVE IDs reachable from this entry point"
},
"call_paths": {
"type": "array",
"items": {
"$ref": "#/definitions/CallPath"
}
},
"detection_method": {
"type": "string",
"description": "Pattern ID that detected this entry"
}
}
},
"CodeLocation": {
"type": "object",
"description": "Source code location",
"required": ["file_path"],
"properties": {
"file_path": {
"type": "string"
},
"line_start": {
"type": "integer"
},
"line_end": {
"type": "integer"
},
"column_start": {
"type": "integer"
},
"column_end": {
"type": "integer"
},
"function_name": {
"type": "string"
},
"class_name": {
"type": "string"
},
"package_name": {
"type": "string"
}
}
},
"HttpMetadata": {
"type": "object",
"description": "HTTP endpoint metadata",
"properties": {
"method": {
"type": "string",
"enum": ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"]
},
"path": {
"type": "string"
},
"path_parameters": {
"type": "array",
"items": {
"type": "string"
}
},
"query_parameters": {
"type": "array",
"items": {
"type": "string"
}
},
"consumes": {
"type": "array",
"items": {
"type": "string"
}
},
"produces": {
"type": "array",
"items": {
"type": "string"
}
},
"auth_required": {
"type": "boolean"
},
"auth_scopes": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"ParameterInfo": {
"type": "object",
"description": "Entry point parameter",
"properties": {
"name": {
"type": "string"
},
"type": {
"type": "string"
},
"source": {
"type": "string",
"enum": ["path", "query", "header", "body", "form", "cookie"]
},
"required": {
"type": "boolean"
},
"tainted": {
"type": "boolean",
"description": "Whether this is a potential taint source"
}
}
},
"CallPath": {
"type": "object",
"description": "Call path from entry point to vulnerability",
"properties": {
"target_vulnerability": {
"type": "string",
"description": "CVE ID or vulnerability identifier"
},
"path_length": {
"type": "integer"
},
"calls": {
"type": "array",
"items": {
"$ref": "#/definitions/CallSite"
}
},
"confidence": {
"type": "number",
"minimum": 0,
"maximum": 1
}
}
},
"CallSite": {
"type": "object",
"description": "Individual call in call path",
"properties": {
"caller": {
"type": "string"
},
"callee": {
"type": "string"
},
"location": {
"$ref": "#/definitions/CodeLocation"
},
"call_type": {
"type": "string",
"enum": ["direct", "virtual", "interface", "reflection", "lambda"]
}
}
},
"BaselineReport": {
"type": "object",
"description": "EntryTrace baseline analysis report",
"required": ["report_id", "scan_id", "entry_points"],
"properties": {
"report_id": {
"type": "string",
"format": "uuid"
},
"scan_id": {
"type": "string"
},
"generated_at": {
"type": "string",
"format": "date-time"
},
"config_used": {
"type": "string",
"description": "Config ID used for analysis"
},
"entry_points": {
"type": "array",
"items": {
"$ref": "#/definitions/EntryPoint"
}
},
"statistics": {
"$ref": "#/definitions/BaselineStatistics"
},
"frameworks_detected": {
"type": "array",
"items": {
"type": "string"
}
},
"analysis_duration_ms": {
"type": "integer"
},
"digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
}
}
},
"BaselineStatistics": {
"type": "object",
"description": "Baseline analysis statistics",
"properties": {
"total_entry_points": {
"type": "integer"
},
"by_type": {
"type": "object",
"additionalProperties": {
"type": "integer"
}
},
"by_framework": {
"type": "object",
"additionalProperties": {
"type": "integer"
}
},
"by_confidence": {
"type": "object",
"properties": {
"high": {
"type": "integer"
},
"medium": {
"type": "integer"
},
"low": {
"type": "integer"
}
}
},
"files_analyzed": {
"type": "integer"
},
"files_skipped": {
"type": "integer"
},
"reachable_vulnerabilities": {
"type": "integer"
}
}
}
},
"properties": {
"configs": {
"type": "array",
"items": {
"$ref": "#/definitions/EntryTraceConfig"
}
},
"baseline_reports": {
"type": "array",
"items": {
"$ref": "#/definitions/BaselineReport"
}
}
},
"examples": [
{
"configs": [
{
"config_id": "java-spring-baseline",
"language": "java",
"version": "1.0.0",
"entry_point_patterns": [
{
"pattern_id": "spring-request-mapping",
"type": "annotation",
"pattern": "@(Get|Post|Put|Delete|Patch|Request)Mapping",
"confidence": 0.95,
"entry_type": "http_endpoint",
"framework": "spring",
"metadata_extraction": {
"http_method": "annotation.name.replace('Mapping', '').toUpperCase()",
"route_path": "annotation.value || annotation.path"
}
},
{
"pattern_id": "spring-rest-controller",
"type": "annotation",
"pattern": "@RestController",
"confidence": 0.9,
"entry_type": "http_endpoint",
"framework": "spring"
},
{
"pattern_id": "spring-scheduled",
"type": "annotation",
"pattern": "@Scheduled",
"confidence": 0.95,
"entry_type": "scheduled_job",
"framework": "spring"
}
],
"framework_configs": [
{
"framework_id": "spring-boot",
"name": "Spring Boot",
"version_range": ">=2.0.0",
"detection_patterns": [
"org.springframework.boot",
"@SpringBootApplication"
],
"entry_patterns": ["spring-request-mapping", "spring-rest-controller", "spring-scheduled"],
"router_file_patterns": ["**/controller/**/*.java", "**/rest/**/*.java"],
"controller_patterns": [".*Controller$", ".*Resource$"]
}
],
"heuristics": {
"enable_static_analysis": true,
"enable_dynamic_hints": false,
"confidence_threshold": 0.7,
"max_depth": 15,
"timeout_seconds": 600,
"scoring_weights": {
"annotation_match": 0.95,
"naming_convention": 0.6,
"file_location": 0.5,
"import_analysis": 0.7,
"call_graph_centrality": 0.4
}
},
"exclusions": {
"exclude_paths": ["**/test/**", "**/generated/**"],
"exclude_packages": ["org.springframework.test"],
"exclude_test_files": true,
"exclude_generated": true
}
}
],
"baseline_reports": [
{
"report_id": "550e8400-e29b-41d4-a716-446655440000",
"scan_id": "scan-2025-12-06-001",
"generated_at": "2025-12-06T10:00:00Z",
"config_used": "java-spring-baseline",
"entry_points": [
{
"entry_id": "ep-001",
"type": "http_endpoint",
"name": "getUserById",
"location": {
"file_path": "src/main/java/com/example/UserController.java",
"line_start": 25,
"line_end": 35,
"function_name": "getUserById",
"class_name": "UserController",
"package_name": "com.example"
},
"confidence": 0.95,
"framework": "spring",
"http_metadata": {
"method": "GET",
"path": "/api/users/{id}",
"path_parameters": ["id"],
"auth_required": true
},
"parameters": [
{
"name": "id",
"type": "Long",
"source": "path",
"required": true,
"tainted": true
}
],
"reachable_vulnerabilities": ["CVE-2023-1234"],
"detection_method": "spring-request-mapping"
}
],
"statistics": {
"total_entry_points": 45,
"by_type": {
"http_endpoint": 40,
"scheduled_job": 3,
"message_consumer": 2
},
"by_framework": {
"spring": 45
},
"by_confidence": {
"high": 38,
"medium": 5,
"low": 2
},
"files_analyzed": 120,
"files_skipped": 15,
"reachable_vulnerabilities": 12
},
"frameworks_detected": ["spring-boot"],
"analysis_duration_ms": 45000,
"digest": "sha256:entry123def456789012345678901234567890123456789012345678901234entry"
}
]
}
]
}
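Review bot: The example report's `digest` value (`"sha256:entry123def…entry"`) does not satisfy the schema's own `^sha256:[a-f0-9]{64}$` pattern declared on `BaselineReport.digest` — it contains non-hex characters — so any validator that checks `examples`, or a test that loads them as fixtures, will reject this file; replace it with a well-formed placeholder such as `"digest": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"`. Separately, `EntryPointPattern.pattern` is documented as a regex and the example's `metadata_extraction` values (`annotation.name.replace('Mapping', '').toUpperCase()`, `annotation.value || annotation.path`) read like evaluated expressions rather than patterns; the schema does not say how they are interpreted, and if baseline configs can ever come from tenant- or user-supplied input these strings are a ReDoS / expression-evaluation surface, so the description should state the evaluation model and the strings should carry a `maxLength`. `timeout_seconds` has no `minimum`, so `0` or a negative value validates. Minor: under a 2020-12 `$schema`, `definitions` should be `$defs` with `"$ref": "#/$defs/..."`.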