stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

wip - advisories and ui extensions

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-29 08:39:52 +02:00
parent c2b9cd8d1f
commit 1b61c72c90
56 changed files with 15187 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

227
docs/product-advisories/ADVISORY_20251229_SBOM_LINEAGE_AND_TESTING.md Normal file
View File

@@ -0,0 +1,227 @@
# ADVISORY_20251229: SBOM Lineage Graph & Testing Infrastructure
## Advisory Classification
| Field | Value |
|-------|-------|
| **Advisory ID** | ADVISORY_20251229_SBOM_LINEAGE_AND_TESTING |
| **Date** | 2025-12-29 |
| **Priority** | HIGH |
| **Verdict** | **PROCEED** - High value, aligns with Stella Ops vision |
| **Existing Coverage** | ~70% architecturally designed, ~20% implemented |
## Executive Summary
The advisory proposes:
1. **SBOM Lineage Graph** - Git-like visualization with hover-to-proof UX
2. **Testing Infrastructure** - Fixture harvesting, golden tests, determinism verification
3. **Backport Detection Algorithm** - Fix rules model with distro-specific extractors
4. **VEX Lattice Tests** - Truth table verification for merge correctness
5. **Scheduler Resilience** - Chaos and load tests
6. **E2E Replayable Verdict** - Full pipeline replay verification
**Verdict:** These proposals are **highly aligned** with Stella Ops' core differentiators:
- **Determinism** (reproducible vulnerability assessments)
- **Offline-first** (air-gapped operation)
- **VEX-first decisioning** (lattice-based consensus)
- **Explainability** (proof chains and evidence)
Most of the **architecture already exists** in documentation. The gap is **implementation and test coverage**.
---
## Gap Analysis Summary
| Feature | Architecture | Implementation | Tests | Recommendation |
|---------|--------------|----------------|-------|----------------|
| SBOM Lineage Graph | 100% | 20% | 0% | **Proceed with existing sprints** |
| Testing Infrastructure | 70% | 40% | N/A | **Create FixtureHarvester** |
| Backport Status Service | 50% | 30% | 10% | **Formalize algorithm** |
| VEX Lattice Truth Tables | 100% | 60% | 10% | **Add systematic tests** |
| Scheduler Resilience | 80% | 70% | 20% | **Add chaos tests** |
| E2E Replayable Verdict | 90% | 40% | 5% | **Wire components** |
---
## Existing Infrastructure (Already in Stella Ops)
### 1. SBOM Lineage Architecture (docs/modules/sbomservice/lineage/)
**Status:** FULLY DESIGNED, NOT IMPLEMENTED
- `IOciAncestryExtractor` - Extract base image refs from OCI config
- `ISbomLineageEdgeRepository` - Persist DAG edges (parent, build, base)
- `IVexDeltaRepository` - Track status transitions
- `ISbomVerdictLinkRepository` - Link SBOM versions to VEX consensus
- `ILineageGraphService` - Query and diff lineage
- Database schema for `sbom_lineage_edges`, `vex_deltas`, `sbom_verdict_links`
- API endpoints: `GET /lineage/{digest}`, `GET /lineage/diff`, `POST /lineage/export`
### 2. Testing Infrastructure (src/__Tests/)
**Status:** PARTIAL INFRASTRUCTURE EXISTS
- `StellaOps.Testing.Determinism/` with `DeterminismVerifier`
- `StellaOps.Testing.AirGap/` with `NetworkIsolatedTestBase`
- `__Benchmarks/golden-corpus/` for canonical test cases
- `__Datasets/` for ground truth samples
- Standardized test categories (Unit, Integration, Determinism, AirGap, Chaos)
**Gap:** No `FixtureHarvester` tool, no per-fixture `meta.json` manifests
### 3. Feedser Evidence Collection (src/Feedser/)
**Status:** LIBRARY EXISTS
- `HunkSigExtractor` for patch signature extraction
- `BinaryFingerprintFactory` with TLSH and instruction hash fingerprinters
- Four-tier evidence model (Tier 1-4 confidence levels)
- Consumed by Concelier `ProofService`
### 4. VexLens Consensus (src/VexLens/)
**Status:** CORE ENGINE EXISTS
- Lattice states: `unknown < under_investigation < not_affected | affected < fixed`
- `VexConsensusEngine` for merge computation
- `OpenVexNormalizer` and `CsafVexNormalizer`
- Conflict tracking with detailed arrays
- Trust tier provenance from Excititor connectors
**Gap:** No systematic truth table tests
### 5. Replay Infrastructure (src/Replay/)
**Status:** MODELS AND SERVICE DESIGNED
- `ReplayManifest` v1/v2 schema
- `ReplayToken` generation and verification
- `PolicySimulationInputLock` for pinning
- Scanner `RecordModeService` for bundle capture
**Gap:** No `VerdictBuilder` orchestration service (Sprint CGS-001)
### 6. Concelier Advisory Ingestion (src/Concelier/)
**Status:** PRODUCTION READY
- Link-Not-Merge architecture
- Multiple connectors: CSAF (Red Hat, SUSE, Ubuntu, Oracle, Microsoft), OSV, GHSA
- Version range normalization (EVR, dpkg, apk, semver)
- Conflict detection in linksets
---
## Recommended Sprint Batch
Based on the gap analysis, the following sprints have been created:
### Batch 001 (Already Exists)
| Sprint | Topic | Status |
|--------|-------|--------|
| `SPRINT_20251229_001_001_BE_cgs_infrastructure` | Verdict Builder (CGS) | TODO |
| `SPRINT_20251229_001_002_BE_vex_delta` | VEX Delta Persistence | TODO |
| `SPRINT_20251229_001_003_FE_lineage_graph` | Lineage Visualization | TODO |
### Batch 004 (New - From This Advisory)
| Sprint | Topic | Tasks |
|--------|-------|-------|
| `SPRINT_20251229_004_001_LIB_fixture_harvester` | FixtureHarvester Tool | 10 tasks |
| `SPRINT_20251229_004_002_BE_backport_status_service` | Backport Status Retrieval | 11 tasks |
| `SPRINT_20251229_004_003_BE_vexlens_truth_tables` | VexLens Truth Table Tests | 9 tasks |
| `SPRINT_20251229_004_004_BE_scheduler_resilience` | Scheduler Chaos Tests | 8 tasks |
| `SPRINT_20251229_004_005_E2E_replayable_verdict` | E2E Replay Tests | 8 tasks |
---
## Priority Ranking
### P0 - Critical Path (Blocks Other Work)
1. **Batch 001** - CGS infrastructure and VEX delta persistence
- Required for lineage graph and replay features
- Existing sprints, well-defined tasks
2. **SPRINT_20251229_004_003_BE_vexlens_truth_tables**
- VexLens is core to the platform; truth tables validate correctness
- Low effort, high confidence gain
### P1 - High Value
3. **SPRINT_20251229_004_005_E2E_replayable_verdict**
- E2E tests catch integration issues early
- Validates the core "deterministic reproducibility" claim
4. **SPRINT_20251229_004_001_LIB_fixture_harvester**
- Enables systematic fixture management
- Supports all test categories
### P2 - Important
5. **SPRINT_20251229_004_002_BE_backport_status_service**
- Reduces false positives for distro packages
- Requires distro-specific extractors (effort)
6. **SPRINT_20251229_004_004_BE_scheduler_resilience**
- Chaos tests for production readiness
- Can be parallelized with other work
---
## Alignment with Stella Ops Vision
| Advisory Proposal | Stella Ops Principle | Alignment |
|-------------------|---------------------|-----------|
| SBOM Lineage Graph | Explainability | HIGH - "proof into explorable UX" |
| Hover-to-proof | Evidence-first | HIGH - every claim has evidence |
| Golden fixtures | Determinism | HIGH - byte-identical outputs |
| Replay bundles | Offline-first | HIGH - air-gap verification |
| Backport detection | Distro-aware | HIGH - reduces false positives |
| Lattice truth tables | VEX-first decisioning | HIGH - validates core algorithm |
| Chaos tests | Production readiness | MEDIUM - operational quality |
---
## What NOT to Implement
The advisory proposes some elements that **already exist** or are **out of scope**:
1. **Determinism harness** - Already exists as `StellaOps.Testing.Determinism/`
2. **Canonical JSON** - Already implemented across the codebase
3. **Feed parsers** - Concelier connectors already parse NVD/GHSA/OSV
4. **Merge algorithm** - VexLens already implements the lattice
---
## Success Metrics
After implementing the recommended sprints:
| Metric | Target |
|--------|--------|
| VexLens truth table coverage | 100% of merge scenarios |
| SBOM lineage API availability | Production |
| E2E replay verification | Pass on 3 platforms (Ubuntu, Alpine, Debian) |
| Scheduler chaos test coverage | Crash recovery, backpressure, idempotency |
| Fixture manifest coverage | All test fixtures have `meta.json` |
| Backport detection accuracy | >90% on Debian/Alpine packages |
---
## Related Documentation
- `docs/modules/sbomservice/lineage/architecture.md`
- `docs/modules/vex-lens/architecture.md`
- `docs/modules/feedser/architecture.md`
- `docs/modules/replay/architecture.md`
- `src/__Tests/AGENTS.md`
## Created Sprints
- `docs/implplan/SPRINT_20251229_004_001_LIB_fixture_harvester.md`
- `docs/implplan/SPRINT_20251229_004_002_BE_backport_status_service.md`
- `docs/implplan/SPRINT_20251229_004_003_BE_vexlens_truth_tables.md`
- `docs/implplan/SPRINT_20251229_004_004_BE_scheduler_resilience.md`
- `docs/implplan/SPRINT_20251229_004_005_E2E_replayable_verdict.md`

133
docs/product-advisories/archived/2025-12-29_deterministic_verdicts_and_sbom_lineage.md Normal file
View File

@@ -0,0 +1,133 @@
# Advisory Analysis: Deterministic Verdicts (CGS) & SBOM Lineage Graph
**Advisory Date:** 2025-12-29
**Status:** ANALYZED - Superseded by Existing Consolidations
**Strategic Value:** HIGH
**Implementation Effort:** MEDIUM (gaps only)
---
## Executive Summary
This advisory proposes:
1. **SBOM Lineage Graph** - Git-like visualization with hover-to-proof micro-interactions
2. **Canonical Graph Signature (CGS)** - Deterministic, replayable verdicts
3. **Proof Studio UX** - Explainable confidence scoring
**Verdict:** The advisory validates StellaOps' existing architecture direction. **~90% is already implemented.** The remaining work is minor integration, not invention.
**Revision Note (2025-12-29):** Deeper exploration revealed the frontend is more complete than initially assessed:
- 41 TypeScript files in lineage feature
- 31 visualization components already exist
- Proof tree, hover cards, compare mode, diff views all implemented
- Frontend sprints revised to minor integration tasks
---
## Prior Art (Already Consolidated)
| Advisory Concept | Existing Document | Status |
|-----------------|-------------------|--------|
| SBOM Lineage Graph | `ADVISORY_SBOM_LINEAGE_GRAPH.md` | 70% backend |
| Deterministic Verdicts | `CONSOLIDATED - Deterministic Evidence and Verdict Architecture.md` | 85% complete |
| Diff-Aware Gates | `CONSOLIDATED - Diff-Aware Release Gates and Risk Budgets.md` | 75% complete |
---
## What's Already Implemented
### ✅ Complete
| Component | Location |
|-----------|----------|
| Canonical JSON (RFC 8785 JCS) | `StellaOps.Canonical.Json` |
| NFC String Normalization | `StellaOps.Resolver.NfcStringNormalizer` |
| Content-Addressed IDs | `Attestor.ProofChain/Identifiers/` |
| DSSE Signing | `Signer/`, `Attestor/` |
| Merkle Trees | `ProofChain/Merkle/DeterministicMerkleTreeBuilder` |
| Determinism Guards | `Policy.Engine/DeterminismGuard/` |
| Replay Manifest | `StellaOps.Replay.Core` |
| Evidence Sealing | `EvidenceLocker.Core` |
| VEX Trust Lattice | `VexLens/OpenVexStatementMerger` |
| Delta Verdicts | `Policy/Deltas/DeltaVerdict.cs` |
| Rekor Verification | `Attestor.Core/Verification/` |
| SBOM Ledger with Lineage | `SbomService/SbomLedgerService` |
### 🔄 Gaps Identified
| Gap | Sprint |
|-----|--------|
| Unified VerdictBuilder service | SPRINT_20251229_001_001_BE |
| `POST /verdicts/build` API | SPRINT_20251229_001_001_BE |
| Fulcio keyless signing wiring | SPRINT_20251229_001_001_BE |
| `policy.lock.json` generator | SPRINT_20251229_001_001_BE |
| VEX delta table migration | SPRINT_20251229_001_002_BE |
| SBOM-verdict link table | SPRINT_20251229_001_002_BE |
| VexLens PostgreSQL backend | SPRINT_20251229_001_002_BE |
| Lineage Graph UI component | SPRINT_20251229_001_003_FE |
| Hover card micro-interactions | SPRINT_20251229_001_003_FE |
| Proof Studio UI | SPRINT_20251229_001_004_FE |
| What-if confidence slider | SPRINT_20251229_001_004_FE |
---
## Created Sprints
1. `SPRINT_20251229_001_001_BE_cgs_infrastructure.md` - VerdictBuilder, APIs, Fulcio
2. `SPRINT_20251229_001_002_BE_vex_delta.md` - Database migrations
3. `SPRINT_20251229_001_003_FE_lineage_graph.md` - Graph visualization
4. `SPRINT_20251229_001_004_FE_proof_studio.md` - Explainability UX
---
## Recommendation
**Archive this advisory** as a validation of architecture direction. Reference existing consolidated documents for implementation. Execute the gap-focused sprints above.
---
## Original Advisory Content
The original advisory proposed:
### Canonical Graph Signature (CGS)
> Turn all inputs into a graph (nodes: packages, files, build steps, attestations; edges: depends-on, produced-by), serialize canonically, then hash. **Rule:** `same inputs (bytes + rule set + policy versions) → same CGS → same verdict`.
**StellaOps Status:** Implemented via `ProofChain/Merkle/DeterministicMerkleTreeBuilder` + content-addressed IDs.
### Canonicalization Rules
> - Sort all collections (lexicographic, locale-independent)
> - Normalize IDs (PURL casing, semver normalization)
> - Stable timestamps: truncated ISO8601Z or logical time
> - No environmental entropy
**StellaOps Status:** Implemented via `Rfc8785JsonCanonicalizer`, `NfcStringNormalizer`, Policy determinism guards.
### API Surface
> - `POST /verdicts/build`
> - `GET /verdicts/{cgs_hash}`
> - `POST /verdicts/diff`
**StellaOps Status:** Gap - needs VerdictBuilder service composition.
### Rollout Phases
> 1. Canonicalize & Hash ✅
> 2. CGS & Deterministic Engine ✅
> 3. Signed Verdicts (OCI-attach) 🔄
> 4. Diff & Time-travel 🔄
> 5. Confidence & Proof Studio ❌
**StellaOps Status:** Phases 1-2 complete, 3-4 partial, 5 needs frontend.
---
## References
- `docs/product-advisories/archived/CONSOLIDATED - Deterministic Evidence and Verdict Architecture.md`
- `docs/product-advisories/archived/CONSOLIDATED - Diff-Aware Release Gates and Risk Budgets.md`
- `docs/product-advisories/archived/ADVISORY_SBOM_LINEAGE_GRAPH.md`
- `docs/modules/attestor/architecture.md` (ProofChain section)
- `docs/modules/policy/architecture.md` (Determinism section)
- `docs/modules/sbomservice/lineage/architecture.md`
- `docs/modules/replay/architecture.md`

247
docs/product-advisories/archived/ANALYSIS_20251229_lineage_crossdistro_gap.md Normal file
View File

@@ -0,0 +1,247 @@
# Gap Analysis: SBOM Lineage Graph & Cross-Distro Vulnerability Intelligence
> **Analysis Date:** 2025-12-29
> **Advisory Source:** Product advisory proposing SBOM Lineage visualization and cross-distro CSAF/VEX unification
> **Conclusion:** Advisory significantly underestimates existing implementation. ~85% already complete. Proceed with targeted sprints.
---
## Executive Summary
The product advisory proposed two major features:
1. **SBOM Lineage Graph** - Git-like visualization of container image ancestry with hover-to-proof micro-interactions
2. **Cross-Distro Vulnerability Intelligence** - Unified CSAF/VEX ingestion across Linux distributions
**Key Finding:** Both features are substantially implemented. The advisory dramatically underestimates existing capability.
| Feature Area | Advisory Implied | Actual Status | Gap |
|--------------|------------------|---------------|-----|
| Lineage Architecture | New design needed | 100% documented | None |
| Lineage UI Components | Build from scratch | ~80% complete (41 files) | API wiring |
| Version Comparators | Need all new | 100% complete | None |
| Distro Connectors | Need 5+ connectors | 5/6 complete | Astra only |
| Patch Fingerprinting | New capability | 100% complete | None |
| Trust Lattice | New framework | 100% complete | None |
| Proposed UAS Schema | Adopt schema | **SKIP** | Existing model superior |
**Recommendation:** Execute 3 targeted sprints (~34 tasks) instead of ~50+ implied by advisory.
---
## Detailed Gap Analysis
### 1. SBOM Lineage Graph
#### Architecture (docs/modules/sbomservice/lineage/architecture.md)
| Component | Status | Evidence |
|-----------|--------|----------|
| DAG data model | ✅ Complete | `LineageNode`, `LineageEdge` records defined |
| Edge types (parent/build/base) | ✅ Complete | `LineageRelationship` enum with 3 types |
| Node badges (vulns/signature) | ✅ Complete | Badge structure in architecture |
| Replay hash integration | ✅ Complete | `replayHash` field on nodes |
| API contracts | ✅ Documented | 3 endpoints fully specified |
| Database schema | ✅ Designed | 3 tables with indexes |
| Caching strategy | ✅ Designed | Valkey keys with TTLs |
| Determinism rules | ✅ Specified | Ordering rules documented |
**Gap:** API endpoints not implemented. Database tables not migrated.
#### UI Components (src/Web/StellaOps.Web/src/app/features/lineage/)
| Component | Files | Status |
|-----------|-------|--------|
| Main graph visualization | `lineage-graph.component.ts` | ✅ 1000+ LOC |
| Hover cards | `lineage-hover-card.component.ts` | ✅ Complete |
| SBOM diff display | `lineage-sbom-diff.component.ts` | ✅ Complete |
| VEX diff display | `lineage-vex-diff.component.ts` | ✅ Complete |
| Compare panel | `lineage-compare-panel.component.ts` | ✅ Complete |
| Services | `lineage.service.ts` | ⚠️ Stubs only |
**Gap:** Services use mock data. Need API wiring.
### 2. Cross-Distro Vulnerability Intelligence
#### Advisory Connectors (src/Concelier/__Connectors/)
| Distro | Connector | Version Comparator | Status |
|--------|-----------|-------------------|--------|
| Red Hat | `StellaOps.Concelier.Connector.RedHat` | rpm NEVRA | ✅ Complete |
| SUSE | `StellaOps.Concelier.Connector.Suse` | rpm NEVRA | ✅ Complete |
| Ubuntu | `StellaOps.Concelier.Connector.Ubuntu` | dpkg EVR | ✅ Complete |
| Debian | `StellaOps.Concelier.Connector.Debian` | dpkg EVR | ✅ Complete |
| Alpine | `StellaOps.Concelier.Connector.Alpine` | apk -r<pkgrel> | ✅ Complete |
| **Astra Linux** | None | dpkg EVR (inherit) | ❌ **Gap** |
#### Version Comparators (src/__Libraries/StellaOps.VersionComparison/)
| Comparator | Location | Status |
|------------|----------|--------|
| `RpmVersionComparer` | `Comparers/RpmVersionComparer.cs` | ✅ Complete |
| `DebianVersionComparer` | `Comparers/DebianVersionComparer.cs` | ✅ Complete |
| `ApkVersionComparer` | `src/Concelier/__Libraries/.../ApkVersionComparer.cs` | ✅ Complete |
| `SemVerComparer` | `Comparers/SemVerComparer.cs` | ✅ Complete |
**Gap:** None. All version comparators implemented.
#### Patch Fingerprinting (Feedser)
| Component | Location | Status |
|-----------|----------|--------|
| HunkSig extractor | `src/Feedser/StellaOps.Feedser.Core/HunkSigExtractor.cs` | ✅ Complete |
| Binary fingerprinting | `src/Feedser/StellaOps.Feedser.BinaryAnalysis/` | ✅ Complete |
| TLSH fuzzy hashing | `Fingerprinters/SimplifiedTlshFingerprinter.cs` | ✅ Complete |
| Instruction hash | `Fingerprinters/InstructionHashFingerprinter.cs` | ✅ Complete |
**Gap:** None. Four-tier evidence system fully implemented.
#### Trust Lattice (VexLens)
| Component | Status | Evidence |
|-----------|--------|----------|
| 3-component trust vector | ✅ Complete | Provenance/Coverage/Replayability |
| Lattice join semantics | ✅ Complete | `unknown < under_investigation < ...` |
| Weighted scoring | ✅ Complete | Configurable weights in consensus |
| Issuer trust profiles | ✅ Complete | IssuerDirectory integration |
**Gap:** None. Trust framework fully implemented.
### 3. Proposed UAS Schema - **RECOMMENDATION: SKIP**
The advisory proposed a "Unified Advisory Schema" (UAS). Analysis shows this should be **skipped**:
| Aspect | Proposed UAS | Existing Model | Decision |
|--------|--------------|----------------|----------|
| Conflict handling | Silent merge | Link-Not-Merge (preserves conflicts) | **Existing superior** |
| Trust modeling | Single score | 3-component vector | **Existing superior** |
| Evidence provenance | Lost in merge | AdvisoryLinkset preserves | **Existing superior** |
| AOC compliance | Unknown | Append-Only Contract enforced | **Existing superior** |
The existing `AdvisoryObservation` + `AdvisoryLinkset` model with Link-Not-Merge semantics is architecturally superior. UAS would require significant regression.
---
## Sprint Execution Plan
### Sprint Dependency Graph
```
┌─────────────────────────────────────────────────────────────┐
│ │
│ SPRINT_20251229_005_001_BE_sbom_lineage_api │
│ (13 tasks) │
│ - Database migrations │
│ - Repository implementations │
│ - API endpoints │
│ - Caching layer │
│ │
└──────────────────────────┬──────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ │
│ SPRINT_20251229_005_003_FE_lineage_ui_wiring │
│ (9 tasks) │
│ - Service API calls │
│ - Component data binding │
│ - Error/loading states │
│ - E2E tests │
│ │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ │
│ SPRINT_20251229_005_002_CONCEL_astra_connector │
│ (12 tasks) - INDEPENDENT │
│ - Research advisory format │
│ - Connector implementation │
│ - Version matcher (dpkg EVR) │
│ - Integration tests │
│ │
└─────────────────────────────────────────────────────────────┘
```
### Task Summary
| Sprint | Module | Tasks | Effort Estimate |
|--------|--------|-------|-----------------|
| 005_001 | BE (SbomService) | 13 | Medium |
| 005_002 | CONCEL (Concelier) | 12 | Medium-High (research required) |
| 005_003 | FE (Web) | 9 | Low-Medium |
| **Total** | | **34** | |
### Critical Path
1. **BE API (005_001)** must complete before **FE Wiring (005_003)**
2. **Astra Connector (005_002)** is independent - can run in parallel
3. No blocking dependencies on existing CGS infrastructure sprint (005_001_001)
---
## Architecture Decisions
### Confirmed Decisions (No Change Needed)
| ID | Decision | Rationale |
|----|----------|-----------|
| AD-001 | Link-Not-Merge for advisories | Preserves conflict evidence |
| AD-002 | 3-component trust vector | Superior to single score |
| AD-003 | Deterministic JSON serialization | Enables replay verification |
| AD-004 | Valkey for hover cache | Matches existing infrastructure |
| AD-005 | dpkg EVR for Astra | Astra is Debian-based |
### Pending Decisions
| ID | Decision | Owner | Deadline |
|----|----------|-------|----------|
| PD-001 | Astra advisory feed format | Research in Sprint 005_002 | Before ASTRA-002 |
| PD-002 | Evidence pack size limit | Product | Before LIN-010 |
| PD-003 | Astra air-gap bundle strategy | Operations | Before ASTRA-007 |
---
## Risk Assessment
| Risk | Probability | Impact | Mitigation |
|------|------------|--------|------------|
| Astra feed unavailable or undocumented | Medium | High | Contact Astra directly; fall back to manual advisory import |
| UI components need significant refactoring | Low | Medium | Components are well-structured; only service layer changes |
| Backend API performance under load | Low | Medium | Caching strategy designed; load test before production |
| Database migration conflicts | Low | Low | Migrations are additive only |
---
## Appendix: Evidence Locations
### Documentation
- `docs/modules/sbomservice/lineage/architecture.md` - Lineage architecture
- `docs/modules/concelier/architecture.md` - Advisory ingestion
- `docs/modules/feedser/architecture.md` - Patch fingerprinting
- `docs/modules/vex-lens/architecture.md` - Trust lattice
### Code
- `src/Web/StellaOps.Web/src/app/features/lineage/` - UI components (41 files)
- `src/Concelier/__Connectors/` - Advisory connectors (5 implemented)
- `src/__Libraries/StellaOps.VersionComparison/` - Version comparators
- `src/Feedser/` - Patch signature extraction
### Sprints Created
- `docs/implplan/SPRINT_20251229_005_001_BE_sbom_lineage_api.md`
- `docs/implplan/SPRINT_20251229_005_002_CONCEL_astra_connector.md`
- `docs/implplan/SPRINT_20251229_005_003_FE_lineage_ui_wiring.md`
---
## Conclusion
The product advisory is **valuable for prioritization** but significantly underestimates existing implementation maturity. The StellaOps codebase already contains:
- Complete architecture documentation for SBOM Lineage
- ~80% complete UI implementation
- 5 of 6 distro connectors fully implemented
- All version comparators implemented
- Complete patch fingerprinting and trust frameworks
**Recommended Action:** Execute the 3 targeted sprints totaling 34 tasks. Skip the proposed UAS schema in favor of the existing superior model. The only significant new development is the Astra Linux connector.