semi implemented and features implemented save checkpoint

2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
--- a/docs/features/unchecked/scanner/offline-kit-import-and-attestation-verification.md
+++ b/docs/features/unchecked/scanner/offline-kit-import-and-attestation-verification.md
@@ -0,0 +1,37 @@
+# Offline Kit Import and Attestation Verification
+
+## Module
+Scanner
+
+## Status
+IMPLEMENTED
+
+## Description
+Offline kit import service and offline attestation verifier with test coverage in Scanner module, enabling verification of DSSE-signed attestations without network access.
+
+## Implementation Details
+- **Offline Kit Import**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/OfflineKitImportService.cs` - `OfflineKitImportService` imports offline vulnerability data kits
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/OfflineKitManifestService.cs` - `OfflineKitManifestService` manages offline kit manifests
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/OfflineKitContracts.cs` - Contract models for offline kit operations
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/OfflineKitStateStore.cs` - State tracking for imported kits
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/OfflineKitMetricsStore.cs` - Metrics tracking for import operations
+- **Attestation Verification**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/IOfflineAttestationVerifier.cs` - `IOfflineAttestationVerifier` interface for verifying DSSE-signed attestations offline
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/OfflineAttestationVerifier.cs` - `OfflineAttestationVerifier` verifies DSSE signatures without network access using local trust anchors
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/NullOfflineKitAuditEmitter.cs` - Null audit emitter for environments without audit logging
+- **API Endpoints**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/OfflineKitEndpoints.cs` - REST endpoints for importing and managing offline kits
+- **Configuration**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/OfflineKitOptions.cs` - `OfflineKitOptions` configuration model
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/OfflineKitOptionsValidator.cs` - Options validation
+- **Trust Anchors**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/TrustAnchors/TrustAnchorRegistry.cs` - `TrustAnchorRegistry` manages local trust anchors for offline verification
+
+## E2E Test Plan
+- [ ] Import an offline vulnerability kit via the `OfflineKitEndpoints` and verify it is accepted and stored
+- [ ] Verify DSSE-signed attestations within the kit are verified using local trust anchors without network access
+- [ ] Verify import of a tampered kit fails attestation verification
+- [ ] Verify kit manifest service correctly lists available kits and their status
+- [ ] Verify offline kit state tracking records import timestamps and kit versions
+- [ ] Verify the scanner operates correctly with offline kit data as its vulnerability source