Add unit tests for SBOM ingestion and transformation

- Implement `SbomIngestServiceCollectionExtensionsTests` to verify the SBOM ingestion pipeline exports snapshots correctly.
- Create `SbomIngestTransformerTests` to ensure the transformation produces expected nodes and edges, including deduplication of license nodes and normalization of timestamps.
- Add `SbomSnapshotExporterTests` to test the export functionality for manifest, adjacency, nodes, and edges.
- Introduce `VexOverlayTransformerTests` to validate the transformation of VEX nodes and edges.
- Set up project file for the test project with necessary dependencies and configurations.
- Include JSON fixture files for testing purposes.
This commit is contained in:
master
2025-11-04 07:49:39 +02:00
parent f72c5c513a
commit 2eb6852d34
491 changed files with 39445 additions and 3917 deletions


@@ -1,107 +1,44 @@
{
"schemaVersion": "1.0.0",
"predicateType": "StellaOps.BuildProvenance@1",
"subject": [
{
"subjectKind": "container-image",
"name": "registry.stella-ops.internal/scan/api",
"digest": {
"sha256": "5f4d4b1e9c2f3a1d7a4e5b6c7d8e9f00112233445566778899aabbccddeeff00"
},
"imageDigest": "sha256:5f4d4b1e9c2f3a1d7a4e5b6c7d8e9f00112233445566778899aabbccddeeff00",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json"
}
],
"issuer": {
"issuerType": "service",
"id": "urn:stellaops:svc:builder",
"tenantId": "tenant-alpha",
"displayName": "StellaOps Build Service",
"workload": {
"service": "builder-web",
"cluster": "prod-us-east",
"namespace": "build-system"
},
"signingKey": {
"keyId": "builder-key-01",
"mode": "kms",
"algorithm": "ed25519",
"issuer": "vault.kms.internal"
}
"schemaVersion": "StellaOps.BuildProvenance@1",
"buildType": "stellaops:buildkit@v1",
"builder": {
"id": "urn:stellaops:builder:buildkit",
"version": "1.9.2",
"platform": "linux/amd64"
},
"issuedAt": "2025-10-31T18:21:04Z",
"materials": [
{
"uri": "git+https://git.stella-ops.org/scanner.git@refs/heads/main",
"digest": {
"sha1": "a1b2c3d4e5f6a7b8c9d00112233445566778899a"
},
"role": "source"
"digests": [
{
"algorithm": "sha256",
"value": "a1b2c3d4e5f6a7b8c9d0e1f234567890aabbccddeeff11223344556677889900"
}
],
"note": "Source repository commit"
},
{
"uri": "oci://registry.stella-ops.internal/base/node:20-bullseye",
"digest": {
"sha256": "ab40d8d0734c28f3b60df1e6a4ed3f2c1b5d7e9f0a1b2c3d4e5f66778899aabb"
},
"role": "base-image"
}
],
"transparency": [
{
"logId": "rekor-primary",
"logUrl": "https://rekor.stella-ops.internal",
"uuid": "cb2a6f2e-353e-4a62-8504-18f741fa0010",
"index": 128943,
"checkpoint": {
"origin": "rekor-primary",
"size": 155000,
"rootHash": "3rJcAM1b9x1Pcjwo8y9zKg2v1nX8/oe3mY4HhE2bY0g=",
"timestamp": "2025-10-31T18:21:06Z"
},
"witnessed": true
}
],
"build": {
"buildType": "stellaops:buildkit@v1",
"builder": {
"id": "urn:stellaops:builder:buildkit",
"version": "1.9.2",
"displayName": "BuildKit Runner"
},
"invocation": {
"configSource": {
"uri": "git+https://git.stella-ops.org/scanner.git//.stella/build.yaml",
"digest": {
"sha256": "1f7e26d668d9fd6bae1a5d0a7a27bf3cdf8b4dd0d9775ad911e6cef0e1edf1d2"
"digests": [
{
"algorithm": "sha256",
"value": "ab40d8d0734c28f3b60df1e6a4ed3f2c1b5d7e9f0a1b2c3d4e5f66778899aabb"
}
},
"parameters": {
"target": "release",
"platform": "linux/amd64"
},
"environment": {
"GIT_SHA": "9f3e7ad1",
"CI_PIPELINE_ID": "build-2045"
},
"entryPoint": "ci/scripts/build-image.sh"
},
"metadata": {
"startedAt": "2025-10-31T18:19:11Z",
"finishedAt": "2025-10-31T18:20:52Z",
"reproducible": true,
"buildDurationSeconds": 101
},
"outputs": [
{
"subjectKind": "artifact",
"name": "dist/scanner-api.tar",
"digest": {
"sha256": "cfe4b9b77b4a90d63ba6c2e5b40e6d9b9724f9a3e0d5b6c7f8e9d0a1b2c3d4e5"
},
"mediaType": "application/x-tar",
"sizeBytes": 31457280
}
]
],
"note": "Base image"
}
],
"metadata": {
"buildStartedOn": "2025-10-31T18:19:11Z",
"buildFinishedOn": "2025-10-31T18:20:52Z",
"reproducible": true,
"buildInvocationId": "build-2045"
},
"slsaLevel": "slsa3.0"
"environment": {
"platform": "linux/amd64",
"imageDigest": {
"algorithm": "sha256",
"value": "5f4d4b1e9c2f3a1d7a4e5b6c7d8e9f00112233445566778899aabbccddeeff00"
}
}
}
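Review bot: This BuildProvenance fixture is the only one of the rewritten predicate fixtures with no top-level `subjectDigest`; the image digest survives only inside `environment.imageDigest` (L155-158) as an `{algorithm, value}` object, while the other fixtures expose the subject as a `"subjectDigest": "sha256:…"` string. If the ingest transformer keys subject nodes on `subjectDigest`, this fixture will not attach to the same subject node as the SBOM, VEX and scan fixtures. Consider adding `"subjectDigest": "sha256:5f4d4b1e9c2f3a1d7a4e5b6c7d8e9f00112233445566778899aabbccddeeff00",` directly after `schemaVersion`. The materials also lost their machine-readable `role` (source vs base-image) in favour of a free-text `note` (L72, L143), so a consumer can no longer distinguish the base image from the source checkout without parsing prose; file headers are not shown on this page, so the path is inferred from the predicate type.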


@@ -1,39 +1,24 @@
{
"schemaVersion": "1.0.0",
"predicateType": "StellaOps.CustomEvidence@1",
"subject": [
"schemaVersion": "StellaOps.CustomEvidence@1",
"subjectDigest": "sha256:d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a79876543210fedcba9876543210fedcba",
"kind": "runtime-manual-review",
"generatedAt": "2025-10-31T05:32:28Z",
"properties": [
{
"subjectKind": "artifact",
"name": "registry.stella-ops.internal/runtime/api@sha256:d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a79876543210fedcba9876543210fedcba",
"digest": {
"sha256": "f3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f708192"
}
}
],
"issuer": {
"issuerType": "automation",
"id": "urn:stellaops:automation:evidence-uploader",
"tenantId": "tenant-alpha",
"signingKey": {
"keyId": "automation-key-17",
"mode": "offline",
"algorithm": "ed25519"
}
},
"issuedAt": "2025-10-31T05:32:28Z",
"customSchema": {
"uri": "https://schemas.stella-ops.org/custom/runtime-evidence/v1.json",
"digest": {
"sha256": "aa11bb22cc33dd44ee55ff66aa77bb88cc99ddeeff0011223344556677889900"
"key": "control_id",
"value": "OPS-RUN-102"
},
"version": "1.0"
},
"payload": {
"controlId": "OPS-RUN-102",
"controlStatus": "passed",
"auditedBy": "auditor@example.org",
"evidenceUri": "s3://compliance-artifacts/runtime/api/2025-10-31/report.pdf",
"notes": "Manual security review completed for release 3.14.0."
},
"notes": "Custom evidence uploaded by compliance automation workflow."
{
"key": "audited_by",
"value": "auditor@example.org"
},
{
"key": "evidence_uri",
"value": "s3://compliance-artifacts/runtime/api/2025-10-31/report.pdf"
},
{
"key": "notes",
"value": "Manual security review completed for release 3.14.0."
}
]
}
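Review bot: The new `properties` list (L197-221) records control_id, audited_by, evidence_uri and notes but nothing records the review outcome; the replaced payload carried `controlStatus: "passed"`, and that pass/fail result is the one value a policy overlay would actually consume from a compliance evidence predicate. If the outcome is meant to survive the key/value shape, add `{ "key": "control_status", "value": "passed" }` alongside control_id. Separately, the property keys are snake_case while every top-level key in the fixture set is camelCase; pick one convention so tests do not have to special-case the nested names.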


@@ -1,77 +1,22 @@
{
"schemaVersion": "1.0.0",
"predicateType": "StellaOps.PolicyEvaluation@1",
"subject": [
"schemaVersion": "StellaOps.PolicyEvaluation@1",
"subjectDigest": "sha256:5f4d4b1e9c2f3a1d7a4e5b6c7d8e9f00112233445566778899aabbccddeeff00",
"policyVersion": "2025.10.1",
"evaluatedAt": "2025-10-31T02:44:09Z",
"outcome": "fail",
"decisions": [
{
"subjectKind": "policy-report",
"name": "policy-eval/runtime-api@sha256:5f4d4b1e9c2f3a1d7a4e5b6c7d8e9f00112233445566778899aabbccddeeff00",
"digest": {
"sha256": "21f4b8d7c6e5a4f3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9"
}
}
],
"issuer": {
"issuerType": "service",
"id": "urn:stellaops:svc:policy-engine",
"tenantId": "tenant-alpha",
"signingKey": {
"keyId": "policy-engine-key",
"mode": "hsm",
"algorithm": "ed25519",
"issuer": "yubi-hsm"
}
},
"issuedAt": "2025-10-31T02:44:09Z",
"policy": {
"policyId": "runtime-enforce",
"policyVersion": "2025.10.1",
"revisionDigest": {
"sha256": "aa55bb66cc77dd88ee99ff00112233445566778899aabbccddeeff0011223344"
},
"mode": "enforce"
},
"result": {
"status": "fail",
"summary": "Policy runtime-enforce failed: 1 blocking rule violation.",
"violations": [
{
"ruleId": "RULE-RUNTIME-001",
"severity": "high",
"message": "Critical KEV vulnerabilities detected without waiver.",
"evidence": [
{
"type": "scan",
"id": "CVE-2025-10001"
}
],
"suggestedRemediation": "Apply patched base image or configure approved waiver."
}
],
"waiversApplied": [
"WAIVER-LICENSE-123"
]
},
"explain": [
{
"id": "trace-node-1",
"type": "rule",
"message": "Evaluated RULE-RUNTIME-001 on scan results"
"policyId": "runtime-enforce",
"ruleId": "RULE-RUNTIME-001",
"effect": "deny",
"reason": "Critical KEV vulnerabilities detected without waiver.",
"remediation": "Patch OpenSSL or apply approved waiver."
},
{
"id": "trace-node-1.1",
"type": "binding",
"message": "Matched vulnerability CVE-2025-10001 with severity critical"
"policyId": "runtime-enforce",
"ruleId": "RULE-LICENSE-123",
"effect": "allow",
"reason": "License waiver applied (WAIVER-LICENSE-123)."
}
],
"metrics": {
"rulesEvaluated": 12,
"rulesPassed": 11,
"rulesFailed": 1,
"evaluationDurationMs": 84
},
"policyContext": {
"policyId": "runtime-enforce",
"policyVersion": "2025.10.1",
"mode": "enforce"
}
]
}
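Review bot: The deny decision at L292-296 says a KEV vulnerability was found but names no vulnerability id, whereas the replaced explain trace bound RULE-RUNTIME-001 to CVE-2025-10001; without that link a consumer cannot join the decision to the scan finding or to the VEX statement that covers the same CVE. Consider carrying the evidence on the decision, e.g. `"vulnerabilityId": "CVE-2025-10001",` next to `ruleId`. Also, `policyId` is repeated in every decision (L292, L302) while the top level has only `policyVersion` (L234); a version with no id at the top is ambiguous, so either hoist `"policyId": "runtime-enforce",` to the top level or keep both id and version per decision.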


@@ -1,68 +1,24 @@
{
"schemaVersion": "1.0.0",
"predicateType": "StellaOps.RiskProfileEvidence@1",
"subject": [
"schemaVersion": "StellaOps.RiskProfileEvidence@1",
"subjectDigest": "sha256:d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a79876543210fedcba9876543210fedcba",
"generatedAt": "2025-10-31T04:00:00Z",
"riskScore": 62.0,
"riskLevel": "high",
"factors": [
{
"subjectKind": "risk-profile",
"name": "runtime-api@sha256:d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a79876543210fedcba9876543210fedcba",
"digest": {
"sha256": "f3c2b1a0e9d8c7b6a5f4e3d2c1b0a9876543210fedcba9876543210fedcba987"
}
}
],
"issuer": {
"issuerType": "service",
"id": "urn:stellaops:svc:risk-engine",
"tenantId": "tenant-alpha",
"signingKey": {
"keyId": "risk-engine-key",
"mode": "kms",
"algorithm": "ed25519"
}
},
"issuedAt": "2025-10-31T04:00:00Z",
"window": {
"startedAt": "2025-10-30T04:00:00Z",
"endedAt": "2025-10-31T04:00:00Z"
},
"riskScores": {
"overall": 0.62,
"exploitability": 0.74,
"impact": 0.51,
"epss98Percentile": 0.92,
"kevCount": 1
},
"exposure": {
"internetFacing": true,
"runtimeEnforced": false,
"criticality": "mission-critical",
"deployments": 48
},
"controls": {
"sbomAttested": true,
"vexCoverage": "partial",
"policyStatus": "fail",
"lastPolicyEvaluation": "2025-10-31T02:44:09Z"
},
"findings": [
{
"category": "vulnerability",
"severity": "critical",
"summary": "KEV-listed OpenSSL vulnerability present without compensating control.",
"detail": "CVE-2025-10001 remained open in production deployments for >24h.",
"evidence": [
"scan:CVE-2025-10001",
"policy:RULE-RUNTIME-001"
]
"name": "kev_vulnerabilities",
"weight": 0.35,
"description": "OpenSSL KEV vulnerability unresolved for >24h."
},
{
"category": "runtime",
"severity": "medium",
"summary": "No runtime admission control for critical namespaces.",
"detail": "Zastava webhook disabled on cluster prod-us-east due to maintenance.",
"evidence": [
"zastava:event:2025-10-30T21:41Z"
]
"name": "runtime_controls",
"weight": 0.25,
"description": "Admission control disabled on prod-us-east cluster."
},
{
"name": "internet_exposure",
"weight": 0.20,
"description": "Service exposed to the internet via public load balancer."
}
]
}
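Review bot: `riskScore` at L332 is 62.0 while the factor `weight` values (L388, L400, L405) are fractions in 0–1, and the replaced fixture expressed the overall score as `overall: 0.62`; the document now mixes a 0–100 and a 0–1 scale without naming either. If the transformer or any assertion compares these values, make the scale explicit — either `"riskScore": 0.62` to match the weights, or a key that carries the range. The three weights also sum to 0.80 rather than 1.0; if weights are meant to be normalized, a fourth factor or a note in the test would make that intent visible, otherwise a reader will assume a factor was dropped.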


@@ -1,80 +1,27 @@
{
"schemaVersion": "1.0.0",
"predicateType": "StellaOps.SBOMAttestation@1",
"subject": [
"schemaVersion": "StellaOps.SBOMAttestation@1",
"subjectDigest": "sha256:4d7c3a1b2f9e0d6c5b4a3f2e1d0c9b8a7766554433221100ffaabbccddeeff12",
"sbomFormat": "CycloneDX-1.6",
"sbomDigest": {
"algorithm": "sha256",
"value": "9a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b"
},
"sbomUri": "cas://sbom/blobs/9a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b",
"componentCount": 215,
"packages": [
{
"subjectKind": "container-image",
"name": "registry.stella-ops.internal/policy/engine",
"digest": {
"sha256": "4d7c3a1b2f9e0d6c5b4a3f2e1d0c9b8a7766554433221100ffaabbccddeeff12"
},
"imageDigest": "sha256:4d7c3a1b2f9e0d6c5b4a3f2e1d0c9b8a7766554433221100ffaabbccddeeff12"
}
],
"issuer": {
"issuerType": "service",
"id": "urn:stellaops:svc:scanner",
"tenantId": "tenant-alpha",
"signingKey": {
"keyId": "scanner-key-01",
"mode": "keyless",
"algorithm": "ecdsa-p256",
"issuer": "fulcio.internal",
"certificateChain": [
"-----BEGIN CERTIFICATE-----MIIB...==-----END CERTIFICATE-----"
"purl": "pkg:rpm/redhat/openssl@3.0.12-3.el9",
"version": "3.0.12-3.el9",
"licenses": [
"OpenSSL"
]
},
{
"purl": "pkg:npm/lodash@4.17.21",
"version": "4.17.21",
"licenses": [
"MIT"
]
}
},
"issuedAt": "2025-10-30T14:05:18Z",
"materials": [
{
"uri": "oci://registry.stella-ops.internal/scanner/sbom-indexer@sha256:1122aa55bb66cc77dd88ee99ff00112233445566778899aabbccddeeff001122",
"role": "scanner-runtime"
}
],
"transparency": [
{
"logId": "rekor-primary",
"logUrl": "https://rekor.stella-ops.internal",
"uuid": "11111111-2222-3333-4444-555555555555",
"index": 567890
}
],
"sbom": {
"format": "cyclonedx-json",
"specVersion": "1.6",
"digest": {
"sha256": "9a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b"
},
"contentUri": "cas://sbom/blobs/9a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b",
"contentMediaType": "application/vnd.cyclonedx+json;version=1.6",
"sizeBytes": 48213,
"descriptor": {
"bomRef": "urn:uuid:fa8706c2-2d3e-4e74-bc3e-337ca0fdf2f7",
"componentName": "policy-engine",
"componentVersion": "1.12.0"
},
"componentCounts": {
"packages": 215,
"dependencies": 214,
"services": 0,
"vulnerabilities": 14
}
},
"coverage": {
"layers": [
"sha256:aa11bb22cc33dd44ee55ff66aa77bb88cc99ddeeff00112233445566778899aa",
"sha256:bb22cc33dd44ee55ff66aa77bb88cc99ddeeff00112233445566778899aabbcc"
],
"packagesIncluded": true,
"licenseScanEnabled": true
},
"generator": {
"name": "StellaOps Scanner",
"version": "2.4.3",
"buildId": "scanner-build-8897",
"configurationDigest": {
"sha256": "abc1239f7e6d5c4b3a29181706f5e4d3c2b1a0f99887766554433221100ffeedd"
}
}
]
}
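Review bot: `sbomDigest` (L421-424) encodes a digest as an `{algorithm, value}` object while `subjectDigest` on L419 is a `"sha256:…"` string; two encodings of the same concept in one document force every consumer to special-case, so pick one — `"sbomDigest": "sha256:9a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b",` matches the subject field and the other fixtures. Each package also repeats in `version` the version already embedded in `purl` (L448-449, L455-456), which can drift; if the transformer reads the version from the purl the duplicate can go, otherwise document which one wins when they disagree.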


@@ -1,126 +1,39 @@
{
"schemaVersion": "1.0.0",
"predicateType": "StellaOps.ScanResults@1",
"subject": [
{
"subjectKind": "scan-report",
"name": "registry.stella-ops.internal/runtime/api@sha256:d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a79876543210fedcba9876543210fedcba",
"digest": {
"sha256": "deafbeefdeafbeefdeafbeefdeafbeefdeafbeefdeafbeefdeafbeefdeafbeef"
},
"imageDigest": "sha256:d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a79876543210fedcba9876543210fedcba"
}
],
"issuer": {
"issuerType": "service",
"id": "urn:stellaops:svc:scanner.worker",
"tenantId": "tenant-alpha",
"signingKey": {
"keyId": "scanner-worker-key",
"mode": "keyless",
"algorithm": "ed25519",
"issuer": "fulcio.internal"
}
},
"issuedAt": "2025-10-29T06:14:45Z",
"materials": [
{
"uri": "git+https://git.stella-ops.org/runtime/api.git@refs/tags/v3.14.0",
"role": "source"
}
],
"transparency": [
{
"logId": "rekor-primary",
"logUrl": "https://rekor.stella-ops.internal",
"uuid": "33333333-4444-5555-6666-777777777777",
"index": 778899
}
],
"scanner": {
"name": "StellaOps Scanner",
"version": "2.4.3",
"runId": "scan-20251029-0614",
"configurationDigest": {
"sha256": "f1c2d3e4a5b60718293a4b5c6d7e8f90123456789abcdef0123456789abcdef0"
},
"mode": "inventory"
},
"summary": {
"totalFindings": 6,
"newFindings": 2,
"kevFindings": 1,
"fixableFindings": 4,
"severityCounts": {
"critical": 1,
"high": 2,
"medium": 2,
"low": 1,
"informational": 0
}
},
"policyContext": {
"policyId": "default-runtime-policy",
"policyVersion": "42",
"mode": "enforce"
},
"schemaVersion": "StellaOps.ScanResults@1",
"subjectDigest": "sha256:d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a79876543210fedcba9876543210fedcba",
"scannerName": "StellaOps Scanner",
"scannerVersion": "2.4.3",
"generatedAt": "2025-10-29T06:14:45Z",
"findings": [
{
"vulnerabilityId": "CVE-2025-10001",
"id": "CVE-2025-10001",
"severity": "critical",
"status": "detected",
"kev": true,
"package": {
"name": "openssl",
"version": "3.0.12-3.el9",
"purl": "pkg:rpm/redhat/openssl@3.0.12-3.el9",
"type": "rpm"
},
"fixedVersion": "3.0.13-1.el9",
"introducedIn": "sha256:aa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddccbb",
"evidence": {
"source": "os-packages",
"paths": [
"/usr/lib64/libssl.so.3"
],
"callers": [
"policy-engine"
]
}
"packageName": "openssl",
"packageVersion": "3.0.12-3.el9",
"cvssScore": 9.8,
"description": "OpenSSL key recovery vulnerability present in base image.",
"references": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-10001"
]
},
{
"vulnerabilityId": "GHSA-1234-abcd-5678",
"id": "GHSA-1234-abcd-5678",
"severity": "high",
"status": "detected",
"kev": false,
"package": {
"name": "lodash",
"version": "4.17.21",
"purl": "pkg:npm/lodash@4.17.21",
"type": "npm"
},
"fixedVersion": "4.17.22",
"evidence": {
"source": "application-lockfile",
"paths": [
"/app/package-lock.json"
]
},
"notes": "Used by metrics exporter."
"status": "confirmed",
"packageName": "lodash",
"packageVersion": "4.17.21",
"description": "Lodash prototype pollution issue detected in app dependencies."
},
{
"vulnerabilityId": "CVE-2024-50010",
"id": "CVE-2024-50010",
"severity": "medium",
"status": "remediated",
"kev": false,
"package": {
"name": "glibc",
"version": "2.36-60.el9",
"purl": "pkg:rpm/redhat/glibc@2.36-60.el9",
"type": "rpm"
},
"fixedVersion": "2.36-62.el9",
"notes": "Patched in base image refresh."
"status": "fixed",
"packageName": "glibc",
"packageVersion": "2.36-60.el9",
"references": [
"https://access.redhat.com/errata/RHSA-2024:50010"
]
}
]
}
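Review bot: The new findings (L594-621, L625-646, L650-667) no longer carry the `kev` boolean, yet the PolicyEvaluation and RiskProfile fixtures in this same commit still justify their deny decision and top risk factor with a KEV listing on CVE-2025-10001; if any test derives KEV status from scan findings, that source is gone. Add `"kev": true,` to the CVE-2025-10001 finding (and `"kev": false,` to the others) or document that KEV is sourced elsewhere. The `status` vocabulary is also inconsistent: `confirmed` (L643) and `fixed` (L662) replace the old `detected`/`remediated`, while the first finding appears to keep `detected` (L596, side not certain from this view), which leaves three distinct values across three findings; settle on one closed enum.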


@@ -1,72 +1,23 @@
{
"schemaVersion": "1.0.0",
"predicateType": "StellaOps.VEXAttestation@1",
"subject": [
{
"subjectKind": "vex-statement",
"name": "registry.stella-ops.internal/runtime/api@sha256:d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a79876543210fedcba9876543210fedcba",
"digest": {
"sha256": "8f6e5d4c3b2a190817263544554433221100ffeeddaabbccddeeff0011223344"
}
}
],
"issuer": {
"issuerType": "service",
"id": "urn:stellaops:svc:excitor",
"tenantId": "tenant-alpha",
"signingKey": {
"keyId": "vex-service-key",
"mode": "kms",
"algorithm": "ed25519",
"issuer": "kms.attestor.internal"
}
},
"issuedAt": "2025-10-30T09:12:03Z",
"vexStandard": "openvex-1.0",
"generator": {
"name": "StellaOps Excititor",
"version": "1.8.0"
},
"schemaVersion": "StellaOps.VEXAttestation@1",
"subjectDigest": "sha256:d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a79876543210fedcba9876543210fedcba",
"generatedAt": "2025-10-30T09:12:03Z",
"statements": [
{
"id": "stmt-001",
"vulnerabilityId": "CVE-2025-10001",
"status": "not_affected",
"statementType": "analysis",
"timestamp": "2025-10-30T09:11:40Z",
"justification": "Component not present in the deployed runtime closure.",
"impactStatement": "The affected OpenSSL module is unused by the runtime API image entrypoint chain.",
"products": [
{
"productId": "registry.stella-ops.internal/runtime/api@sha256:d2c3b4...",
"name": "runtime-api",
"version": "3.14.0",
"purl": "pkg:oci/runtime-api@sha256:d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a79876543210fedcba9876543210fedcba"
}
],
"supplier": {
"name": "StellaOps Runtime Guild",
"id": "urn:stellaops:guild:runtime"
},
"justification": "Component not present in runtime closure.",
"references": [
"https://kb.stella-ops.org/vex/CVE-2025-10001"
]
},
{
"id": "stmt-002",
"vulnerabilityId": "GHSA-1234-abcd-5678",
"status": "affected",
"statementType": "remediation",
"timestamp": "2025-10-30T09:11:55Z",
"impactStatement": "Lodash is present in the telemetry plug-in; exploitation requires UID 0 inside the container.",
"actionStatement": "Upgrade telemetry plug-in to v2.1.5 or apply policy waiver until patch window.",
"products": [
{
"productId": "registry.stella-ops.internal/runtime/api@sha256:d2c3b4...",
"name": "runtime-api",
"version": "3.14.0"
}
],
"impactStatement": "Telemetry plug-in depends on vulnerable lodash version.",
"actionStatement": "Upgrade telemetry plug-in to v2.1.5.",
"references": [
"https://github.com/lodash/lodash/security/advisory"
]


@@ -15,7 +15,8 @@
|----|--------|----------|------------|-------------|---------------|
| ATTESTOR-72-001 | DONE | Attestor Service Guild | ATTEST-ENVELOPE-72-001 | Scaffold service (REST API skeleton, storage interfaces, KMS integration stubs) and DSSE validation pipeline. | Service builds/tests; signing & verification stubs wired; lint/CI green. |
| ATTESTOR-72-002 | DONE | Attestor Service Guild | ATTESTOR-72-001 | Implement attestation store (DB tables, object storage integration), CRUD, and indexing strategies. | Migrations applied; CRUD API functional; storage integration unit tests pass. |
| ATTESTOR-72-003 | BLOCKED | Attestor Service Guild, QA Guild | ATTESTOR-72-002 | Validate attestation store TTL against production-like Mongo/Redis stack; capture logs and remediation plan. | Evidence of TTL expiry captured; report archived in docs/modules/attestor/ttl-validation.md. |
| ATTESTOR-72-003 | DONE (2025-11-03) | Attestor Service Guild, QA Guild | ATTESTOR-72-002 | Validate attestation store TTL against production-like Mongo/Redis stack; capture logs and remediation plan. | Evidence of TTL expiry captured; report archived in docs/modules/attestor/ttl-validation.md. |
> 2025-11-03: Ran TTL validation against locally hosted MongoDB 7.0.5 and Redis 7.2.4 (manual processes). Document expirations captured in `docs/modules/attestor/evidence/2025-11-03-{mongo,redis}-ttl-validation.txt`; summary added to `docs/modules/attestor/ttl-validation.md`.
### Sprint 73 Signing & Verification
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
@@ -38,4 +39,9 @@
| ATTESTOR-75-001 | DONE | Attestor Service Guild, Export Guild | ATTESTOR-74-002, EXPORT-ATTEST-74-001 | Add export/import flows for attestation bundles and offline verification mode. | Bundles generated/imported; offline verification path documented; tests cover missing witness data. |
| ATTESTOR-75-002 | DONE | Attestor Service Guild, Security Guild | ATTESTOR-73-002 | Harden APIs with rate limits, auth scopes, threat model mitigations, and fuzz testing. | Rate limiting enforced; fuzz tests run in CI; threat model actions resolved. |
### Sprint 187 Replay Ledger Integration
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| ATTEST-REPLAY-187-003 | TODO | Attestor Service Guild, Ops Guild | REPLAY-CORE-185-001, SCAN-REPLAY-186-001 | Anchor replay manifests to Rekor, expose verification API responses, and update `docs/modules/attestor/architecture.md` referencing `docs/replay/DETERMINISTIC_REPLAY.md` Section 9. | Rekor anchoring automated; verification endpoints document replay status; docs merged. |
*** End Task Board ***