feat(excititor+cli+web): VEX provider control plane — CLI + Web extensions (SPRINT_20260422_004)

Continues the SPRINT_20260422_004_Concelier_full_connector_control_plane
feature stream started in commit 5c1b59580 (Excititor provider management
endpoints + contracts + service + tests). Adds the CLI + Web surfaces on
top of that backend.

CLI (src/Cli/**):
- CommandHandlers + BackendOperationsClient extended with provider
  management calls
- ExcititorProviderSummary model added to the CLI's service models
- NonCoreCliCommandModule wires the new commands; tests updated
- TASKS.md entries synced

Web console (src/Web/StellaOps.Web/**):
- New vex-provider-catalog.component + vex-provider-management.api client
- advisory-source-catalog + advisory-vex-route-helpers extended to route
  users to the new VEX provider surface
- integration-hub.routes.ts registers the new route
- security-disposition-page.component.ts updated for the flow

Excititor/Concelier docs + contracts:
- docs/modules/excititor/operations/provider-control-plane.md — operator
  guide for the new control plane
- docs/modules/excititor/README.md + docs/modules/concelier/{README,
  connectors}.md — cross-links + refs
- ConfiguredAdvisorySourceService.cs — additional provider plumbing
- StellaOps.Excititor.WebService/TASKS.md synced

Sprint doc (docs/implplan/SPRINT_20260422_004_*.md) reflects the
in-flight progress.

This is external-stream work picked up during the 2026-04-22 session's
closeout — bundling it now so the working tree is clean and main stays
in sync with local feature-branch state.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -1,15 +1,12 @@
# StellaOps Concelier
Concelier ingests signed advisories from **32 advisory connectors** and converts them into immutable observations plus linksets under the Aggregation-Only Contract (AOC).
Concelier maintains a catalog of **78 advisory source definitions** and currently wires **31 built-in runnable advisory pipelines** in the default WebService host. It converts signed advisories into immutable observations plus linksets under the Aggregation-Only Contract (AOC).
**Advisory Sources (32 connectors):**
- **National CERTs (8):** ACSC (Australia), CCCS (Canada), CERT-Bund (Germany), CERT-CC (US), CERT-FR (France), CERT-IN (India), JVN (Japan), KISA (Korea)
- **OS Distros (5):** Alpine SecDB, Debian Security Tracker, RedHat OVAL, SUSE OVAL, Ubuntu USN
- **Vendors (7):** Apple, Adobe, Chromium, Cisco PSIRT, Microsoft MSRC, Oracle, VMware
- **Standards (5):** CVE, NVD, GHSA (GitHub), OSV, EPSS v4
- **Threat Intel (3):** KEV (CISA Exploited Vulns), CISA ICS, Kaspersky ICS
- **Regional (3):** Russia BDU, Russia NKCKI, Plus regional mirrors
- **Internal (1):** StellaOps internal mirror
Current operator references:
- Full advisory inventory and runnable-vs-catalog truth: [`connectors.md`](./connectors.md)
- Stored credential and endpoint override entry paths: [`operations/source-credentials.md`](./operations/source-credentials.md)
- Per-connector runbooks: `./operations/connectors/`
## Responsibilities
- Fetch and normalise vulnerability advisories via restart-time connectors.
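Review bot: the new "Current operator references" list in this README has no link to the Excititor provider control plane guide, even though the connectors.md rewritten in the same commit declares itself the inventory for "the linked Excititor VEX provider control plane" and the commit message says cross-links were added; add a fourth bullet pointing at `docs/modules/excititor/operations/provider-control-plane.md` so an operator who starts from the Concelier README also finds the VEX side. The two counts (`78` definitions, `31` built-in runnable) agree with the connectors.md inventory in this commit, which has 31 rows with `Built-in runnable = yes`, so nothing to fix there.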
@@ -1,265 +1,166 @@
# Concelier Connectors
This index lists Concelier connectors, their status, authentication expectations, and links to operational runbooks. For procedures and alerting, see `docs/modules/concelier/operations/connectors/`.
This index is the authoritative operator-facing inventory for the Concelier advisory source catalog and the linked Excititor VEX provider control plane.
Operator configuration note:
## Current control-plane counts
- Supported advisory source credentials and endpoint overrides can now be supplied through the Web UI or `stella db connectors configure ...`.
- GHSA, Cisco, and Microsoft use operator-supplied credentials through that path.
- Oracle, Adobe, and Chromium use public defaults and only need UI or CLI input when you override or mirror the upstream endpoints.
- See [source-credentials.md](docs/modules/concelier/operations/source-credentials.md).
- Advisory source catalog definitions: `78`
- Advisory sources with built-in runnable fetch pipelines on this host: `31`
- Advisory sources with stored connector configuration exposed through both Web UI and CLI: `6`
- Excititor VEX providers in the provider catalog: `7`
---
Operator entry points:
## Blocked / sleeping readiness state
- Advisory source catalog: `Ops -> Integrations -> Advisory & VEX Sources`
- Advisory source stored configuration: source card -> `Stored Connector Configuration`
- Advisory source CLI path: `stella db connectors configure <source-id>`
- VEX provider catalog: `Ops -> Integrations -> Advisory & VEX Sources -> VEX Providers`
- VEX provider CLI path: `stella excititor list-providers`, `show-provider`, `enable-provider`, `disable-provider`, `run-provider`, `update-provider`
Each advisory source has two independent flags in its status response:
Related docs:
| Field | Meaning |
| --- | --- |
| `enabled` | Persisted operator intent. `true` means "the operator asked for this source to run". Survives restarts, backfills, and connectivity checks. |
| `readiness` | Runtime readiness. One of `ready`, `blocked`, `disabled`, or `unsupported`. Computed live from connector configuration. |
- Stored advisory credentials and endpoint overrides: `docs/modules/concelier/operations/source-credentials.md`
- Excititor provider control plane: `docs/modules/excititor/operations/provider-control-plane.md`
- Connector runbooks: `docs/modules/concelier/operations/connectors/`
The `blocked` state is reserved for **credential-gated or URI-gated sources that are persisted-enabled but missing required configuration**. In this state:
## Readiness model
- `enabled` remains `true` — the operator's intent is preserved across restarts.
- `readiness` (alias `syncState`) is `blocked`.
- `blockedReason` is a free-form human-readable message naming the missing field(s) (for example, `"GitHub Security Advisories requires an API token before sync can run."`).
- `blockingReason` carries the structured diagnostics object: `errorCode = SOURCE_CONFIG_REQUIRED`, `possibleReasons`, and ordered `remediationSteps`.
- The scheduler and the manual `/sync` and `/sync-all` endpoints **short-circuit** — the connector is never invoked, so the operator does not see a generic scheduler failure or a misleading "last run succeeded" state.
Advisory sources and VEX providers preserve operator intent separately from runtime readiness.
### Endpoint-by-endpoint contract
Advisory sources return:
| Endpoint | Blocked behaviour |
| --- | --- |
| `GET /api/v1/advisory-sources/status` | Per-source `readiness = "blocked"`, `blockedReason` populated, `readyForSync = false`, `enabled = true`. |
| `POST /api/v1/advisory-sources/{sourceId}/enable` | Returns `200 OK` with `{ enabled: true, readiness: "blocked", blockingReason, blockedReason }`. The persisted row is enabled but the source registry is left disabled until credentials land. |
| `POST /api/v1/advisory-sources/{sourceId}/sync` | Returns `422 Unprocessable Entity` with `{ error: "source_config_required", readiness: "blocked", code: "SOURCE_CONFIG_REQUIRED", blockedReason }`. The connector is **not** invoked and no job run is created. |
| `POST /api/v1/advisory-sources/sync` | Each blocked source is reported inside `results[]` with `outcome: "blocked"`, `readiness: "blocked"`, `errorCode: "SOURCE_CONFIG_REQUIRED"`, `blockedReason`; it is excluded from `totalTriggered`. Other sources in the batch still run normally. |
| `POST /api/v1/advisory-sources/check` | Blocked sources keep their persisted `enabled` value instead of being auto-disabled by the periodic connectivity check, so the status continues to reflect operator intent until credentials are supplied. |
- `enabled`: persisted operator intent
- `readiness` and `syncState`: one of `ready`, `blocked`, `disabled`, or `unsupported`
### Resolving the blocked state
Excititor VEX providers return:
The operator resolves a blocked source by supplying the missing configuration through either entry path:
- `enabled`: persisted operator intent
- `readiness` and `syncState`: one of `ready`, `blocked`, `disabled`, or `planned`
- Web UI: `Integrations -> Advisory sources`, open the source card, fill in the fields under **Configuration**, save.
- CLI: `stella db connectors configure <source> --set <field>=<value>` (see [`docs/modules/cli/guides/commands/db.md`](/C:/dev/New%20folder/git.stella-ops.org/docs/modules/cli/guides/commands/db.md)).
Interpretation:
On the next `/status` call the source's `readiness` flips to `ready`, `blockedReason` becomes `null`, and `readyForSync` becomes `true`. No disable/re-enable dance is required — the runtime settings cache picks up the persisted change through the options-invalidator and the connector runs on the next scheduler tick or manual trigger.
- `blocked` means the operator wants the connector enabled, but the runtime is intentionally holding it until required configuration or retry cooldown conditions clear.
- `unsupported` means the advisory source exists in the catalog but this host does not register a runnable `source:<id>:fetch` pipeline.
- `planned` means the VEX provider exists in the provider catalog but the current Excititor host has not registered a runnable connector for it.
UI/CLI rendering guidance:
Canonical runtime note:
- Render `enabled` and `readiness` as two separate indicators. An `enabled` toggle that silently collapses to a "disabled" or "failed" visualisation hides operator intent from the next operator on shift.
- Prefer `blockedReason` (short human sentence) for the visible row and fall back to `blockingReason.possibleReasons` / `remediationSteps` for an expanded drawer.
- Do not treat `blocked` as an error state for alerting purposes — it is an expected "sleeping" state on fresh installs and on hosts that have not yet received the credential set.
- Advisory source IDs come from `src/Concelier/__Libraries/StellaOps.Concelier.Core/Sources/SourceDefinitions.cs`
- Advisory source aliases are normalized by `src/Concelier/__Libraries/StellaOps.Concelier.Core/Sources/SourceKeyAliases.cs`
- Advisory source runnable pipelines come from `src/Concelier/StellaOps.Concelier.WebService/Extensions/JobRegistrationExtensions.cs`
- Excititor provider readiness comes from `src/Concelier/StellaOps.Excititor.WebService/Services/VexProviderManagementService.cs`
The catalog currently contains **78 source definitions** across **14 categories**. The authoritative source list is defined in `src/Concelier/__Libraries/StellaOps.Concelier.Core/Sources/SourceDefinitions.cs`.
## Advisory source inventory
Canonical runtime note: the operator-facing source IDs in this index are the only scheduler/catalog IDs that should be used for Concelier jobs and setup. Legacy connector aliases such as `ics-cisa`, `ics-kaspersky`, `ru-bdu`, `ru-nkcki`, `vndr-adobe`, `vndr-apple`, `vndr-chromium`, `vndr-cisco`, `vndr-oracle`, and `vndr.msrc` remain compatibility-only aliases inside normalization paths and must not appear as primary runtime job keys.
Legend:
Runtime note: the Concelier advisory catalog and the Excititor default VEX mirror bootstrap share some upstream vendors but are not the same pipeline. The default public VEX bootstrap currently seeds only `redhat`, `ubuntu`, `oracle`, and `cisco`, uses their public CSAF/notice endpoints, and staggers initial runs (`5m`, `7m`, `9m`, `11m`) to avoid burst-fetching multiple upstreams at the same instant.
- `Built-in runnable = yes` means this Concelier WebService registers a `source:<id>:fetch` job.
- `Stored config = UI+CLI` means operators can persist credentials or endpoint overrides through both the Web UI and `stella db connectors configure`.
- `Stored config = none` means no persisted connector-specific source configuration schema exists today on the advisory side.
---
## Source categories
| Category | Description | Source count |
| --- | --- | --- |
| Primary | Core vulnerability databases (NVD, OSV, GHSA, CVE) | 4 |
| Threat | Threat intelligence, exploit prediction, and known-exploited (EPSS, KEV, MITRE ATT&CK, D3FEND) | 4 |
| Vendor | Vendor PSIRTs and cloud provider security bulletins | 16 |
| Distribution | Linux distribution security trackers | 10 |
| Ecosystem | Language-ecosystem advisory feeds via OSV/GHSA | 9 |
| PackageManager | Native package manager advisory databases (cargo-audit, pip-audit, govulncheck, bundler-audit) | 4 |
| Csaf | CSAF/VEX structured document sources | 3 |
| Exploit | Exploit databases and proof-of-concept repositories | 3 |
| Container | Container image advisory sources | 2 |
| Hardware | Hardware and firmware PSIRT advisories | 3 |
| Ics | Industrial control systems and SCADA advisories | 2 |
| Cert | National CERTs and government CSIRTs | 15 |
| Mirror | StellaOps pre-aggregated mirrors | 1 |
| Other | Uncategorized sources | 0 |
---
## Primary Databases
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
| --- | --- | --- | --- | --- | --- |
| NVD (NIST) | `nvd` | stable | api-key (optional) | 10 | [nvd.md](docs/modules/concelier/operations/connectors/nvd.md) |
| OSV (Google) | `osv` | stable | none | 15 | [osv.md](docs/modules/concelier/operations/connectors/osv.md) |
| GitHub Security Advisories | `ghsa` | stable | api-token | 20 | [ghsa.md](docs/modules/concelier/operations/connectors/ghsa.md) |
| CVE.org (MITRE) | `cve` | stable | none | 5 | [cve.md](docs/modules/concelier/operations/connectors/cve.md) |
## Threat Intelligence & Exploit Scoring
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
| --- | --- | --- | --- | --- | --- |
| EPSS (FIRST) | `epss` | stable | none | 50 | [epss.md](docs/modules/concelier/operations/connectors/epss.md) |
| CISA KEV | `kev` | stable | none | 25 | [cve-kev.md](docs/modules/concelier/operations/connectors/cve-kev.md) |
| MITRE ATT&CK | `mitre-attack` | stable | none | 140 | -- |
| MITRE D3FEND | `mitre-d3fend` | stable | none | 142 | -- |
MITRE ATT&CK provides adversary tactics and techniques in STIX format from the `mitre/cti` GitHub repository. D3FEND provides the complementary defensive techniques knowledge base. Both are tagged `threat-intel` and consumed via the `SourceType.Upstream` connector. For future STIX/TAXII protocol feeds, the `SourceType.StixTaxii` enum value is available for connector extensibility.
## Vendor Advisories
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
| --- | --- | --- | --- | --- | --- |
| Red Hat Security | `redhat` | stable | none | 30 | [redhat.md](docs/modules/concelier/operations/connectors/redhat.md) |
| Microsoft Security (MSRC) | `microsoft` | stable | oauth | 35 | [msrc.md](docs/modules/concelier/operations/connectors/msrc.md) |
| Amazon Linux Security | `amazon` | stable | none | 40 | -- |
| Google Security | `google` | stable | none | 45 | -- |
| Oracle Security | `oracle` | stable | none | 50 | [oracle.md](docs/modules/concelier/operations/connectors/oracle.md) |
| Adobe Security | `adobe` | stable | none | 52 | [adobe.md](docs/modules/concelier/operations/connectors/adobe.md) |
| Apple Security | `apple` | stable | none | 55 | [apple.md](docs/modules/concelier/operations/connectors/apple.md) |
| Chromium Stable Channel Updates | `chromium` | stable | none | 57 | [chromium.md](docs/modules/concelier/operations/connectors/chromium.md) |
| Cisco Security | `cisco` | stable | oauth | 60 | [cisco.md](docs/modules/concelier/operations/connectors/cisco.md) |
| Fortinet PSIRT | `fortinet` | stable | none | 65 | -- |
| Juniper Security | `juniper` | stable | none | 70 | -- |
| Palo Alto Security | `paloalto` | stable | none | 75 | -- |
| VMware Security | `vmware` | stable | none | 80 | [vmware.md](docs/modules/concelier/operations/connectors/vmware.md) |
| AWS Security Bulletins | `aws` | stable | none | 81 | -- |
| Azure Security Advisories | `azure` | stable | none | 82 | -- |
| GCP Security Bulletins | `gcp` | stable | none | 83 | -- |
AWS, Azure, and GCP cloud provider advisories were added in Sprint 007. They track platform-level security bulletins for cloud infrastructure components and are categorized under `Vendor` alongside traditional PSIRTs.
Mirror bootstrap note:
- `oracle` default VEX bootstrap discovery uses Oracle's public security RSS feed and derived `*csaf.json` documents.
- `cisco` default VEX bootstrap uses Cisco's public CSAF provider metadata and does not require the OAuth credentials used by the Concelier openVuln connector.
- If Cisco's public paged catalog is unavailable, the bootstrap falls back to `changes.csv` and then `index.txt`, prefers newer candidates first, and checkpoints seen or permanently inaccessible legacy paths so hourly runs do not re-download or stall on the full historical corpus.
## Linux Distributions
| Connector | Source ID | Status | Auth | Priority | Regions | Ops Runbook |
| Category | ID | Display name | Default enabled | Requires auth | Built-in runnable | Stored config |
| --- | --- | --- | --- | --- | --- | --- |
| Debian Security Tracker | `debian` | stable | none | 30 | -- | [debian.md](docs/modules/concelier/operations/connectors/debian.md) |
| Ubuntu Security Notices | `ubuntu` | stable | none | 32 | -- | [ubuntu.md](docs/modules/concelier/operations/connectors/ubuntu.md) |
| Alpine SecDB | `alpine` | stable | none | 34 | -- | [alpine.md](docs/modules/concelier/operations/connectors/alpine.md) |
| SUSE Security | `suse` | stable | none | 36 | -- | [suse.md](docs/modules/concelier/operations/connectors/suse.md) |
| RHEL Security | `rhel` | stable | none | 38 | -- | -- |
| CentOS Security | `centos` | stable | none | 40 | -- | -- |
| Fedora Security | `fedora` | stable | none | 42 | -- | -- |
| Arch Security | `arch` | stable | none | 44 | -- | -- |
| Gentoo Security | `gentoo` | stable | none | 46 | -- | -- |
| Astra Linux Security | `astra` | stable | none | 48 | RU, CIS | [astra.md](docs/modules/concelier/operations/connectors/astra.md) |
| Cert | auscert | AusCERT (Australia) | false | false | yes | none |
| Cert | cccs | CCCS (Canada) | true | false | yes | none |
| Cert | cert-at | CERT.at (Austria) | true | false | no | none |
| Cert | cert-be | CERT.be (Belgium) | true | false | no | none |
| Cert | cert-cc | CERT/CC | true | false | yes | none |
| Cert | cert-ch | NCSC-CH (Switzerland) | true | false | no | none |
| Cert | cert-de | CERT-Bund (Germany) | true | false | yes | none |
| Cert | cert-eu | CERT-EU | true | false | no | none |
| Cert | cert-fr | CERT-FR | true | false | yes | none |
| Cert | cert-in | CERT-In (India) | false | false | yes | none |
| Cert | cert-pl | CERT.PL (Poland) | false | false | no | none |
| Cert | cert-ua | CERT-UA (Ukraine) | false | false | no | none |
| Cert | fstec-bdu | FSTEC BDU (Russia) | false | false | yes | none |
| Cert | jpcert | JPCERT/CC (Japan) | true | false | yes | none |
| Cert | krcert | KrCERT/CC (South Korea) | false | false | yes | none |
| Cert | nkcki | NKCKI (Russia) | false | false | yes | none |
| Cert | us-cert | CISA (US-CERT) | true | false | yes | none |
| Container | chainguard | Chainguard Advisories | true | false | no | none |
| Container | docker-official | Docker Official CVEs | true | false | no | none |
| Csaf | csaf | CSAF Aggregator | true | false | no | none |
| Csaf | csaf-tc | CSAF TC Trusted Publishers | true | false | no | none |
| Csaf | vex | VEX Hub | true | false | no | none |
| Distribution | alpine | Alpine Security | true | false | yes | none |
| Distribution | arch | Arch Security | true | false | no | none |
| Distribution | astra | Astra Linux Security | false | false | no | none |
| Distribution | centos | CentOS Security | true | false | no | none |
| Distribution | debian | Debian Security | true | false | yes | none |
| Distribution | fedora | Fedora Security | true | false | no | none |
| Distribution | gentoo | Gentoo Security | true | false | no | none |
| Distribution | rhel | RHEL Security | true | false | no | none |
| Distribution | suse | SUSE Security | true | false | yes | none |
| Distribution | ubuntu | Ubuntu Security | true | false | yes | none |
| Ecosystem | crates | Crates.io Advisories | false | false | no | none |
| Ecosystem | go | Go Advisories | false | false | no | none |
| Ecosystem | hex | Hex.pm Advisories | false | false | no | none |
| Ecosystem | maven | Maven Advisories | false | false | no | none |
| Ecosystem | npm | npm Advisories | false | false | no | none |
| Ecosystem | nuget | NuGet Advisories | false | true | no | none |
| Ecosystem | packagist | Packagist Advisories | false | false | no | none |
| Ecosystem | pypi | PyPI Advisories | false | false | no | none |
| Ecosystem | rubygems | RubyGems Advisories | false | false | no | none |
| Exploit | exploitdb | Exploit-DB | false | false | no | none |
| Exploit | metasploit | Metasploit Modules | false | false | no | none |
| Exploit | poc-github | PoC-in-GitHub | false | true | no | none |
| Hardware | amd | AMD Security | false | false | no | none |
| Hardware | arm | ARM Security Center | false | false | no | none |
| Hardware | intel | Intel PSIRT | false | false | no | none |
| Ics | kaspersky-ics | Kaspersky ICS-CERT | false | false | yes | none |
| Ics | siemens | Siemens ProductCERT | false | false | no | none |
| Mirror | stella-mirror | StellaOps Mirror | false | false | yes | none |
| PackageManager | bundler-audit | Ruby Advisory DB | false | false | no | none |
| PackageManager | govuln | Go Vuln DB | false | false | no | none |
| PackageManager | pypa | PyPA Advisory DB | false | false | no | none |
| PackageManager | rustsec | RustSec Advisory DB | false | false | no | none |
| Primary | cve | CVE.org (MITRE) | true | false | yes | none |
| Primary | ghsa | GitHub Security Advisories | true | true | yes | UI+CLI |
| Primary | nvd | NVD (NIST) | true | false | yes | none |
| Primary | osv | OSV (Google) | true | false | yes | none |
| Threat | epss | EPSS (FIRST) | true | false | yes | none |
| Threat | kev | CISA KEV | true | false | yes | none |
| Threat | mitre-attack | MITRE ATT&CK | false | false | no | none |
| Threat | mitre-d3fend | MITRE D3FEND | false | false | no | none |
| Vendor | adobe | Adobe Security | true | false | yes | UI+CLI |
| Vendor | amazon | Amazon Linux Security | true | false | no | none |
| Vendor | apple | Apple Security | true | false | yes | none |
| Vendor | aws | AWS Security Bulletins | true | false | no | none |
| Vendor | azure | Azure Security Advisories | true | false | no | none |
| Vendor | chromium | Chromium Security | true | false | yes | UI+CLI |
| Vendor | cisco | Cisco Security | true | true | yes | UI+CLI |
| Vendor | fortinet | Fortinet PSIRT | true | false | no | none |
| Vendor | gcp | GCP Security Bulletins | true | false | no | none |
| Vendor | google | Google Security | true | false | no | none |
| Vendor | juniper | Juniper Security | true | false | no | none |
| Vendor | microsoft | Microsoft Security | true | true | yes | UI+CLI |
| Vendor | oracle | Oracle Security | true | false | yes | UI+CLI |
| Vendor | paloalto | Palo Alto Security | true | false | no | none |
| Vendor | redhat | Red Hat Security | true | false | yes | none |
| Vendor | vmware | VMware Security | true | false | yes | none |
Mirror bootstrap note:
- `ubuntu` default VEX bootstrap reads `https://ubuntu.com/security/notices.json` and synthesizes deterministic CSAF documents from the per-notice JSON payloads because Canonical's public path is notice JSON rather than native CSAF.
## Stored advisory configuration coverage
## Language Ecosystems
The current stored configuration schema covers these advisory sources:
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
| --- | --- | --- | --- | --- | --- |
| npm Advisories | `npm` | stable | none | 50 | -- |
| PyPI Advisories | `pypi` | stable | none | 52 | -- |
| Go Advisories | `go` | stable | none | 54 | -- |
| RubyGems Advisories | `rubygems` | stable | none | 56 | -- |
| NuGet Advisories | `nuget` | stable | api-token | 58 | -- |
| Maven Advisories | `maven` | stable | none | 60 | -- |
| Crates.io Advisories | `crates` | stable | none | 62 | -- |
| Packagist Advisories | `packagist` | stable | none | 64 | -- |
| Hex.pm Advisories | `hex` | stable | none | 66 | -- |
- `ghsa`: GitHub API token
- `cisco`: OAuth client ID and client secret
- `microsoft`: tenant ID, client ID, and client secret
- `oracle`: calendar and advisory URI overrides
- `adobe`: bulletin index URI overrides
- `chromium`: feed URI override
Ecosystem connectors use OSV or GHSA GraphQL as the underlying data source. NuGet requires a `GITHUB_PAT` for GHSA GraphQL access.
Everything else in the advisory catalog is either:
## Package Manager Native Advisories
- public and currently fieldless on the advisory side, or
- cataloged but not wired into the built-in runnable WebService job surface yet
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
| --- | --- | --- | --- | --- | --- |
| RustSec Advisory DB (cargo-audit) | `rustsec` | stable | none | 63 | -- |
| PyPA Advisory DB (pip-audit) | `pypa` | stable | none | 53 | -- |
| Go Vuln DB (govulncheck) | `govuln` | stable | none | 55 | -- |
| Ruby Advisory DB (bundler-audit) | `bundler-audit` | stable | none | 57 | -- |
## Verification state for this inventory
Package manager native advisory databases provide language-specific vulnerability data curated by the respective package manager maintainers. These complement the ecosystem feeds (OSV/GHSA) by providing authoritative tool-native data used by `cargo-audit`, `pip-audit`, `govulncheck`, and `bundler-audit`. They are categorized separately under `PackageManager` to allow targeted mirror export filtering.
Control-plane evidence reverified in Sprint `20260422_004`:
## CSAF/VEX Sources
- Advisory source catalog and status API coverage confirms built-in runnable vs catalog-only behavior for representative connectors including `nvd`, `osv`, `cccs`, `cert-cc`, `krcert`, `microsoft`, `ghsa`, `cisco`, `oracle`, `adobe`, `chromium`, and catalog-only `npm`
- Advisory stored configuration persistence is covered for `ghsa`, `adobe`, and `chromium`
- Excititor provider management endpoints are covered by targeted backend tests and linked UI/CLI work is documented in `docs/modules/excititor/operations/provider-control-plane.md`
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
| --- | --- | --- | --- | --- | --- |
| CSAF Aggregator | `csaf` | stable | none | 70 | -- |
| CSAF TC Trusted Publishers | `csaf-tc` | stable | none | 72 | -- |
| VEX Hub | `vex` | stable | none | 74 | -- |
## Exploit Databases
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
| --- | --- | --- | --- | --- | --- |
| Exploit-DB | `exploitdb` | stable | none | 110 | -- |
| PoC-in-GitHub | `poc-github` | stable | api-token | 112 | -- |
| Metasploit Modules | `metasploit` | stable | none | 114 | -- |
Exploit databases track publicly available proof-of-concept code and exploit modules. Exploit-DB is sourced from the Offensive Security GitLab mirror. PoC-in-GitHub uses the GitHub search API to discover repositories containing vulnerability PoCs (requires `GITHUB_PAT`). Metasploit tracks Rapid7 Metasploit Framework module metadata for CVE-to-exploit correlation.
## Container Sources
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
| --- | --- | --- | --- | --- | --- |
| Docker Official CVEs | `docker-official` | stable | none | 120 | -- |
| Chainguard Advisories | `chainguard` | stable | none | 122 | -- |
Container-specific advisory sources track vulnerabilities in base images and hardened container distributions. Docker Official CVEs covers the Docker Hub official images program. Chainguard Advisories covers hardened distroless and Wolfi-based images.
## Hardware/Firmware
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
| --- | --- | --- | --- | --- | --- |
| Intel PSIRT | `intel` | stable | none | 130 | -- |
| AMD Security | `amd` | stable | none | 132 | -- |
| ARM Security Center | `arm` | stable | none | 134 | -- |
Hardware PSIRT advisories cover CPU microcode, firmware, and silicon-level vulnerabilities from the three major processor vendors. These sources are especially relevant for infrastructure operators tracking speculative execution (Spectre/Meltdown class) and firmware supply chain issues.
## ICS/SCADA
| Connector | Source ID | Status | Auth | Priority | Regions | Ops Runbook |
| --- | --- | --- | --- | --- | --- | --- |
| Siemens ProductCERT | `siemens` | stable | none | 136 | -- | -- |
| Kaspersky ICS-CERT | `kaspersky-ics` | stable | none | 102 | RU, CIS, GLOBAL | [kaspersky-ics.md](docs/modules/concelier/operations/connectors/kaspersky-ics.md) |
Industrial control systems advisories cover SCADA and operational technology vulnerabilities. Siemens ProductCERT publishes CSAF-format advisories. Kaspersky ICS-CERT was promoted from beta to stable in Sprint 007 after endpoint stability verification.
## National CERTs
| Connector | Source ID | Status | Auth | Priority | Regions | Ops Runbook |
| --- | --- | --- | --- | --- | --- | --- |
| CERT-FR | `cert-fr` | stable | none | 80 | FR, EU | [cert-fr.md](docs/modules/concelier/operations/connectors/cert-fr.md) |
| CERT-Bund (Germany) | `cert-de` | stable | none | 82 | DE, EU | [certbund.md](docs/modules/concelier/operations/connectors/certbund.md) |
| CERT.at (Austria) | `cert-at` | stable | none | 84 | AT, EU | -- |
| CERT.be (Belgium) | `cert-be` | stable | none | 86 | BE, EU | -- |
| NCSC-CH (Switzerland) | `cert-ch` | stable | none | 88 | CH | -- |
| CERT-EU | `cert-eu` | stable | none | 90 | EU | -- |
| CCCS (Canada) | `cccs` | stable | none | 91 | CA, NA | [cccs.md](docs/modules/concelier/operations/connectors/cccs.md) |
| JPCERT/CC (Japan) | `jpcert` | stable | none | 92 | JP, APAC | [jvn.md](docs/modules/concelier/operations/connectors/jvn.md) |
| CERT/CC | `cert-cc` | stable | none | 93 | US, NA | [cert-cc.md](docs/modules/concelier/operations/connectors/cert-cc.md) |
| CISA (US-CERT) | `us-cert` | stable | none | 94 | US, NA | [ics-cisa.md](docs/modules/concelier/operations/connectors/ics-cisa.md) |
| CERT-UA (Ukraine) | `cert-ua` | stable | none | 95 | UA | -- |
| CERT.PL (Poland) | `cert-pl` | stable | none | 96 | PL, EU | -- |
| AusCERT (Australia) | `auscert` | stable | none | 97 | AU, APAC | -- |
| KrCERT/CC (South Korea) | `krcert` | stable | none | 98 | KR, APAC | [kisa.md](docs/modules/concelier/operations/connectors/kisa.md) |
| CERT-In (India) | `cert-in` | stable | none | 99 | IN, APAC | [cert-in.md](docs/modules/concelier/operations/connectors/cert-in.md) |
Seven additional CERTs beyond the original European/Japanese set are now defined in the catalog: CCCS (Canada), CERT/CC, CERT-UA, CERT.PL, AusCERT, KrCERT/CC, and CERT-In, extending coverage to North America, Eastern Europe, Oceania, and South/East Asia.
## Russian/CIS Sources
| Connector | Source ID | Status | Auth | Priority | Regions | Ops Runbook |
| --- | --- | --- | --- | --- | --- | --- |
| FSTEC BDU | `fstec-bdu` | stable | none | 100 | RU, CIS | [fstec-bdu.md](docs/modules/concelier/operations/connectors/fstec-bdu.md) |
| NKCKI | `nkcki` | stable | none | 101 | RU, CIS | [nkcki.md](docs/modules/concelier/operations/connectors/nkcki.md) |
FSTEC BDU and NKCKI were promoted from beta to stable in Sprint 007. FSTEC BDU (Bank of Security Threats) provides vulnerability data maintained by Russia's Federal Service for Technical and Export Control. NKCKI is the National Coordination Center for Computer Incidents. Kaspersky ICS-CERT and Astra Linux are listed in their respective category sections above.
## StellaOps Mirror
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
| --- | --- | --- | --- | --- | --- |
| StellaOps Mirror | `stella-mirror` | stable | none (configurable) | 1 | -- |
The StellaOps Mirror connector consumes pre-aggregated advisory data from a StellaOps mirror instance. When using mirror mode, this source takes highest priority (1) and replaces direct upstream connections. See `docs/modules/excititor/mirrors.md` for mirror configuration details.
---
**Reason Codes Reference:** [docs/modules/concelier/operations/connectors/reason-codes.md](docs/modules/concelier/operations/connectors/reason-codes.md)
This page does not claim that all 78 advisory connectors were end-to-end re-ingested in this sprint. It records catalog truth, built-in host wiring, stored configuration coverage, and the specific control-plane verification completed during this implementation slice.
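Review bot: the rewrite drops the blocked-state endpoint contract (the `422 Unprocessable Entity` / `source_config_required` response on `POST .../{sourceId}/sync`, the `outcome: "blocked"` rows excluded from `totalTriggered` in the batch sync, the `/check` behaviour that keeps the persisted `enabled` value) together with the UI/CLI guidance not to alert on `blocked`, but the new "Related docs" list only points at `source-credentials.md`, the runbooks directory and the Excititor guide; either keep that material under "## Readiness model" or say which document now carries it, since the short `blocked` bullet under "Interpretation:" is otherwise the only description operators have of the short-circuit semantics. Two smaller points: the "Canonical runtime note" cites `src/Concelier/StellaOps.Excititor.WebService/Services/VexProviderManagementService.cs`, and an Excititor WebService under `src/Concelier/` reads like a copy-paste path, please confirm it; and `nuget` and `poc-github` are listed with `Requires auth = true` but `Stored config = none`, while the removed sentences that named `GITHUB_PAT` as their credential are gone, so the table now says a credential is required without saying where it is supplied. Finally, the per-row `Ops Runbook` links and the `Reason Codes Reference` link disappear with the old per-category tables; at minimum the reason-codes link should survive in "Related docs".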