Refactor code structure for improved readability and maintainability; optimize performance in key functions.

This commit is contained in:
master
2025-12-22 19:06:31 +02:00
parent dfaa2079aa
commit 4602ccc3a3
1444 changed files with 109919 additions and 8058 deletions


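--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,80 @@
+{
+"$schema": "https://json-schema.org/draft/2020-12/schema",
+"$id": "https://stella.ops/predicates/boundary@v1",
+"title": "StellaOps Boundary Attestation Predicate",
+"description": "Predicate for attack surface boundary detection.",
+"type": "object",
+"required": ["surface", "exposure", "observedAt"],
+"properties": {
+"surface": {
+"type": "string",
+"enum": ["http", "grpc", "tcp", "udp", "mqtt", "kafka", "cli", "internal"],
+"description": "Type of attack surface."
+},
+"exposure": {
+"type": "string",
+"enum": ["public", "private", "internal", "localhost"],
+"description": "Exposure level of the surface."
+},
+"observedAt": {
+"type": "string",
+"format": "date-time",
+"description": "When the boundary was observed."
+},
+"endpoints": {
+"type": "array",
+"items": {
+"$ref": "#/$defs/endpoint"
+},
+"description": "Detected endpoints on this surface."
+},
+"auth": {
+"type": "object",
+"properties": {
+"mechanism": {
+"type": "string",
+"enum": ["none", "apikey", "jwt", "oauth2", "mtls", "basic"],
+"description": "Authentication mechanism."
+},
+"required_scopes": {
+"type": "array",
+"items": { "type": "string" },
+"description": "Required authorization scopes."
+}
+},
+"description": "Authentication configuration."
+},
+"controls": {
+"type": "array",
+"items": { "type": "string" },
+"description": "Security controls in place (e.g., rate-limit, WAF)."
+},
+"expiresAt": {
+"type": "string",
+"format": "date-time",
+"description": "When this boundary observation expires (TTL: 72h)."
+}
+},
+"$defs": {
+"endpoint": {
+"type": "object",
+"required": ["route", "method"],
+"properties": {
+"route": {
+"type": "string",
+"description": "Route pattern (e.g., /api/users/:id)."
+},
+"method": {
+"type": "string",
+"enum": ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"],
+"description": "HTTP method."
+},
+"auth": {
+"type": "string",
+"description": "Authentication requirement for this endpoint."
+}
+}
+}
+},
+"additionalProperties": false
+}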
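Review bot: `$defs/endpoint` requires `method` with an HTTP-only enum (GET … HEAD), yet `surface` admits grpc, tcp, udp, mqtt, kafka, cli and internal, so a conforming `endpoints` list can only be produced for HTTP surfaces and every other surface must either omit `endpoints` or record a meaningless HTTP verb. Either drop `method` from the endpoint's required list, `"required": ["route"]`, or gate it at the root with an `if`/`then` on `surface`. The nested `auth` object and `$defs/endpoint` are also left open while the root has `"additionalProperties": false`, so a misspelled key such as `required_scope` validates and the scope requirement is silently lost; adding `"additionalProperties": false` to both closes that gap. `required_scopes` is the one snake_case key in an otherwise camelCase document (`observedAt`, `expiresAt`).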


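--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,110 @@
+{
+"$schema": "https://json-schema.org/draft/2020-12/schema",
+"$id": "https://stella.ops/predicates/human-approval@v1",
+"title": "StellaOps Human Approval Attestation Predicate",
+"description": "Predicate for human approval decision attestations.",
+"type": "object",
+"required": ["schema", "approval_id", "finding_id", "decision", "approver", "justification", "approved_at"],
+"properties": {
+"schema": {
+"type": "string",
+"const": "human-approval-v1",
+"description": "Schema version identifier."
+},
+"approval_id": {
+"type": "string",
+"description": "Unique approval identifier."
+},
+"finding_id": {
+"type": "string",
+"description": "The finding ID (e.g., CVE identifier)."
+},
+"decision": {
+"type": "string",
+"enum": ["AcceptRisk", "Defer", "Reject", "Suppress", "Escalate"],
+"description": "The approval decision."
+},
+"approver": {
+"type": "object",
+"required": ["user_id"],
+"properties": {
+"user_id": {
+"type": "string",
+"description": "The approver's user identifier (e.g., email)."
+},
+"display_name": {
+"type": "string",
+"description": "The approver's display name."
+},
+"role": {
+"type": "string",
+"description": "The approver's role in the organization."
+},
+"delegated_from": {
+"type": "string",
+"description": "Optional delegation chain."
+}
+}
+},
+"justification": {
+"type": "string",
+"minLength": 1,
+"description": "Justification for the decision."
+},
+"approved_at": {
+"type": "string",
+"format": "date-time",
+"description": "When the approval was made."
+},
+"expires_at": {
+"type": "string",
+"format": "date-time",
+"description": "When the approval expires (default TTL: 30 days)."
+},
+"policy_decision_ref": {
+"type": "string",
+"pattern": "^sha256:[a-f0-9]{64}$",
+"description": "Reference to the policy decision this approval is for."
+},
+"restrictions": {
+"type": "object",
+"properties": {
+"environments": {
+"type": "array",
+"items": { "type": "string" },
+"description": "Environments where the approval applies."
+},
+"max_instances": {
+"type": "integer",
+"minimum": 1,
+"description": "Maximum number of affected instances."
+},
+"namespaces": {
+"type": "array",
+"items": { "type": "string" },
+"description": "Namespaces where the approval applies."
+},
+"artifacts": {
+"type": "array",
+"items": { "type": "string" },
+"description": "Specific images/artifacts the approval applies to."
+},
+"conditions": {
+"type": "object",
+"additionalProperties": { "type": "string" },
+"description": "Custom conditions that must be met."
+}
+}
+},
+"supersedes": {
+"type": "string",
+"description": "Optional prior approval being superseded."
+},
+"metadata": {
+"type": "object",
+"additionalProperties": { "type": "string" },
+"description": "Optional metadata."
+}
+},
+"additionalProperties": false
+}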
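Review bot: `restrictions` and `approver` are open objects while the document root is closed with `"additionalProperties": false`, so an approval carrying a misspelled restriction key (say `namespace` for `namespaces`) validates and the intended restriction is simply never applied downstream; add `"additionalProperties": false` to both. `expires_at` is optional and the 30-day default exists only in its description, so whether an approval without it ever lapses depends on every consumer applying that default — if an indefinite approval is not intended, move `expires_at` into `required`. `approval_id` and `finding_id` are unconstrained strings; `"minLength": 1` on each matches what `justification` already enforces. `delegated_from` is described as a delegation chain but typed as a single string; if more than one hop is possible, an array of strings would represent it without ambiguity.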


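--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,94 @@
+{
+"$schema": "https://json-schema.org/draft/2020-12/schema",
+"$id": "https://stella.ops/predicates/policy-decision@v1",
+"title": "StellaOps Policy Decision Attestation Predicate",
+"description": "Predicate for policy evaluation decision attestations.",
+"type": "object",
+"required": ["finding_id", "cve", "component_purl", "decision", "reasoning", "evidence_refs", "evaluated_at", "policy_version"],
+"properties": {
+"finding_id": {
+"type": "string",
+"description": "The finding ID (CVE@PURL format)."
+},
+"cve": {
+"type": "string",
+"description": "The CVE identifier."
+},
+"component_purl": {
+"type": "string",
+"description": "The component Package URL."
+},
+"decision": {
+"type": "string",
+"enum": ["Allow", "Review", "Block", "Suppress", "Escalate"],
+"description": "The policy decision result."
+},
+"reasoning": {
+"type": "object",
+"required": ["rules_evaluated", "rules_matched", "final_score", "risk_multiplier"],
+"properties": {
+"rules_evaluated": {
+"type": "integer",
+"minimum": 0,
+"description": "Number of policy rules evaluated."
+},
+"rules_matched": {
+"type": "array",
+"items": { "type": "string" },
+"description": "Names of policy rules that matched."
+},
+"final_score": {
+"type": "number",
+"minimum": 0,
+"maximum": 100,
+"description": "Final computed risk score (0-100)."
+},
+"risk_multiplier": {
+"type": "number",
+"minimum": 0,
+"description": "Risk multiplier applied (1.0 = no change)."
+},
+"reachability_state": {
+"type": "string",
+"description": "Reachability state used in decision."
+},
+"vex_status": {
+"type": "string",
+"description": "VEX status used in decision."
+},
+"summary": {
+"type": "string",
+"description": "Human-readable summary of decision rationale."
+}
+}
+},
+"evidence_refs": {
+"type": "array",
+"items": {
+"type": "string",
+"pattern": "^sha256:[a-f0-9]{64}$"
+},
+"description": "References to evidence artifacts used in the decision."
+},
+"evaluated_at": {
+"type": "string",
+"format": "date-time",
+"description": "When the decision was evaluated (UTC ISO 8601)."
+},
+"expires_at": {
+"type": "string",
+"format": "date-time",
+"description": "When the decision expires (UTC ISO 8601)."
+},
+"policy_version": {
+"type": "string",
+"description": "Version of the policy used for evaluation."
+},
+"policy_hash": {
+"type": "string",
+"pattern": "^sha256:[a-f0-9]{64}$",
+"description": "Hash of the policy configuration used."
+}
+},
+"additionalProperties": false
+}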
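Review bot: `reasoning.reachability_state` and `reasoning.vex_status` are free strings, although the sibling predicates in this commit fix those vocabularies (`reachable`/`unreachable`/`unknown` in reachability@v1 and `affected`/`not_affected`/`under_investigation`/`fixed` in vex@v1), so a decision record can cite an input state that no producer in the same set emits and consumers comparing the two attestations have no common ground to check against; `"enum": ["reachable", "unreachable", "unknown"]` and `"enum": ["affected", "not_affected", "under_investigation", "fixed"]` keep them aligned. `reasoning` is left open while the root is closed, so unknown keys inside the rationale pass validation. `finding_id` is described as CVE@PURL but carries no `pattern`, and `policy_hash` — the value that actually pins which policy produced the decision — is optional while `policy_version` is required; if reproducibility of a decision is a goal, `policy_hash` belongs in `required` too.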


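--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,81 @@
+{
+"$schema": "https://json-schema.org/draft/2020-12/schema",
+"$id": "https://stella.ops/predicates/reachability@v1",
+"title": "StellaOps Reachability Attestation Predicate",
+"description": "Predicate for reachability analysis results.",
+"type": "object",
+"required": ["result", "confidence", "graphDigest"],
+"properties": {
+"result": {
+"type": "string",
+"enum": ["reachable", "unreachable", "unknown"],
+"description": "Reachability analysis result."
+},
+"confidence": {
+"type": "number",
+"minimum": 0,
+"maximum": 1,
+"description": "Confidence score (0-1)."
+},
+"graphDigest": {
+"type": "string",
+"pattern": "^sha256:[a-f0-9]{64}$",
+"description": "Digest of the call graph used."
+},
+"paths": {
+"type": "array",
+"items": {
+"$ref": "#/$defs/reachabilityPath"
+},
+"description": "Paths from entrypoints to vulnerable code."
+},
+"entrypoints": {
+"type": "array",
+"items": { "$ref": "#/$defs/entrypoint" },
+"description": "Entrypoints considered."
+},
+"computedAt": {
+"type": "string",
+"format": "date-time"
+},
+"expiresAt": {
+"type": "string",
+"format": "date-time"
+}
+},
+"$defs": {
+"reachabilityPath": {
+"type": "object",
+"required": ["pathId", "steps"],
+"properties": {
+"pathId": { "type": "string" },
+"steps": {
+"type": "array",
+"items": {
+"type": "object",
+"properties": {
+"node": { "type": "string" },
+"fileHash": { "type": "string" },
+"lines": {
+"type": "array",
+"items": { "type": "integer" },
+"minItems": 2,
+"maxItems": 2
+}
+}
+}
+}
+}
+},
+"entrypoint": {
+"type": "object",
+"required": ["type"],
+"properties": {
+"type": { "type": "string" },
+"route": { "type": "string" },
+"auth": { "type": "string" }
+}
+}
+},
+"additionalProperties": false
+}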
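Review bot: `fileHash` inside `$defs/reachabilityPath` steps is an unconstrained string, while every other digest in this commit (`graphDigest` here, `digest`, `policy_hash` and `evidence_refs` in the sibling predicates) is pinned with `"pattern": "^sha256:[a-f0-9]{64}$"`; a path step is the evidence that ties a finding to specific code, so the same pattern belongs on it. The step object has no `required` list, so `{}` is a valid step and a `paths` entry can be non-empty yet carry no `node` at all — `"required": ["node"]` on the step would fix that, and `"minimum": 1` on the `lines` items would rule out non-positive line numbers. `computedAt` and `expiresAt` are the only date-time properties in the set without a `description`; something like `"description": "When the reachability analysis was computed."` and `"description": "When this reachability result expires."` keeps the file self-describing. None of the `$defs` objects is closed, unlike the root.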


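--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,40 @@
+{
+"$schema": "https://json-schema.org/draft/2020-12/schema",
+"$id": "https://stella.ops/predicates/sbom@v1",
+"title": "StellaOps SBOM Attestation Predicate",
+"description": "Predicate for SBOM attestations linking software bill of materials to artifacts.",
+"type": "object",
+"required": ["format", "digest", "componentCount"],
+"properties": {
+"format": {
+"type": "string",
+"enum": ["cyclonedx-1.6", "spdx-3.0.1", "spdx-2.3"],
+"description": "SBOM format specification."
+},
+"digest": {
+"type": "string",
+"pattern": "^sha256:[a-f0-9]{64}$",
+"description": "Content-addressed digest of the SBOM document."
+},
+"componentCount": {
+"type": "integer",
+"minimum": 0,
+"description": "Number of components in the SBOM."
+},
+"uri": {
+"type": "string",
+"format": "uri",
+"description": "URI where the full SBOM can be retrieved."
+},
+"tooling": {
+"type": "string",
+"description": "Tool used to generate the SBOM."
+},
+"createdAt": {
+"type": "string",
+"format": "date-time",
+"description": "When the SBOM was generated."
+}
+},
+"additionalProperties": false
+}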
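Review bot: `uri` points at the full SBOM but nothing in the schema ties what is fetched from it back to `digest`, and in draft 2020-12 `format` (`uri` here, `date-time` in every file of this set) is an annotation unless the validator enables format assertion, so neither field is checked by default. Spell the binding out where the consumer will read it, `"description": "URI where the full SBOM can be retrieved; the retrieved document must hash to digest."`, and document in the commit that format assertion is expected to be switched on in the validator. `tooling` as a single free string folds tool name and version together; an object with separate name and version fields would be easier to match against an allowlist, though that may be beyond the scope of v1.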


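--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,64 @@
+{
+"$schema": "https://json-schema.org/draft/2020-12/schema",
+"$id": "https://stella.ops/predicates/vex@v1",
+"title": "StellaOps VEX Attestation Predicate",
+"description": "Predicate for VEX statements embedded in attestations.",
+"type": "object",
+"required": ["format", "statements"],
+"properties": {
+"format": {
+"type": "string",
+"enum": ["openvex", "csaf-vex", "cyclonedx-vex"],
+"description": "VEX format specification."
+},
+"statements": {
+"type": "array",
+"items": {
+"$ref": "#/$defs/vexStatement"
+},
+"minItems": 1,
+"description": "VEX statements in this attestation."
+},
+"digest": {
+"type": "string",
+"pattern": "^sha256:[a-f0-9]{64}$",
+"description": "Content-addressed digest of the VEX document."
+},
+"author": {
+"type": "string",
+"description": "Author of the VEX statements."
+},
+"timestamp": {
+"type": "string",
+"format": "date-time",
+"description": "When the VEX was issued."
+}
+},
+"$defs": {
+"vexStatement": {
+"type": "object",
+"required": ["vulnerability", "status"],
+"properties": {
+"vulnerability": {
+"type": "string",
+"description": "CVE or vulnerability identifier."
+},
+"status": {
+"type": "string",
+"enum": ["affected", "not_affected", "under_investigation", "fixed"],
+"description": "VEX status."
+},
+"justification": {
+"type": "string",
+"description": "Justification for not_affected status."
+},
+"products": {
+"type": "array",
+"items": { "type": "string" },
+"description": "Affected products (PURLs)."
+}
+}
+}
+},
+"additionalProperties": false
+}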
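Review bot: `justification` is documented as belonging to the `not_affected` status, but the schema never requires it there, so a `not_affected` statement with no justification validates and can suppress a finding without a stated reason; draft 2020-12 expresses the rule directly on `vexStatement` with `"if": { "properties": { "status": { "const": "not_affected" } } },` followed by `"then": { "required": ["justification"] },`. `vexStatement` is also left open while the root is closed, so extra keys in a statement are accepted silently. `author` and `timestamp` are optional; if attribution and issue time for a `not_affected` claim are expected to come from this predicate rather than from the signing envelope, they should be in `required`.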