Refactor code structure for improved readability and maintainability; optimize performance in key functions.

This commit is contained in:
master
2025-12-22 19:06:31 +02:00
parent dfaa2079aa
commit 4602ccc3a3
1444 changed files with 109919 additions and 8058 deletions


@@ -20,6 +20,8 @@ tags:
description: Runtime evidence collection
- name: Reachability
description: Reachability analysis and queries
- name: Slices
description: Reachability slice query and replay
- name: Exports
description: Report exports
- name: ProofSpines
@@ -271,6 +273,98 @@ paths:
'404':
description: CVE/component combination not found
# ─────────────────────────────────────────────────────────────────────────────
# Slice Query & Replay APIs (Sprint 3820)
# ─────────────────────────────────────────────────────────────────────────────
/slices/query:
post:
tags: [Slices]
operationId: querySlice
summary: Query reachability and generate slice
description: |
Generate a reachability slice on demand for a given CVE or set of symbols.
Returns an attested slice with verdict and confidence.
Large slices may return 202 Accepted with a job ID for async retrieval.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/SliceQueryRequest'
responses:
'200':
description: Slice generated successfully
content:
application/json:
schema:
$ref: '#/components/schemas/SliceQueryResponse'
'202':
description: Slice generation queued (large slice)
content:
application/json:
schema:
$ref: '#/components/schemas/SliceQueryResponse'
'400':
$ref: '#/components/responses/BadRequest'
'404':
description: Scan not found
/slices/{digest}:
get:
tags: [Slices]
operationId: getSlice
summary: Retrieve attested slice by digest
description: |
Retrieve a previously generated reachability slice by its content digest.
Supports both JSON slice format and DSSE envelope format via Accept header.
parameters:
- name: digest
in: path
required: true
description: Content-addressed digest of the slice (sha256:...)
schema:
type: string
example: "sha256:abc123def456..."
responses:
'200':
description: Slice retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/ReachabilitySlice'
application/dsse+json:
schema:
$ref: '#/components/schemas/DsseEnvelope'
'404':
description: Slice not found
/slices/replay:
post:
tags: [Slices]
operationId: replaySlice
summary: Verify slice reproducibility
description: |
Recompute a slice from its original inputs and verify byte-for-byte match.
Returns diff details if the recomputed slice differs from the original.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/SliceReplayRequest'
responses:
'200':
description: Replay verification result
content:
application/json:
schema:
$ref: '#/components/schemas/SliceReplayResponse'
'400':
$ref: '#/components/responses/BadRequest'
'404':
description: Slice not found
/scans/{scanId}/exports/sarif:
get:
tags: [Exports]
@@ -1460,6 +1554,15 @@ components:
status:
type: string
enum: [pending, escalated, suppressed, resolved]
reasonCode:
type: string
description: Canonical reason code for unknown classification
reasonCodeShort:
type: string
description: Short reason code (e.g., U-RCH, U-ID)
remediationHint:
type: string
description: Short remediation guidance
priority:
type: integer
description: Priority score (vulnerability × impact, 0-25)
@@ -1484,6 +1587,25 @@ components:
status:
type: string
enum: [pending, escalated, suppressed, resolved]
reasonCode:
type: string
description: Canonical reason code for unknown classification
reasonCodeShort:
type: string
description: Short reason code (e.g., U-RCH, U-ID)
remediationHint:
type: string
description: Short remediation guidance
detailedHint:
type: string
description: Detailed remediation guidance
automationCommand:
type: string
description: CLI or automation command to address this unknown
evidenceRefs:
type: array
items:
$ref: '#/components/schemas/UnknownEvidenceRef'
scoring:
$ref: '#/components/schemas/UnknownScoring'
metadata:
@@ -1577,6 +1699,19 @@ components:
type: string
format: date-time
UnknownEvidenceRef:
type: object
properties:
type:
type: string
description: Evidence category (e.g., reachability, vex, sbom, feed)
uri:
type: string
description: Reference to the evidence asset
digest:
type: string
description: Content hash for the evidence asset
UnknownHistoryEntry:
type: object
properties:
@@ -1758,3 +1893,307 @@ components:
type: string
newStatus:
type: string
# ─────────────────────────────────────────────────────────────────────────────
# Slice Query & Replay Schemas (Sprint 3820)
# ─────────────────────────────────────────────────────────────────────────────
SliceQueryRequest:
type: object
required: [scanId]
properties:
scanId:
type: string
description: Scan ID to query against
cveId:
type: string
description: CVE ID to check reachability for
example: "CVE-2024-1234"
symbols:
type: array
items:
type: string
description: Target symbols to check reachability for
entrypoints:
type: array
items:
type: string
description: Entrypoint symbols to start reachability analysis from
policyHash:
type: string
description: Optional policy hash to include in the slice
SliceQueryResponse:
type: object
required: [sliceDigest, verdict, confidence, cacheHit]
properties:
sliceDigest:
type: string
description: Content-addressed digest of the generated slice
example: "sha256:abc123def456..."
verdict:
type: string
enum: [reachable, unreachable, unknown, gated, observed_reachable]
description: Reachability verdict
confidence:
type: number
format: double
minimum: 0
maximum: 1
description: Confidence score [0.0, 1.0]
pathWitnesses:
type: array
items:
type: string
description: Example paths demonstrating reachability
cacheHit:
type: boolean
description: Whether result was served from cache
jobId:
type: string
description: Job ID for async generation (large slices)
SliceReplayRequest:
type: object
required: [sliceDigest]
properties:
sliceDigest:
type: string
description: Digest of the slice to replay
SliceReplayResponse:
type: object
required: [match, originalDigest, recomputedDigest]
properties:
match:
type: boolean
description: Whether the recomputed slice matches the original
originalDigest:
type: string
description: Digest of the original slice
recomputedDigest:
type: string
description: Digest of the recomputed slice
diff:
$ref: '#/components/schemas/SliceDiff'
SliceDiff:
type: object
description: Detailed diff between original and recomputed slices
properties:
missingNodes:
type: array
items:
type: string
description: Nodes present in original but missing in recomputed
extraNodes:
type: array
items:
type: string
description: Nodes present in recomputed but missing in original
missingEdges:
type: array
items:
type: string
description: Edges present in original but missing in recomputed
extraEdges:
type: array
items:
type: string
description: Edges present in recomputed but missing in original
verdictDiff:
type: string
description: Description of verdict change if any
ReachabilitySlice:
type: object
required: [_type, inputs, query, subgraph, verdict, manifest]
properties:
_type:
type: string
const: "https://stellaops.io/attestation/slice/v1"
inputs:
$ref: '#/components/schemas/SliceInputs'
query:
$ref: '#/components/schemas/SliceQuery'
subgraph:
$ref: '#/components/schemas/SliceSubgraph'
verdict:
$ref: '#/components/schemas/SliceVerdict'
manifest:
type: object
description: Scan manifest
SliceInputs:
type: object
required: [graphDigest]
properties:
graphDigest:
type: string
binaryDigests:
type: array
items:
type: string
sbomDigest:
type: string
layerDigests:
type: array
items:
type: string
SliceQuery:
type: object
properties:
cveId:
type: string
targetSymbols:
type: array
items:
type: string
entrypoints:
type: array
items:
type: string
policyHash:
type: string
SliceSubgraph:
type: object
properties:
nodes:
type: array
items:
$ref: '#/components/schemas/SliceNode'
edges:
type: array
items:
$ref: '#/components/schemas/SliceEdge'
SliceNode:
type: object
required: [id, symbol, kind]
properties:
id:
type: string
symbol:
type: string
kind:
type: string
enum: [entrypoint, intermediate, target, unknown]
file:
type: string
line:
type: integer
purl:
type: string
attributes:
type: object
additionalProperties:
type: string
SliceEdge:
type: object
required: [from, to]
properties:
from:
type: string
to:
type: string
kind:
type: string
enum: [direct, plt, iat, dynamic, unknown]
default: direct
confidence:
type: number
format: double
evidence:
type: string
gate:
$ref: '#/components/schemas/SliceGateInfo'
observed:
$ref: '#/components/schemas/ObservedEdgeMetadata'
SliceGateInfo:
type: object
required: [type, condition, satisfied]
properties:
type:
type: string
enum: [feature_flag, auth, config, admin_only]
condition:
type: string
satisfied:
type: boolean
ObservedEdgeMetadata:
type: object
required: [firstObserved, lastObserved, observationCount]
properties:
firstObserved:
type: string
format: date-time
lastObserved:
type: string
format: date-time
observationCount:
type: integer
traceDigest:
type: string
SliceVerdict:
type: object
required: [status, confidence]
properties:
status:
type: string
enum: [reachable, unreachable, unknown, gated, observed_reachable]
confidence:
type: number
format: double
reasons:
type: array
items:
type: string
pathWitnesses:
type: array
items:
type: string
unknownCount:
type: integer
gatedPaths:
type: array
items:
$ref: '#/components/schemas/GatedPath'
GatedPath:
type: object
required: [pathId, gateType, gateCondition, gateSatisfied]
properties:
pathId:
type: string
gateType:
type: string
gateCondition:
type: string
gateSatisfied:
type: boolean
DsseEnvelope:
type: object
description: DSSE envelope wrapping an attested slice
required: [payloadType, payload, signatures]
properties:
payloadType:
type: string
example: "application/vnd.in-toto+json"
payload:
type: string
description: Base64-encoded payload
signatures:
type: array
items:
type: object
properties:
keyid:
type: string
sig:
type: string