feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports

- Introduced a new VEX compact fixture for testing purposes. - Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests. - Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations. - Documented tasks related to the Mirror Creator. - Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs. - Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases. - Added tests for symbol ID normalization in the reachability scanner. - Enhanced console status service with comprehensive unit tests for connection handling and error recovery. - Included Cosign tool version 2.6.0 with checksums for various platforms.
2025-12-02 21:08:01 +02:00
parent 6d049905c7
commit 47168fec38
146 changed files with 4329 additions and 549 deletions
--- a/docs/modules/concelier/schemas/samples/offline-advisory-bundle.sample.json
+++ b/docs/modules/concelier/schemas/samples/offline-advisory-bundle.sample.json
@@ -0,0 +1,55 @@
+{
+  "$schema": "../offline-advisory-bundle.schema.json",
+  "bundleId": "bundle:concelier:offline:2025-12-02T00-00Z",
+  "tenant": "default",
+  "exportKind": "json",
+  "createdAt": "2025-12-02T00:00:00Z",
+  "snapshot": {
+    "windowStart": "2025-11-25T00:00:00Z",
+    "windowEnd": "2025-12-01T23:59:59Z",
+    "stalenessHours": 168,
+    "sources": [
+      {
+        "name": "osv",
+        "cursor": "2025-12-01T23:50:00Z",
+        "hash": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcd",
+        "snapshotUri": "https://mirror.example/offline/osv-2025-12-01.zip"
+      },
+      {
+        "name": "redhat",
+        "cursor": "2025-12-01T23:45:00Z",
+        "hash": "sha256:abcd456789abcdef0123456789abcdef0123456789abcdef0123456789abcd"
+      }
+    ]
+  },
+  "manifest": [
+    {
+      "path": "export/index.json",
+      "sha256": "89abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234567",
+      "size": 482192,
+      "contentType": "application/json"
+    },
+    {
+      "path": "export/db/trivy.db",
+      "sha256": "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210",
+      "size": 1289932,
+      "contentType": "application/octet-stream"
+    }
+  ],
+  "hashes": {
+    "sha256": "0f0e0d0c0b0a09080706050403020100ffeeddccbbaa99887766554433221100"
+  },
+  "signatures": [
+    {
+      "type": "dsse-inline",
+      "keyId": "schema-offline-pub",
+      "signature": "MEUCIQDkexampleSignedDigestx+deterministicSig==",
+      "envelopeDigest": "sha256:aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55"
+    }
+  ],
+  "determinism": {
+    "contentHash": "sha256:d3c3f6c75c6a3f0906bcee457cc77a2d6d7c0f9d1a1d7da78c0d2ab8e0dba111",
+    "idempotencyKey": "29d58b9fdc5c4e65b26c03f3bd9f442ff0c7f8514b8a9225f8b6417ffabc0101",
+    "canonVersion": "1"
+  }
+}