stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Add tests for SBOM generation determinism across multiple formats

Browse Source 
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
This commit is contained in:
master
2025-12-23 18:56:12 +02:00
committed by StellaOps Bot
parent 7ac70ece71
commit 491e883653
409 changed files with 23797 additions and 17779 deletions
Download Patch File Download Diff File Expand all files Collapse all files

504
docs/04_FEATURE_MATRIX.md
View File

@@ -1,39 +1,477 @@
#4 · FeatureMatrix — **StellaOps**
*(rev2.0 · 14Jul2025)*
# 4 · Feature Matrix — **Stella Ops**
*(rev 4.0 · 24 Dec 2025)*
> **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail.
| Category | Capability | Free Tier (≤333 scans/day) | Community Plugin | Commercial AddOn | Notes / ETA |
| ---------------------- | ------------------------------------- | ----------------------------- | ----------------- | ------------------- | ------------------------------------------ |
| **SBOM Ingestion** | TrivyJSON, SPDXJSON, CycloneDXJSON | ✅ | — | — | Autodetect on upload |
| | **DeltaSBOM Cache** | ✅ | — | — | Warm scans <1s |
| **Scanning** | CVE lookup via local DB | | | | Update job ships weekly feeds |
| | Licencerisk detection |  (roadmap Q42025) | | | SPDX licence list |
| **Policy Engine** | YAML rules | | | | InUI editor |
| | OPA / Rego |  (βQ12026) | plugin | | Plugin enables Rego |
| **Registry** | Anonymous internal registry | | | | `StellaOps.Registry` image |
| **Attestation** | Cosign signing |  (Q12026) | | | Requires `StellaOpsAttestor` |
| | SLSA provenance v1.0 | | |  (commercial 2026) | Enterprise need |
| | Rekor transparency log | | plugin | | Airgap replica support |
| **Quota & Throttling** | {{ quota_token }} scans/day soft limit | | | | Yellow banner at200, waitwall postlimit |
| | Usage API (`/quota`) | | | | CI can poll remaining scans |
| **User Interface** | Dark / light mode | | | | Autodetect OS theme |
| | Additional locale (Cyrillic) | | | | Default if `AcceptLanguage: bg` or any other |
| | Audit trail | | | | PostgreSQL history |
| **Deployment** | Docker Compose bundle | | | | Singlenode |
| | Helm chart (K8s) | | | | Horizontal scaling |
| | Highavailability split services | | | (AddOn) | HA Redis & PostgreSQL |
| **Extensibility** | .NET hotload plugins | | N/A | | AGPL reference SDK |
| | Community plugin marketplace | |  (βQ22026) | | Moderated listings |
| **Telemetry** | Optin anonymous metrics | | | | Required for quota satisfaction KPI |
| **Quota & Tokens** | **ClientJWT issuance** | (online 12h token) | | | `/connect/token` |
| | **Offline ClientJWT (30d)** | via OUK | | | Refreshed monthly in OUK |
| **Reachability & Evidence** | Graph-level reachability DSSE |  (Q12026) | | | Mandatory attestation per graph; CAS+Rekor; see `docs/reachability/hybrid-attestation.md`. |
| | Edge-bundle DSSE (selective) |  (Q22026) | | | Optional bundles for runtime/init/contested edges; Rekor publish capped. |
| | Cross-scanner determinism bench |  (Q12026) | | | CI bench from 23-Nov advisory; determinism rate + CVSS σ. |
---
> **Legend:** ✅ =Included=Planned=Not applicable
> Rows marked “Commercial AddOn” are optional paid components shipping outside the AGPLcore; everything else is FOSS.
## Pricing Tiers Overview
| Tier | Scans/Day | Registration | Token Refresh | Target User | Price |
|------|-----------|--------------|---------------|-------------|-------|
| **Free** | 33 | None | 12h auto | Individual developer | $0 |
| **Community** | 333 | Required | 30d manual | Startups, small teams (<25) | $0 |
| **Enterprise** | 2,000+ | SSO/Contract | Annual | Organizations (25+), regulated | Contact Sales |
**Key Differences:**
- **Free Community**: Same features, 10× quota, requires registration
- **Community Enterprise**: Compliance, scale, multi-team, support
---
*Last updated: 14 Jul 2025 (quota rev2.0).*
## Competitive Moat Features
*These differentiators are available across all tiers to build brand and adoption.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Signed Replayable Risk Verdicts | | | | Core differentiator |
| Decision Capsules | | | | Audit-grade evidence bundles |
| VEX Decisioning Engine | | | | Trust lattice + conflict resolution |
| Reachability with Portable Proofs | | | | Three-layer analysis |
| Smart-Diff (Semantic Risk Delta) | | | | Material change detection |
| Unknowns as First-Class State | | | | Uncertainty budgets |
| Deterministic Replay | | | | `stella replay srm.yaml` |
---
## SBOM & Ingestion
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Trivy-JSON Ingestion | | | | |
| SPDX-JSON 3.0.1 Ingestion | | | | |
| CycloneDX 1.6/1.7 Ingestion | | | | |
| Auto-format Detection | | | | |
| Delta-SBOM Cache | | | | Warm scans <1s |
| SBOM Generation (all formats) | | | | |
| Semantic SBOM Diff | | | | |
| BYOS (Bring-Your-Own-SBOM) | | | | |
| **SBOM Lineage Ledger** | | | | Full versioned history |
| **SBOM Lineage API** | | | | Traversal queries |
---
## Scanning & Detection
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVE Lookup via Local DB | | | | |
| Licence-Risk Detection | | | | Q4-2025 |
| **Language Analyzers (All 8)** | | | | |
| .NET/C#, Java, Go, Python | | | | |
| Node.js, Ruby, Bun, Native | | | | |
| **Progressive Fidelity Modes** | | | | |
| Quick Mode | | | | |
| Standard Mode | | | | |
| Deep Mode | | | | Full analysis |
| Base Image Detection | | | | |
| Layer-Aware Analysis | | | | |
| **Concurrent Scan Workers** | 1 | 3 | Unlimited | |
---
## Reachability Analysis
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Static Call Graph | | | | |
| Entrypoint Detection | | | | 9+ framework types |
| BFS Reachability | | | | |
| Reachability Drift Detection | | | | |
| Binary Loader Resolution | | | | ELF/PE/Mach-O |
| Feature Flag/Config Gating | | | | Layer 3 analysis |
| Runtime Signal Correlation | | | | Zastava integration |
| Gate Detection (auth/admin) | | | | Enterprise policies |
| Path Witness Generation | | | | Audit evidence |
| Reachability Mini-Map API | | | | UI visualization |
| Runtime Timeline API | | | | Temporal analysis |
---
## Binary Analysis (BinaryIndex)
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Binary Identity Extraction | | | | Build-ID, hashes |
| Build-ID Vulnerability Lookup | | | | |
| Debian/Ubuntu Corpus | | | | |
| RPM/RHEL Corpus | | | | |
| Patch-Aware Backport Detection | | | | |
| PE/Mach-O/ELF Parsers | | | | |
| **Binary Fingerprint Generation** | | | | Advanced detection |
| **Fingerprint Matching Engine** | | | | Similarity search |
| **DWARF/Symbol Analysis** | | | | Debug symbols |
---
## Advisory Sources (Concelier)
| Source | Free | Community | Enterprise | Notes |
|--------|:----:|:---------:|:----------:|-------|
| NVD | | | | |
| GHSA | | | | |
| OSV | | | | |
| Alpine SecDB | | | | |
| Debian Security Tracker | | | | |
| Ubuntu USN | | | | |
| RHEL/CentOS OVAL | | | | |
| KEV (Exploited Vulns) | | | | |
| EPSS v4 | | | | |
| **Custom Advisory Connectors** | | | | Private feeds |
| **Advisory Merge Engine** | | | | Conflict resolution |
---
## VEX Processing (Excititor)
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| OpenVEX Ingestion | | | | |
| CycloneDX VEX Ingestion | | | | |
| CSAF VEX Ingestion | | | | |
| VEX Consensus Resolver | | | | |
| Trust Vector Scoring (P/C/R) | | | | |
| Claim Strength Multipliers | | | | |
| Freshness Decay | | | | |
| **Conflict Detection & Penalty** | | | | K4 lattice logic |
| **VEX Conflict Studio UI** | | | | Visual resolution |
| **Trust Calibration Service** | | | | Org-specific tuning |
| **VEX Hub (Distribution)** | | | | Internal VEX network |
---
## Policy Engine
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| YAML Policy Rules | | | | Basic rules |
| Belnap K4 Four-Valued Logic | | | | |
| Security Atoms (6 types) | | | | |
| Disposition Selection (ECMA-424) | | | | |
| Minimum Confidence Gate | | | | |
| Unknowns Budget Gate | | | | |
| Source Quota Gate | | | | 60% cap enforcement |
| Reachability Requirement Gate | | | | For criticals |
| **OPA/Rego Integration** | | | | Custom policies |
| **Exception Objects & Workflow** | | | | Approval chains |
| **Score Policy YAML** | | | | Full customization |
| **Configurable Scoring Profiles** | | | | Simple/Advanced |
| **Policy Version History** | | | | Audit trail |
---
## Attestation & Signing
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| DSSE Envelope Signing | | | | |
| in-toto Statement Structure | | | | |
| SBOM Predicate | | | | |
| VEX Predicate | | | | |
| Reachability Predicate | | | | |
| Policy Decision Predicate | | | | |
| Verdict Manifest (signed) | | | | |
| Verdict Replay Verification | | | | |
| **Human Approval Predicate** | | | | Workflow attestation |
| **Boundary Predicate** | | | | Network exposure |
| **Key Rotation Management** | | | | Enterprise key ops |
| **SLSA Provenance v1.0** | | | | Supply chain |
| **Rekor Transparency Log** | | | | Public attestation |
| **Cosign Integration** | | | | Sigstore ecosystem |
---
## Regional Crypto (Sovereign Profiles)
*Compliance features for regulated industries.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Default Crypto (Ed25519) | | | | |
| **FIPS 140-2/3 Mode** | | | | US Federal |
| **eIDAS Signatures** | | | | EU Compliance |
| **GOST/CryptoPro** | | | | Russia |
| **SM National Standard** | | | | China |
| **Post-Quantum (Dilithium)** | | | | Future-proof |
| **Crypto Plugin Architecture** | | | | Custom HSM |
---
## Determinism & Reproducibility
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Canonical JSON Serialization | | | | |
| Content-Addressed IDs | | | | SHA-256 |
| Replay Manifest (SRM) | | | | |
| `stella replay` CLI | | | | |
| Score Explanation Arrays | | | | |
| Evidence Freshness Multipliers | | | | |
| Proof Coverage Metrics | | | | |
| **Fidelity Metrics (BF/SF/PF)** | | | | Audit dashboards |
| **FN-Drift Rate Tracking** | | | | Quality monitoring |
| **Determinism Gate CI** | | | | Automated checks |
---
## Scoring & Risk Assessment
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVSS v4.0 Display | | | | |
| EPSS v4 Probability | | | | |
| Priority Band Classification | | | | |
| EPSS-at-Scan Immutability | | | | |
| Unified Confidence Model | | | | 5-factor |
| **Entropy-Based Scoring** | | | | Advanced |
| **Gate Multipliers** | | | | Reachability-aware |
| **Unknowns Pressure Factor** | | | | Risk budgets |
| **Custom Scoring Profiles** | | | | Org-specific |
---
## Evidence & Findings
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Findings List | | | | |
| Evidence Graph View | | | | Basic |
| Decision Capsules | | | | |
| **Findings Ledger (Immutable)** | | | | Audit trail |
| **Evidence Locker (Sealed)** | | | | Export/import |
| **Evidence TTL Policies** | | | | Retention rules |
| **Evidence Size Budgets** | | | | Storage governance |
| **Retention Tiers** | | | | Hot/Warm/Cold |
| **Privacy Controls** | | | | Redaction |
| **Audit Pack Export** | | | | Compliance bundles |
---
## CLI Capabilities
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Scanner Commands | | | | |
| SBOM Inspect & Diff | | | | |
| Deterministic Replay | | | | |
| Attestation Verify | | | | |
| Unknowns Budget Check | | | | |
| Evidence Export | | | | |
| **Audit Pack Operations** | | | | Full workflow |
| **Binary Match Inspection** | | | | Advanced |
| **Crypto Plugin Commands** | | | | Regional crypto |
| **Admin Utilities** | | | | Ops tooling |
---
## Web UI Capabilities
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Dark/Light Mode | | | | |
| Findings Row Component | | | | |
| Evidence Drawer | | | | |
| Proof Tab | | | | |
| Confidence Meter | | | | |
| Locale Support | | | | Cyrillic, etc. |
| Reproduce Verdict Button | | | | |
| **Audit Trail UI** | | | | Full history |
| **Trust Algebra Panel** | | | | P/C/R visualization |
| **Claim Comparison Table** | | | | Conflict view |
| **Policy Chips Display** | | | | Gate status |
| **Reachability Mini-Map** | | | | Path visualization |
| **Runtime Timeline** | | | | Temporal view |
| **Operator/Auditor Toggle** | | | | Role separation |
| **Knowledge Snapshot UI** | | | | Air-gap prep |
| **Keyboard Shortcuts** | | | | Power users |
---
## Quota & Operations
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| **Scans per Day** | **33** | **333** | **2,000+** | Soft limit |
| Usage API (`/quota`) | | | | |
| Client-JWT (Online) | 12h | 30d | Annual | Token duration |
| Rate Limiting | | | | |
| 429 Backpressure | | | | |
| Retry-After Headers | | | | |
| **Priority Queue** | | | | Guaranteed capacity |
| **Burst Allowance** | | | | 3× daily for 1hr |
| **Custom Quotas** | | | | Per contract |
---
## Offline & Air-Gap
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Offline Update Kits (OUK) | | Monthly | Weekly | Feed freshness |
| Offline Signature Verify | | | | |
| One-Command Replay | | | | |
| **Sealed Knowledge Snapshots** | | | | Full feed export |
| **Air-Gap Bundle Manifest** | | | | Transfer packages |
| **No-Egress Enforcement** | | | | Strict isolation |
| **Offline JWT (90d)** | | | | Extended tokens |
---
## Deployment
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Docker Compose | | | | Single-node |
| Helm Chart (K8s) | | | | |
| PostgreSQL 16+ | | | | |
| Valkey 8.0+ | | | | |
| RustFS (S3) | | | | |
| **High-Availability** | | | | Multi-replica |
| **Horizontal Scaling** | | | | Auto-scale |
| **Dedicated Capacity** | | | | Reserved resources |
---
## Access Control & Identity
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Auth | | | | |
| API Keys | | | | |
| **SSO/SAML Integration** | | | | Okta, Azure AD |
| **OIDC Support** | | | | |
| **Advanced RBAC** | | | | Team-based |
| **Multi-Tenant Management** | | | | Org hierarchy |
| **Audit Log Export** | | | | SIEM integration |
---
## Notifications & Integrations
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Email Notifications | | | | |
| In-App Notifications | | | | |
| EPSS Change Alerts | | | | |
| **Slack Integration** | | | | Enterprise Grid |
| **Teams Integration** | | | | Enterprise |
| **Custom Webhooks** | | | | Any endpoint |
| **CI/CD Gates** | | | | GitLab/GitHub/Jenkins |
| **Zastava Registry Hooks** | | | | Auto-scan on push |
---
## Scheduling & Automation
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Manual Scans | | | | |
| **Scheduled Scans** | | | | Cron-based |
| **Task Pack Orchestration** | | | | Declarative workflows |
| **EPSS Daily Refresh** | | | | Auto-update |
| **Event-Driven Scanning** | | | | On registry push |
---
## Observability & Telemetry
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Metrics | | | | |
| Opt-In Telemetry | | | | |
| **OpenTelemetry Traces** | | | | Full tracing |
| **Prometheus Export** | | | | Custom dashboards |
| **Quality KPIs Dashboard** | | | | Triage metrics |
| **SLA Monitoring** | | | | Uptime tracking |
---
## Support & Services
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Documentation | | | | |
| Community Forums | | | | |
| GitHub Issues | | | | |
| **Email Support** | | | | Business hours |
| **Priority Support** | | | | 4hr response |
| **24/7 Critical Support** | | | | Add-on |
| **Dedicated CSM** | | | | Named contact |
| **Professional Services** | | | | Implementation |
| **Training & Certification** | | | | Team enablement |
| **SLA Guarantee** | | | | 99.9% uptime |
---
## Version Comparison
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| RPM (NEVRA) | | | | |
| Debian (EVR) | | | | |
| Alpine (APK) | | | | |
| SemVer | | | | |
| PURL Resolution | | | | |
---
## Summary by Tier
### Free Tier (33 scans/day)
**Target:** Individual developers, OSS contributors, evaluation
- All language analyzers
- Basic scanning and SBOM generation
- Core determinism features
- Basic VEX and policy
- Docker Compose deployment
- Community support
### Community Tier (333 scans/day)
**Target:** Startups, small teams (<25), active open source projects
Everything in Free, plus:
- 10× scan quota
- Deep analysis mode
- Binary analysis basics
- Advanced attestation predicates
- Helm/K8s deployment
- Email notifications
- Monthly OUK access
**Registration required, 30-day token renewal**
### Enterprise Tier (2,000+ scans/day)
**Target:** Organizations 25+, regulated industries, compliance-driven
Everything in Community, plus:
- **Compliance**: Regional crypto (FIPS/eIDAS/GOST/SM), SLSA, Rekor
- **Scale**: HA, horizontal scaling, priority queue
- **Access**: SSO/SAML, advanced RBAC, multi-tenant
- **Advanced**: Binary fingerprints, trust calibration, custom policies
- **Air-Gap**: Sealed snapshots, extended offline tokens
- **Integration**: Enterprise Slack/Teams, CI/CD gates, webhooks
- **Support**: SLA, priority support, dedicated CSM
---
## Statistics Summary
| Metric | Value |
|--------|-------|
| **Total Features** | 150+ |
| **Free Tier Features** | ~45 |
| **Community Tier Features** | ~85 |
| **Enterprise Tier Features** | 150+ |
| **Language Analyzers** | 8 (all tiers) |
| **Advisory Sources** | 9 (Free), 10 (Community), 11+ (Enterprise) |
| **Crypto Profiles** | 1 (Free/Community), 6 (Enterprise) |
---
> **Legend:** ✅ = Included | — = Not available | ⏳ = Planned
---
*Last updated: 24 Dec 2025 (rev 4.0 - Tiered Commercial Model)*