sprints completion. new product advisories prepared

2026-01-16 16:30:03 +02:00
parent a927d924e3
commit 4ca3ce8fb4
255 changed files with 42434 additions and 1020 deletions
--- a/docs/modules/policy/architecture.md
+++ b/docs/modules/policy/architecture.md
@@ -394,6 +394,9 @@ public sealed record GateResult
 | **SourceQuotaGate** | Prevent single-source dominance without corroboration | `gates.sourceQuota` |
 | **ReachabilityRequirementGate** | Require reachability proof for critical CVEs | `gates.reachabilityRequirement` |
 | **EvidenceFreshnessGate** | Reject stale evidence below freshness threshold | `gates.evidenceFreshness` |
+| **CvssThresholdGate** | Block findings above CVSS score threshold | `gates.cvssThreshold` |
+| **SbomPresenceGate** | Require valid SBOM for release artifacts | `gates.sbomPresence` |
+| **SignatureRequiredGate** | Require signatures on specified evidence types | `gates.signatureRequired` |

 #### MinimumConfidenceGate

@@ -466,6 +469,112 @@ gates:

 - **Behavior**: Fails when CRITICAL/HIGH CVE marked `not_affected` lacks reachability proof (unless bypass reason applies).

+#### CvssThresholdGate
+
+> **Sprint:** SPRINT_20260112_017_POLICY_cvss_threshold_gate
+
+Blocks findings above a configurable CVSS score threshold per environment:
+
+```yaml
+gates:
+  cvssThreshold:
+    enabled: true
+    priority: 15
+    defaultThreshold: 7.0
+    thresholds:
+      production: 7.0
+      staging: 8.0
+      development: 9.0
+    cvssVersionPreference: highest  # v3.1, v4.0, or highest
+    failOnMissingCvss: false
+    requireAllVersionsPass: false
+    allowlist:
+      - CVE-2024-XXXXX  # False positive
+    denylist:
+      - CVE-2024-YYYYY  # Always block
+```
+
+- **Behavior**: Fails when CVSS base score exceeds environment threshold.
+- **CVSS Versions**: Supports both CVSS v3.1 and v4.0; preference configurable.
+- **Allowlist**: CVEs that bypass threshold enforcement.
+- **Denylist**: CVEs that always fail regardless of score.
+- **Offline**: Operates without external lookups; uses injected or metadata scores.
+
+#### SbomPresenceGate
+
+> **Sprint:** SPRINT_20260112_017_POLICY_sbom_presence_gate
+
+Requires valid SBOM presence for release artifacts:
+
+```yaml
+gates:
+  sbomPresence:
+    enabled: true
+    priority: 5
+    enforcement:
+      production: required
+      staging: required
+      development: optional
+    acceptedFormats:
+      - spdx-2.3
+      - spdx-3.0.1
+      - cyclonedx-1.5
+      - cyclonedx-1.6
+    minimumComponents: 1
+    requireSignature: true
+    schemaValidation: true
+    requirePrimaryComponent: true
+```
+
+- **Enforcement Levels**: `required` (fail), `recommended` (warn), `optional` (pass).
+- **Format Validation**: Validates SBOM format against accepted list; normalizes format names.
+- **Schema Validation**: Validates SBOM against bundled JSON schemas.
+- **Signature Requirement**: Optionally requires signed SBOM.
+- **Minimum Components**: Ensures SBOM has meaningful inventory.
+
+#### SignatureRequiredGate
+
+> **Sprint:** SPRINT_20260112_017_POLICY_signature_required_gate
+
+Requires cryptographic signatures on specified evidence types:
+
+```yaml
+gates:
+  signatureRequired:
+    enabled: true
+    priority: 3
+    evidenceTypes:
+      sbom:
+        required: true
+        trustedIssuers:
+          - "*@company.com"
+          - "build-service@ci.example.com"
+        acceptedAlgorithms:
+          - ES256
+          - RS256
+      vex:
+        required: true
+        trustedIssuers:
+          - "*@vendor.com"
+      attestation:
+        required: true
+    enableKeylessVerification: true
+    fulcioRoots: /etc/stella/trust/fulcio-roots.pem
+    requireTransparencyLogInclusion: true
+    environments:
+      development:
+        requiredOverride: false
+        skipEvidenceTypes:
+          - sbom
+```
+
+- **Per-Evidence-Type**: Configure requirements per evidence type (SBOM, VEX, attestation).
+- **Issuer Constraints**: Wildcard support (`*@domain.com`) for email patterns.
+- **Algorithm Enforcement**: Limit accepted signature algorithms.
+- **Keyless (Fulcio)**: Support Sigstore keyless signatures with Fulcio certificate verification.
+- **Transparency Log**: Optionally require Rekor inclusion proof.
+- **Environment Overrides**: Relax requirements for non-production environments.
+
 #### Gate Registry

 Gates are registered via DI and evaluated in sequence:
@@ -496,6 +605,9 @@ public interface IPolicyGateRegistry
 | SourceQuotaGate | `src/Policy/__Libraries/StellaOps.Policy/Gates/SourceQuotaGate.cs` |
 | ReachabilityRequirementGate | `src/Policy/__Libraries/StellaOps.Policy/Gates/ReachabilityRequirementGate.cs` |
 | EvidenceFreshnessGate | `src/Policy/__Libraries/StellaOps.Policy/Gates/EvidenceFreshnessGate.cs` |
+| CvssThresholdGate | `src/Policy/__Libraries/StellaOps.Policy/Gates/CvssThresholdGate.cs` |
+| SbomPresenceGate | `src/Policy/__Libraries/StellaOps.Policy/Gates/SbomPresenceGate.cs` |
+| SignatureRequiredGate | `src/Policy/__Libraries/StellaOps.Policy/Gates/SignatureRequiredGate.cs` |

 See `etc/policy-gates.yaml.sample` for complete gate configuration options.