Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.

deploy/helm/stellaops/templates/core.yaml

@@ -1,5 +1,12 @@
-{{- $root := . -}}
-{{- range $name, $svc := .Values.services }}
+{{- $root := . -}}
+{{- $configMaps := default (dict) .Values.configMaps -}}
+{{- $hasPolicyActivationConfig := hasKey $configMaps "policy-engine-activation" -}}
+{{- $policyActivationConfigName := "" -}}
+{{- if $hasPolicyActivationConfig -}}
+{{- $policyActivationConfigName = include "stellaops.fullname" (dict "root" $root "name" "policy-engine-activation") -}}
+{{- end -}}
+{{- $policyActivationTargets := dict "policy-engine" true "policy-gateway" true -}}
+{{- range $name, $svc := .Values.services }}
 {{- $configMounts := (default (list) $svc.configMounts) }}
 apiVersion: apps/v1
 kind: Deployment
@@ -36,18 +43,31 @@ spec:
             - {{ $arg | quote }}
 {{- end }}
 {{- end }}
-{{- if $svc.env }}
-          env:
-{{- range $envName, $envValue := $svc.env }}
-            - name: {{ $envName }}
-              value: {{ $envValue | quote }}
-{{- end }}
-{{- end }}
-{{- if $svc.envFrom }}
-          envFrom:
-{{ toYaml $svc.envFrom | nindent 12 }}
-{{- end }}
-{{- if $svc.ports }}
+{{- if $svc.env }}
+          env:
+{{- range $envName, $envValue := $svc.env }}
+            - name: {{ $envName }}
+              value: {{ $envValue | quote }}
+{{- end }}
+{{- end }}
+{{- $needsPolicyActivation := and $hasPolicyActivationConfig (hasKey $policyActivationTargets $name) }}
+{{- $envFrom := default (list) $svc.envFrom }}
+{{- if and $needsPolicyActivation (ne $policyActivationConfigName "") }}
+{{- $hasActivationReference := false }}
+{{- range $envFromEntry := $envFrom }}
+  {{- if and (hasKey $envFromEntry "configMapRef") (eq (index (index $envFromEntry "configMapRef") "name") $policyActivationConfigName) }}
+    {{- $hasActivationReference = true }}
+  {{- end }}
+{{- end }}
+{{- if not $hasActivationReference }}
+{{- $envFrom = append $envFrom (dict "configMapRef" (dict "name" $policyActivationConfigName)) }}
+{{- end }}
+{{- end }}
+{{- if $envFrom }}
+          envFrom:
+{{ toYaml $envFrom | nindent 12 }}
+{{- end }}
+{{- if $svc.ports }}
           ports:
 {{- range $port := $svc.ports }}
             - name: {{ default (printf "%s-%v" $name $port.containerPort) $port.name | trunc 63 | trimSuffix "-" }}

deploy/helm/stellaops/values-airgap.yaml

@@ -51,6 +51,13 @@ configMaps:
         telemetry:
           enableRequestLogging: true
           minimumLogLevel: Warning
+  policy-engine-activation:
+    data:
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__FORCETWOPERSONAPPROVAL: "true"
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__DEFAULTREQUIRESTWOPERSONAPPROVAL: "true"
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__EMITAUDITLOGS: "true"
+
+
 services:
   authority:
     image: registry.stella-ops.org/stellaops/authority@sha256:5551a3269b7008cd5aceecf45df018c67459ed519557ccbe48b093b926a39bcc

deploy/helm/stellaops/values-dev.yaml

@@ -58,6 +58,11 @@ configMaps:
         telemetry:
           enableRequestLogging: true
           minimumLogLevel: Debug
+  policy-engine-activation:
+    data:
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__FORCETWOPERSONAPPROVAL: "false"
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__DEFAULTREQUIRESTWOPERSONAPPROVAL: "false"
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__EMITAUDITLOGS: "true"
 services:
   authority:
     image: registry.stella-ops.org/stellaops/authority@sha256:a8e8faec44a579aa5714e58be835f25575710430b1ad2ccd1282a018cd9ffcdd

deploy/helm/stellaops/values-mirror.yaml

@@ -106,11 +106,18 @@ configMaps:
             proxy_cache off;
         }
 
-        location / {
-            return 404;
-        }
-
-services:
+        location / {
+            return 404;
+        }
+
+
+  policy-engine-activation:
+    data:
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__FORCETWOPERSONAPPROVAL: "true"
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__DEFAULTREQUIRESTWOPERSONAPPROVAL: "true"
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__EMITAUDITLOGS: "true"
+
+services:
   concelier:
     image: registry.stella-ops.org/stellaops/concelier@sha256:dafef3954eb4b837e2c424dd2d23e1e4d60fa83794840fac9cd3dea1d43bd085
     service:

deploy/helm/stellaops/values-prod.yaml

@@ -52,6 +52,11 @@ configMaps:
         telemetry:
           enableRequestLogging: true
           minimumLogLevel: Information
+  policy-engine-activation:
+    data:
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__FORCETWOPERSONAPPROVAL: "true"
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__DEFAULTREQUIRESTWOPERSONAPPROVAL: "true"
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__EMITAUDITLOGS: "true"
 services:
   authority:
     image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5

deploy/helm/stellaops/values-stage.yaml

@@ -58,6 +58,11 @@ configMaps:
         telemetry:
           enableRequestLogging: true
           minimumLogLevel: Information
+  policy-engine-activation:
+    data:
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__FORCETWOPERSONAPPROVAL: "true"
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__DEFAULTREQUIRESTWOPERSONAPPROVAL: "true"
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__EMITAUDITLOGS: "true"
 services:
   authority:
     image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5

deploy/helm/stellaops/values.yaml

@@ -61,6 +61,12 @@ configMaps:
             issuerTrustCollection: issuer_trust_overrides
             auditCollection: issuer_audit
 
+  policy-engine-activation:
+    data:
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__FORCETWOPERSONAPPROVAL: "false"
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__DEFAULTREQUIRESTWOPERSONAPPROVAL: "false"
+      STELLAOPS_POLICY_ENGINE__ACTIVATION__EMITAUDITLOGS: "true"
+
 services:
   issuer-directory:
     image: registry.stella-ops.org/stellaops/issuer-directory-web:2025.10.0-edge