Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images. - Added symbols.json detailing function entry and sink points in the WordPress code. - Included runtime traces for function calls in both reachable and unreachable scenarios. - Developed OpenVEX files indicating vulnerability status and justification for both cases. - Updated README for evaluator harness to guide integration with scanner output.
This commit is contained in:
master
@@ -25,6 +25,51 @@ This guide captures the canonical signals emitted by Concelier and Excititor onc
|
||||
- **Stale ingestion:** Alert when `max_over_time(ingestion_latency_seconds_sum / ingestion_latency_seconds_count)[30m]` exceeds 30 s or if `ingestion_write_total` has no growth for > 60 min.
|
||||
- **Signature drop:** Warn when `rate(ingestion_signature_verified_total{result="fail"}[1h]) > 0`.
|
||||
|
||||
### 1.2 · `/obs/excititor/health`
|
||||
|
||||
`GET /obs/excititor/health` (scope `vex.admin`) returns a compact snapshot for Grafana tiles and Console widgets:
|
||||
|
||||
- `ingest` — overall status, worst lag (seconds), and the top connectors (status, lagSeconds, failure count, last success).
|
||||
- `link` — freshness of consensus/linkset processing plus document counts and the number currently carrying conflicts.
|
||||
- `signature` — recent coverage window (evaluated, with signatures, verified, failures, unsigned, coverage ratio).
|
||||
- `conflicts` — rolling totals grouped by status plus per-bucket trend data for charts.
|
||||
|
||||
```json
|
||||
{
|
||||
"generatedAt": "2025-11-08T11:00:00Z",
|
||||
"ingest": { "status": "healthy", "connectors": [ { "connectorId": "excititor:redhat", "lagSeconds": 45.3 } ] },
|
||||
"link": { "status": "warning", "lastConsensusAt": "2025-11-08T10:57:03Z" },
|
||||
"signature": { "status": "critical", "documentsEvaluated": 120, "verified": 30, "failures": 2 },
|
||||
"conflicts": { "status": "warning", "conflictStatements": 325, "trend": [ { "bucketStart": "2025-11-08T10:00:00Z", "conflicts": 130 } ] }
|
||||
}
|
||||
```
|
||||
|
||||
| Setting | Default | Purpose |
|
||||
|---------|---------|---------|
|
||||
| `Excititor:Observability:IngestWarningThreshold` | `06:00:00` | Connector lag before `ingest.status` becomes `warning`. |
|
||||
| `Excititor:Observability:IngestCriticalThreshold` | `24:00:00` | Connector lag before `ingest.status` becomes `critical`. |
|
||||
| `Excititor:Observability:LinkWarningThreshold` | `00:15:00` | Maximum acceptable delay between consensus recalculations. |
|
||||
| `Excititor:Observability:LinkCriticalThreshold` | `01:00:00` | Delay that marks link status as `critical`. |
|
||||
| `Excititor:Observability:SignatureWindow` | `12:00:00` | Lookback window for signature coverage. |
|
||||
| `Excititor:Observability:SignatureHealthyCoverage` | `0.8` | Coverage ratio that still counts as healthy. |
|
||||
| `Excititor:Observability:SignatureWarningCoverage` | `0.5` | Coverage ratio that flips the status to `warning`. |
|
||||
| `Excititor:Observability:ConflictTrendWindow` | `24:00:00` | Rolling window used for conflict aggregation. |
|
||||
| `Excititor:Observability:ConflictTrendBucketMinutes` | `60` | Resolution of conflict `trend` buckets. |
|
||||
| `Excititor:Observability:ConflictWarningRatio` | `0.15` | Fraction of consensus docs with conflicts that triggers `warning`. |
|
||||
| `Excititor:Observability:ConflictCriticalRatio` | `0.3` | Ratio that marks `conflicts.status` as `critical`. |
|
||||
| `Excititor:Observability:MaxConnectorDetails` | `50` | Number of connector entries returned (keeps payloads small). |
|
||||
|
||||
### 1.3 · Regression & DI hygiene
|
||||
|
||||
1. **Keep storage/integration tests green when telemetry touches persistence.**
|
||||
- `./tools/mongodb/local-mongo.sh start` downloads MongoDB 6.0.16 (if needed), launches `rs0`, and prints `export EXCITITOR_TEST_MONGO_URI=mongodb://.../excititor-tests`. Copy that export into your shell.
|
||||
- `./tools/mongodb/local-mongo.sh restart` is a shortcut for “stop if running, then start” using the same dataset—use it after tweaking config or when tests need a bounce without wiping fixtures.
|
||||
- `./tools/mongodb/local-mongo.sh clean` stops the instance (if running) and deletes the managed data/log directories so storage tests begin from a pristine catalog.
|
||||
- Run `dotnet test src/Excititor/__Tests/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj -nologo -v minimal` (add `--filter` if you only touched specific suites). These tests exercise the same write paths that feed the dashboards, so regressions show up immediately.
|
||||
- `./tools/mongodb/local-mongo.sh stop` when finished so CI/dev hosts stay clean; `status|logs|shell` are available for troubleshooting.
|
||||
2. **Declare optional Minimal API dependencies with `[FromServices] ... = null`.** RequestDelegateFactory treats `[FromServices] IVexSigner? signer = null` (or similar) as optional, so host startup succeeds even when tests have not registered that service. This pattern keeps observability endpoints cancellable while avoiding brittle test overrides.
|
||||
|
||||
|
||||
---
|
||||
|
||||
## 2 · Traces
|
||||
@@ -45,6 +90,35 @@ This guide captures the canonical signals emitted by Concelier and Excititor onc
|
||||
- Use `aoc.guard` spans to inspect guard payload snapshots. Sensitive fields are redacted automatically; raw JSON lives in secure logs only.
|
||||
- For scheduled verification, filter traces by `initiator="scheduled"` to compare runtimes pre/post change.
|
||||
|
||||
### 2.3 Telemetry configuration (Excititor)
|
||||
|
||||
- Configure the web service via `Excititor:Telemetry`:
|
||||
|
||||
```jsonc
|
||||
{
|
||||
"Excititor": {
|
||||
"Telemetry": {
|
||||
"Enabled": true,
|
||||
"EnableTracing": true,
|
||||
"EnableMetrics": true,
|
||||
"ServiceName": "stellaops-excititor-web",
|
||||
"OtlpEndpoint": "http://otel-collector:4317",
|
||||
"OtlpHeaders": {
|
||||
"Authorization": "Bearer ${OTEL_PUSH_TOKEN}"
|
||||
},
|
||||
"ResourceAttributes": {
|
||||
"env": "prod-us",
|
||||
"service.group": "ingestion"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
- Point the OTLP endpoint at the shared collector profile from §1 so Excititor metrics land in the `ingestion_*` dashboards next to Concelier. Resource attributes drive Grafana filtering (e.g., `env`, `service.group`).
|
||||
- For offline/air-gap bundles set `Enabled=false` and collect the file exporter artifacts from the Offline Kit; import them into Grafana after transfer to keep time-to-truth dashboards consistent.
|
||||
- Local development templates: run `tools/mongodb/local-mongo.sh start` to spin up a single-node replica set plus the matching `mongosh` client. The script prints the `export EXCITITOR_TEST_MONGO_URI=...` command that integration tests (e.g., `StellaOps.Excititor.Storage.Mongo.Tests`) will honor. Use `restart` for a quick bounce, `clean` to wipe data between suites, and `stop` when finished.
|
||||
|
||||
---
|
||||
|
||||
## 3 · Logs
|
||||
@@ -61,6 +135,13 @@ Structured logs include the following keys (JSON):
|
||||
| `violation.code` | Present when guard rejects `ERR_AOC_00x`. |
|
||||
| `verification.window` | Present on `/aoc/verify` job logs. |
|
||||
|
||||
Excititor APIs mirror these identifiers via response headers:
|
||||
|
||||
| Header | Purpose |
|
||||
| --- | --- |
|
||||
| `X-Stella-TraceId` | W3C trace/span identifier for deep-linking from Console → Grafana/Loki. |
|
||||
| `X-Stella-CorrelationId` | Stable correlation identifier (respects inbound header or falls back to the request trace ID). |
|
||||
|
||||
Logs are shipped to the central Loki/Elasticsearch cluster. Use the template query:
|
||||
|
||||
```logql
|
||||
|
||||
Reference in New Issue
Block a user