Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images. - Added symbols.json detailing function entry and sink points in the WordPress code. - Included runtime traces for function calls in both reachable and unreachable scenarios. - Developed OpenVEX files indicating vulnerability status and justification for both cases. - Updated README for evaluator harness to guide integration with scanner output.
This commit is contained in:
master
113
docs/security/crypto-routing-audit-2025-11-07.md
Normal file
113
docs/security/crypto-routing-audit-2025-11-07.md
Normal file
@@ -0,0 +1,113 @@
|
||||
# Crypto Routing Audit — 07 Nov 2025
|
||||
|
||||
**Scope.** Inventory direct uses of `System.Security.Cryptography` (and related primitives) outside the `StellaOps.Cryptography*` stack to identify callers that must be routed through sovereign-aware providers (default, PKCS#11, CryptoPro, future PQC).
|
||||
|
||||
**Method.** `rg -l "using System.Security.Cryptography" src | grep -Ev "__Tests|\.Tests/"` (filtered for runtime code). Counts reflect unique files per top-level module.
|
||||
|
||||
## Summary (runtime files by module)
|
||||
|
||||
| Module/Area | Files bypassing shared crypto |
|
||||
|-------------|------------------------------|
|
||||
| Concelier | 34 |
|
||||
| Scanner | 31 |
|
||||
| Authority | 20 |
|
||||
| Excititor | 18 |
|
||||
| Attestor | 18 |
|
||||
| EvidenceLocker | 10 |
|
||||
| Findings / Vuln Explorer | 7 |
|
||||
| Zastava | 6 |
|
||||
| ExportCenter| 6 |
|
||||
| Policy | 4 |
|
||||
| Scheduler | 3 |
|
||||
| CLI | 3 |
|
||||
| Bench | 3 |
|
||||
| AdvisoryAI | 3 |
|
||||
| Other (Notify, Registry, Signals, etc.) | 11 combined |
|
||||
|
||||
## Configuring `crypto.regionalProfiles`
|
||||
|
||||
All hosts can now express provider ordering and profile overrides via configuration:
|
||||
|
||||
```yaml
|
||||
Crypto:
|
||||
registry:
|
||||
preferredProviders:
|
||||
- default
|
||||
- ru.pkcs11
|
||||
activeProfile: ru-offline
|
||||
profiles:
|
||||
ru-offline:
|
||||
preferredProviders:
|
||||
- ru.cryptopro.csp
|
||||
- ru.pkcs11
|
||||
pkcs11:
|
||||
keys:
|
||||
- keyId: ru-slot-token
|
||||
libraryPath: /usr/local/lib/librutokenecp.so
|
||||
slotId: "0x1"
|
||||
privateKeyLabel: signing-key
|
||||
certificateThumbprint: "<thumbprint>"
|
||||
cryptopro:
|
||||
keys:
|
||||
- keyId: ru-csp-token
|
||||
libraryPath: /opt/cprocsp/lib/libcapi20.so
|
||||
containerLabel: KRYPTO_PRO_KEY
|
||||
certificateThumbprint: "<thumbprint>"
|
||||
```
|
||||
|
||||
Each deployment picks a profile (`activeProfile`) that resolves to a deterministic provider order, and individual services call into `ICryptoProviderRegistry` rather than new-ing crypto stacks directly.
|
||||
|
||||
## Inspecting providers from the CLI
|
||||
|
||||
`stellaops crypto providers` now lists the registered providers, signing algorithms, certificate metadata, and the current preferred order. Use `--json` for machine-readable output or `--profile <name>` to preview another profile (e.g., `ru-offline`) before flipping configuration.
|
||||
|
||||
## High-priority hotspots
|
||||
|
||||
### Concelier (ingestion + mirror connectors)
|
||||
- `src/Concelier/StellaOps.Concelier.WebService/Services/OpenApiDiscoveryDocumentProvider.cs` – builds SHA256 hashes for discovery docs inline.
|
||||
- `src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/Security/MirrorSignatureVerifier.cs` – performs RSA verification directly.
|
||||
- `src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Nkcki/RuNkckiConnector.cs` and `.Ru.Bdu` – local hash/signature handling for regional advisories.
|
||||
|
||||
**Action:** Introduce `ICryptoProviderRegistry` consumption inside connector/lib assemblies (probably through lightweight adapter service). File follow-up tasks in `src/Concelier/StellaOps.Concelier.WebService/TASKS.md` and connector TASK boards to migrate hashing/signing to the new PKCS#11/CryptoPro providers (priority for RU feeds to unblock RootPack_RU).
|
||||
|
||||
### Scanner (web service, worker, Sbomer plug-ins)
|
||||
- `src/Scanner/StellaOps.Scanner.WebService/Utilities/ScanIdGenerator.cs` – direct SHA256 for id derivation.
|
||||
- `src/Scanner/StellaOps.Scanner.WebService/Services/ReportSigner.cs` – uses `ECDsa.Create()` directly for DSSE hand-off.
|
||||
- `src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/SurfaceManifestPublisher.cs` – manual digesting before CAS writes.
|
||||
|
||||
**Action:** Create shared `IScanCryptoService` backed by `ICryptoProviderRegistry` so both web service and worker reuse sovereign providers. Add tasks under `src/Scanner/StellaOps.Scanner.WebService/TASKS.md` and `src/Scanner/StellaOps.Scanner.Worker/TASKS.md`.
|
||||
|
||||
### Authority (plugins + signing host)
|
||||
- `StellaOps.Authority/Signing/*` classes still load PEM/PKCS#12 directly via `X509Certificate2` and `RSA`.
|
||||
- `AuthoritySecretHasher` and `AuthorityClientCertificateValidator` maintain custom hashing.
|
||||
|
||||
**Action:** Wire Authority signing/loading paths to `ICryptoProviderRegistry` so active keys can point to `ru.cryptopro.csp` or `ru.pkcs11`. Open tasks in `src/Authority/StellaOps.Authority/TASKS.md` covering: signing key loading, JWKS generation, secret hashing migration.
|
||||
|
||||
### Excititor / Attestor
|
||||
- Excititor connectors (e.g., `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ghsa/GhsaConnector.cs`) re-hash payloads in place.
|
||||
- Attestor submission cache uses SHA256 for bundle ids.
|
||||
|
||||
**Action:** Introduce shared hashing helper that internally calls `ICryptoProviderRegistry.ResolveOrThrow(CryptoCapability.Signing, SignatureAlgorithms.GostR3410_2012_256)` for digest+sign combos; log follow-ups in respective TASK boards.
|
||||
|
||||
### Evidence Locker / Export Center
|
||||
- Export packaging code manually builds SHA/V1 digests before signing manifests.
|
||||
|
||||
**Action:** Add backlog tasks for both modules to replace `SHA256.Create()` usage with provider-backed hashing (especially for offline bundle sealing).
|
||||
|
||||
## Next steps
|
||||
1. **Open remediation tasks per module** referencing this audit (minimum: Concelier, Scanner, Authority, Excititor, Attestor, Evidence Locker, Export Center). Each task should specify which files to migrate and target provider (default vs sovereign).
|
||||
2. **Provide shared helpers** (e.g., `ICryptoDigestService`, `ICasSigner`) in `StellaOps.Cryptography` to ease adoption and avoid each module talking to the registry manually.
|
||||
3. **Follow-up audit** once migrations land; rerun the command and ensure only `StellaOps.Cryptography*` and vetted crypto libraries contain direct `System.Security.Cryptography` usage.
|
||||
4. **RootPack validation runbook** — see `docs/security/rootpack_ru_validation.md` for deterministic tests, hardware validation, and required audit artifacts before shipping RootPack_RU.
|
||||
|
||||
### Remediation tracking snapshot (2025-11-08)
|
||||
|
||||
- **Authority:** `AUTH-CRYPTO-90-001` (Authority TASKS board)
|
||||
- **Scanner:** `SCANNER-CRYPTO-90-001` (WebService TASKS board)
|
||||
- **Concelier:** `CONCELIER-CRYPTO-90-001` (WebService TASKS board)
|
||||
- **Excititor:** `EXCITITOR-CRYPTO-90-001` (WebService TASKS board)
|
||||
- **Attestor:** `ATTESTOR-CRYPTO-90-001` (Attestor TASKS board)
|
||||
- **Evidence Locker:** `EVID-CRYPTO-90-001` (Evidence Locker TASKS board)
|
||||
- **Export Center:** `EXPORT-CRYPTO-90-001` (Exporter Service TASKS board)
|
||||
|
||||
> Stored query artifacts: `/tmp/crypto_runtime_non_tests.txt` (157 runtime files) and aggregated counts above prepared on 2025-11-07.
|
||||
Reference in New Issue
Block a user