Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.

etc/policy-engine.yaml.sample

@@ -1,33 +1,38 @@
-# StellaOps Policy Engine configuration template.
-# Copy to ../etc/policy-engine.yaml (relative to the Policy Engine content root)
-# and adjust values to fit your environment. Environment variables prefixed with
-# STELLAOPS_POLICY_ENGINE_ override these values at runtime.
-
-schemaVersion: 1
-
-authority:
-  enabled: true
-  issuer: "https://authority.stella-ops.local"
-  clientId: "policy-engine"
-  clientSecret: "change-me"
-  scopes: [ "policy:run", "findings:read", "effective:write" ]
-  backchannelTimeoutSeconds: 30
-
-storage:
-  connectionString: "mongodb://localhost:27017/policy-engine"
-  databaseName: "policy_engine"
-  commandTimeoutSeconds: 30
-
-workers:
-  schedulerIntervalSeconds: 15
-  maxConcurrentEvaluations: 4
-
-resourceServer:
-  authority: "https://authority.stella-ops.local"
-  requireHttpsMetadata: true
-  audiences: [ "api://policy-engine" ]
-  requiredScopes: [ "policy:run" ]
-  requiredTenants: [ ]
-  bypassNetworks:
-    - "127.0.0.1/32"
-    - "::1/128"
+# StellaOps Policy Engine configuration template.
+# Copy to ../etc/policy-engine.yaml (relative to the Policy Engine content root)
+# and adjust values to fit your environment. Environment variables prefixed with
+# STELLAOPS_POLICY_ENGINE_ override these values at runtime.
+
+schemaVersion: 1
+
+authority:
+  enabled: true
+  issuer: "https://authority.stella-ops.local"
+  clientId: "policy-engine"
+  clientSecret: "change-me"
+  scopes: [ "policy:run", "findings:read", "effective:write" ]
+  backchannelTimeoutSeconds: 30
+
+storage:
+  connectionString: "mongodb://localhost:27017/policy-engine"
+  databaseName: "policy_engine"
+  commandTimeoutSeconds: 30
+
+workers:
+  schedulerIntervalSeconds: 15
+  maxConcurrentEvaluations: 4
+
+activation:
+  forceTwoPersonApproval: false
+  defaultRequiresTwoPersonApproval: false
+  emitAuditLogs: true
+
+resourceServer:
+  authority: "https://authority.stella-ops.local"
+  requireHttpsMetadata: true
+  audiences: [ "api://policy-engine" ]
+  requiredScopes: [ "policy:run" ]
+  requiredTenants: [ ]
+  bypassNetworks:
+    - "127.0.0.1/32"
+    - "::1/128"

etc/rootpack/ru/crypto.profile.yaml

@@ -0,0 +1,30 @@
+StellaOps:
+  Crypto:
+    Registry:
+      ActiveProfile: ru-offline
+      PreferredProviders:
+        - default
+      Profiles:
+        ru-offline:
+          PreferredProviders:
+            - ru.cryptopro.csp
+            - ru.pkcs11
+    CryptoPro:
+      Keys:
+        - KeyId: ru-csp-default
+          LibraryPath: /opt/cprocsp/lib/amd64/libcapi20.so
+          ContainerLabel: CN=RootPack Signing
+          CertificateThumbprint: "<thumbprint>"
+    Pkcs11:
+      Keys:
+        - KeyId: ru-token-default
+          LibraryPath: /usr/local/lib/librutokenecp.so
+          SlotId: "0x1"
+          Pin: "${PKCS11_PIN}"
+          PrivateKeyLabel: rootpack-signing
+          CertificateThumbprint: "<thumbprint>"
+    Diagnostics:
+      Providers:
+        Enabled: true
+        Metrics:
+          LogLevel: Information

etc/signals.yaml.sample

@@ -23,6 +23,7 @@ Signals:
   Mongo:
     ConnectionString: "mongodb://localhost:27017/signals"
     Database: "signals"
-    CallgraphsCollection: "callgraphs"
+    CallgraphsCollection: "callgraphs"
+    ReachabilityFactsCollection: "reachability_facts"
   Storage:
     RootPath: "../data/signals-artifacts"