Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.
This commit is contained in:
master
2025-11-08 20:53:45 +02:00
parent 515975edc5
commit 536f6249a6
837 changed files with 37279 additions and 14675 deletions


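--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,100 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using Microsoft.Extensions.Logging;
+using StellaOps.Policy.Engine.Domain;
+using StellaOps.Policy.Engine.Options;
+namespace StellaOps.Policy.Engine.Services;
+internal interface IPolicyActivationAuditor
+{
+void RecordActivation(
+string packId,
+int version,
+string actorId,
+string? tenantId,
+PolicyActivationResult result,
+string? comment);
+}
+internal sealed class PolicyActivationAuditor : IPolicyActivationAuditor
+{
+private const int CommentLimit = 512;
+private readonly PolicyEngineOptions options;
+private readonly ILogger<PolicyActivationAuditor> logger;
+public PolicyActivationAuditor(
+PolicyEngineOptions options,
+ILogger<PolicyActivationAuditor> logger)
+{
+this.options = options ?? throw new ArgumentNullException(nameof(options));
+this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
+}
+public void RecordActivation(
+string packId,
+int version,
+string actorId,
+string? tenantId,
+PolicyActivationResult result,
+string? comment)
+{
+if (!options.Activation.EmitAuditLogs)
+{
+return;
+}
+ArgumentNullException.ThrowIfNull(packId);
+ArgumentNullException.ThrowIfNull(actorId);
+ArgumentNullException.ThrowIfNull(result);
+var normalizedStatus = NormalizeStatus(result.Status);
+var scope = new Dictionary<string, object?>
+{
+["policy.pack_id"] = packId,
+["policy.revision"] = version,
+["policy.activation.status"] = normalizedStatus,
+["policy.activation.actor"] = actorId
+};
+if (!string.IsNullOrWhiteSpace(tenantId))
+{
+scope["policy.tenant"] = tenantId;
+}
+if (!string.IsNullOrWhiteSpace(comment))
+{
+scope["policy.activation.comment"] = Truncate(comment!, CommentLimit);
+}
+if (result.Revision is { } revision)
+{
+scope["policy.activation.requires_two_person"] = revision.RequiresTwoPersonApproval;
+scope["policy.activation.approval_count"] = revision.Approvals.Length;
+if (revision.Approvals.Length > 0)
+{
+scope["policy.activation.approvers"] = revision.Approvals
+.Select(static approval => approval.ActorId)
+.Where(static actor => !string.IsNullOrWhiteSpace(actor))
+.ToArray();
+}
+}
+using (logger.BeginScope(scope))
+{
+logger.LogInformation(
+"Policy activation {PackId}/{Revision} completed with status {Status}.",
+packId,
+version,
+normalizedStatus);
+}
+}
+private static string NormalizeStatus(PolicyActivationResultStatus status)
+=> status.ToString().ToLowerInvariant();
+private static string Truncate(string value, int maxLength)
+=> value.Length <= maxLength ? value : value[..maxLength];
+}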
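Review bot: In RecordActivation the argument checks at `ArgumentNullException.ThrowIfNull(packId)` and the two that follow run only when `options.Activation.EmitAuditLogs` is true, so a null argument is rejected in one deployment and silently accepted in another; move the three ThrowIfNull calls above the `EmitAuditLogs` guard so the method's contract does not depend on configuration. The `policy.activation.approval_count` scope value is `revision.Approvals.Length` while `policy.activation.approvers` drops approvals whose ActorId is blank, so the two fields of the emitted audit record can disagree; either count only the retained approvers or document the difference on the interface, e.g. `/// <remarks>approval_count counts every approval; approvers lists only those with a non-blank actor id.</remarks>`. The `!` in `Truncate(comment!, CommentLimit)` is redundant because `string.IsNullOrWhiteSpace` already narrows `comment` to non-null on that branch.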


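--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,34 @@
+using System;
+using StellaOps.Policy.Engine.Options;
+namespace StellaOps.Policy.Engine.Services;
+internal interface IPolicyActivationSettings
+{
+bool ResolveRequirement(bool? requested);
+}
+internal sealed class PolicyActivationSettings : IPolicyActivationSettings
+{
+private readonly PolicyEngineOptions options;
+public PolicyActivationSettings(PolicyEngineOptions options)
+{
+this.options = options ?? throw new ArgumentNullException(nameof(options));
+}
+public bool ResolveRequirement(bool? requested)
+{
+if (options.Activation.ForceTwoPersonApproval)
+{
+return true;
+}
+if (requested.HasValue)
+{
+return requested.Value;
+}
+return options.Activation.DefaultRequiresTwoPersonApproval;
+}
+}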
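Review bot: PolicyActivationSettings captures `PolicyEngineOptions` once in its constructor, whereas PolicyCompilationService in this same commit takes `IOptionsMonitor<PolicyEngineOptions>` and reads `CurrentValue` on every call, so a runtime change to `Activation.ForceTwoPersonApproval` can be picked up by the compilation limits but not by the two-person-approval requirement; consider the same `IOptionsMonitor` pattern here, or document that activation settings are fixed at startup. ResolveRequirement also lets an explicit `requested: false` override `DefaultRequiresTwoPersonApproval` whenever ForceTwoPersonApproval is off, which deserves an XML doc comment, e.g. `/// <summary>Resolves whether two-person approval is required: forced by configuration, otherwise the caller's explicit request, otherwise the configured default.</summary>`. The body reduces to a single expression, `return options.Activation.ForceTwoPersonApproval || (requested ?? options.Activation.DefaultRequiresTwoPersonApproval);`.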


@@ -1,6 +1,9 @@
using System.Collections.Immutable;
using StellaOps.Policy;
using StellaOps.Policy.Engine.Compilation;
using System;
using System.Collections.Immutable;
using Microsoft.Extensions.Options;
using StellaOps.Policy;
using StellaOps.Policy.Engine.Compilation;
using StellaOps.Policy.Engine.Options;
namespace StellaOps.Policy.Engine.Services;
@@ -8,14 +11,24 @@ namespace StellaOps.Policy.Engine.Services;
/// Provides deterministic compilation for <c>stella-dsl@1</c> policy documents and exposes
/// basic statistics consumed by API/CLI surfaces.
/// </summary>
internal sealed class PolicyCompilationService
{
private readonly PolicyCompiler compiler;
public PolicyCompilationService(PolicyCompiler compiler)
{
this.compiler = compiler ?? throw new ArgumentNullException(nameof(compiler));
}
internal sealed class PolicyCompilationService
{
private readonly PolicyCompiler compiler;
private readonly PolicyComplexityAnalyzer complexityAnalyzer;
private readonly IOptionsMonitor<PolicyEngineOptions> optionsMonitor;
private readonly TimeProvider timeProvider;
public PolicyCompilationService(
PolicyCompiler compiler,
PolicyComplexityAnalyzer complexityAnalyzer,
IOptionsMonitor<PolicyEngineOptions> optionsMonitor,
TimeProvider timeProvider)
{
this.compiler = compiler ?? throw new ArgumentNullException(nameof(compiler));
this.complexityAnalyzer = complexityAnalyzer ?? throw new ArgumentNullException(nameof(complexityAnalyzer));
this.optionsMonitor = optionsMonitor ?? throw new ArgumentNullException(nameof(optionsMonitor));
this.timeProvider = timeProvider ?? TimeProvider.System;
}
public PolicyCompilationResultDto Compile(PolicyCompileRequest request)
{
@@ -31,51 +44,96 @@ internal sealed class PolicyCompilationService
if (!string.Equals(request.Dsl.Syntax, "stella-dsl@1", StringComparison.Ordinal))
{
return PolicyCompilationResultDto.FromFailure(
ImmutableArray.Create(PolicyIssue.Error(
PolicyDslDiagnosticCodes.UnsupportedSyntaxVersion,
$"Unsupported syntax '{request.Dsl.Syntax ?? "null"}'. Expected 'stella-dsl@1'.",
"dsl.syntax")));
}
return PolicyCompilationResultDto.FromFailure(
ImmutableArray.Create(PolicyIssue.Error(
PolicyDslDiagnosticCodes.UnsupportedSyntaxVersion,
$"Unsupported syntax '{request.Dsl.Syntax ?? "null"}'. Expected 'stella-dsl@1'.",
"dsl.syntax")),
complexity: null,
durationMilliseconds: 0);
}
var result = compiler.Compile(request.Dsl.Source);
if (!result.Success || result.Document is null)
{
return PolicyCompilationResultDto.FromFailure(result.Diagnostics);
}
return PolicyCompilationResultDto.FromSuccess(result);
}
}
var start = timeProvider.GetTimestamp();
var result = compiler.Compile(request.Dsl.Source);
var elapsed = timeProvider.GetElapsedTime(start, timeProvider.GetTimestamp());
var durationMilliseconds = (long)Math.Ceiling(elapsed.TotalMilliseconds);
if (!result.Success || result.Document is null)
{
return PolicyCompilationResultDto.FromFailure(result.Diagnostics, null, durationMilliseconds);
}
var complexity = complexityAnalyzer.Analyze(result.Document);
var diagnostics = result.Diagnostics.IsDefault ? ImmutableArray<PolicyIssue>.Empty : result.Diagnostics;
var limits = optionsMonitor.CurrentValue?.Compilation ?? new PolicyEngineCompilationOptions();
if (limits.EnforceComplexity && complexity.Score > limits.MaxComplexityScore)
{
var diagnostic = PolicyIssue.Error(
PolicyEngineDiagnosticCodes.CompilationComplexityExceeded,
$"Policy complexity score {complexity.Score:F2} exceeds configured maximum {limits.MaxComplexityScore:F2}. Reduce rule count or expression depth.",
"$.rules");
diagnostics = AppendDiagnostic(diagnostics, diagnostic);
return PolicyCompilationResultDto.FromFailure(diagnostics, complexity, durationMilliseconds);
}
if (limits.EnforceDuration && durationMilliseconds > limits.MaxDurationMilliseconds)
{
var diagnostic = PolicyIssue.Error(
PolicyEngineDiagnosticCodes.CompilationComplexityExceeded,
$"Policy compilation time {durationMilliseconds} ms exceeded limit {limits.MaxDurationMilliseconds} ms.",
"$.dsl");
diagnostics = AppendDiagnostic(diagnostics, diagnostic);
return PolicyCompilationResultDto.FromFailure(diagnostics, complexity, durationMilliseconds);
}
return PolicyCompilationResultDto.FromSuccess(result, complexity, durationMilliseconds);
}
private static ImmutableArray<PolicyIssue> AppendDiagnostic(ImmutableArray<PolicyIssue> diagnostics, PolicyIssue diagnostic)
=> diagnostics.IsDefault
? ImmutableArray.Create(diagnostic)
: diagnostics.Add(diagnostic);
}
internal sealed record PolicyCompileRequest(PolicyDslPayload Dsl);
internal sealed record PolicyDslPayload(string Syntax, string Source);
internal sealed record PolicyCompilationResultDto(
bool Success,
string? Digest,
PolicyCompilationStatistics? Statistics,
ImmutableArray<PolicyIssue> Diagnostics)
{
public static PolicyCompilationResultDto FromFailure(ImmutableArray<PolicyIssue> diagnostics) =>
new(false, null, null, diagnostics);
public static PolicyCompilationResultDto FromSuccess(PolicyCompilationResult compilationResult)
{
if (compilationResult.Document is null)
{
throw new ArgumentException("Compilation result must include a document for success.", nameof(compilationResult));
}
var stats = PolicyCompilationStatistics.Create(compilationResult.Document);
return new PolicyCompilationResultDto(
true,
$"sha256:{compilationResult.Checksum}",
stats,
compilationResult.Diagnostics);
}
}
internal sealed record PolicyCompilationResultDto(
bool Success,
string? Digest,
PolicyCompilationStatistics? Statistics,
ImmutableArray<PolicyIssue> Diagnostics,
PolicyComplexityReport? Complexity,
long DurationMilliseconds)
{
public static PolicyCompilationResultDto FromFailure(
ImmutableArray<PolicyIssue> diagnostics,
PolicyComplexityReport? complexity,
long durationMilliseconds) =>
new(false, null, null, diagnostics, complexity, durationMilliseconds);
public static PolicyCompilationResultDto FromSuccess(
PolicyCompilationResult compilationResult,
PolicyComplexityReport complexity,
long durationMilliseconds)
{
if (compilationResult.Document is null)
{
throw new ArgumentException("Compilation result must include a document for success.", nameof(compilationResult));
}
var stats = PolicyCompilationStatistics.Create(compilationResult.Document);
return new PolicyCompilationResultDto(
true,
$"sha256:{compilationResult.Checksum}",
stats,
compilationResult.Diagnostics,
complexity,
durationMilliseconds);
}
}
internal sealed record PolicyCompilationStatistics(
int RuleCount,
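Review bot: The duration-limit failure in the branch under `limits.EnforceDuration` reports `PolicyEngineDiagnosticCodes.CompilationComplexityExceeded`, and the new PolicyEngineDiagnosticCodes file in this commit defines only that one code, so consumers cannot distinguish a complexity rejection from a timing rejection; add a separate code such as `CompilationDurationExceeded` and use it in that branch. Note also that `EnforceDuration` is evaluated only after `compiler.Compile(request.Dsl.Source)` has returned, so it rejects a slow policy after the fact rather than bounding how long compilation may run; if the intent is to cap resource use on policy sources the engine does not trust, the compiler call itself would need a timeout or cancellation. The Compile method's signature and opening lines are in the previous hunk, and this hunk ends inside the PolicyCompilationStatistics record.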


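--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,6 @@
+namespace StellaOps.Policy.Engine.Services;
+internal static class PolicyEngineDiagnosticCodes
+{
+public const string CompilationComplexityExceeded = "ERR_POL_COMPLEXITY";
+}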