Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.
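An added example, not code from this commit or the project it belongs to, showing the shape of the OpenVEX pair the bullets describe: one statement marking the reachable image `affected`, one marking the unreachable image `not_affected` with a justification, plus the two checks a consumer should run before honouring a statement (a `not_affected` claim must carry a `justification` or `impact_statement`, and a `justification` only makes sense with `not_affected`), and a minimal apply step that maps scanner findings to their effective status. The image PURLs, digests, author string and document id are constructed placeholders; the status and justification vocabularies are those of the OpenVEX 0.2.0 specification.

```python
"""Build, validate and apply OpenVEX statements for a reachable / unreachable
image pair. Added example; identifiers below are constructed, not from the commit."""
import json
from datetime import datetime, timezone

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed OCI PURLs (hypothetical digests) for the two image variants.
REACHABLE_IMG = "pkg:oci/wp-sqli-reachable@sha256%3A" + "11" * 32
UNREACHABLE_IMG = "pkg:oci/wp-sqli-unreachable@sha256%3A" + "22" * 32
CVE = "CVE-2022-21661"


def make_statement(vuln_id, product, status, justification=None,
                   impact_statement=None, action_statement=None):
    """One OpenVEX statement; optional fields are emitted only when set."""
    stmt = {
        "vulnerability": {"name": vuln_id},
        "products": [{"@id": product}],
        "status": status,
    }
    if justification:
        stmt["justification"] = justification
    if impact_statement:
        stmt["impact_statement"] = impact_statement
    if action_statement:
        stmt["action_statement"] = action_statement
    return stmt


def validate_statement(stmt):
    """Return a list of rule violations; an empty list means the statement is usable."""
    errors = []
    status = stmt.get("status")
    if status not in STATUSES:
        errors.append(f"unknown status {status!r}")
    just = stmt.get("justification")
    if just is not None and just not in JUSTIFICATIONS:
        errors.append(f"unknown justification {just!r}")
    # not_affected must be backed by a justification or an impact statement,
    # otherwise a consumer has no grounds to suppress the finding.
    if status == "not_affected" and not (just or stmt.get("impact_statement")):
        errors.append("not_affected without justification/impact_statement")
    # A justification only explains a not_affected verdict.
    if just and status != "not_affected":
        errors.append(f"justification given with status {status!r}")
    if not stmt.get("products"):
        errors.append("no products listed")
    return errors


def build_document(author, statements):
    """Wrap validated statements in an OpenVEX document; refuse invalid ones."""
    bad = {i: e for i, s in enumerate(statements) if (e := validate_statement(s))}
    if bad:
        raise ValueError(f"invalid statements: {bad}")
    return {
        "@context": OPENVEX_CONTEXT,
        "@id": f"https://example.invalid/vex/{CVE}-pair",  # constructed document id
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }


def example_document():
    """Same CVE and same package in both images; only the verdict differs."""
    return build_document("example evaluator harness (constructed author)", [
        make_statement(CVE, REACHABLE_IMG, "affected",
                       action_statement="Upgrade WordPress core to a fixed release."),
        make_statement(CVE, UNREACHABLE_IMG, "not_affected",
                       justification="vulnerable_code_not_in_execute_path",
                       impact_statement="Runtime traces show no call path to the sink."),
    ])


def apply_vex(findings, vex_doc):
    """Map (image, cve) scanner findings to their effective status; None = no statement."""
    index = {}
    for stmt in vex_doc["statements"]:
        for prod in stmt["products"]:
            index[(prod["@id"], stmt["vulnerability"]["name"])] = stmt["status"]
    return [(img, cve, index.get((img, cve))) for img, cve in findings]


# Constructed scanner output: both images carry the same package version, so a
# version-matching scanner flags both; the VEX statements tell them apart.
SAMPLE_FINDINGS = [(REACHABLE_IMG, CVE), (UNREACHABLE_IMG, CVE)]

if __name__ == "__main__":
    doc = example_document()
    print(json.dumps(doc, indent=2))
    for img, cve, status in apply_vex(SAMPLE_FINDINGS, doc):
        print(f"{cve} in {img.split('@')[0]}: {status or 'no VEX statement'}")
```

The apply step keys on the exact product PURL, so a statement written for one digest does not silently cover a rebuilt image; that is deliberate, since the whole point of the reachable/unreachable pair is that the verdict depends on the image, not on the package version.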
This commit is contained in:
master
2025-11-08 20:53:45 +02:00
parent 515975edc5
commit 536f6249a6
837 changed files with 37279 additions and 14675 deletions


@@ -68,7 +68,13 @@
| ID | Status | Owner(s) | Depends on | Notes |
|----|--------|----------|------------|-------|
| WEB-CONSOLE-23-001 `Global posture endpoints` | TODO | BE-Base Platform Guild, Product Analytics Guild | CONCELIER-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001, POLICY-CONSOLE-23-001, SBOM-CONSOLE-23-001, SCHED-CONSOLE-23-001 | Provide consolidated `/console/dashboard` and `/console/filters` APIs returning tenant-scoped aggregates (findings by severity, VEX override counts, advisory deltas, run health, policy change log). Enforce AOC labelling, deterministic ordering, and cursor-based pagination for drill-down hints. |
| WEB-CONSOLE-23-001 `Global posture endpoints` | TODO | BE-Base Platform Guild, Product Analytics Guild | CONCELIER-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001, POLICY-CONSOLE-23-001, SBOM-CONSOLE-23-001, SCHED-CONSOLE-23-001 | Provide consolidated `/console/dashboard` and `/console/filters` APIs returning tenant-scoped aggregates (findings by severity, VEX override counts, advisory deltas, run health, policy change log). Enforce AOC labelling, deterministic ordering, and cursor-based pagination for drill-down hints. |
| CONSOLE-VULN-29-001 `Vulnerability workspace` | DOING (2025-11-08) | Console Guild, BE-Base Platform Guild | WEB-CONSOLE-23-001, CONCELIER-GRAPH-21-001 | Build `/console/vuln/*` endpoints and filters surfacing tenant-scoped findings with policy/VEX badges, deterministic pagination, and a11y-friendly metadata so Docs can capture UI workflows. |
> 2025-11-08: Engaging filter/badge implementation plus `/console/vuln/search` DTOs now that Signals + Scheduler prerequisites exist; deliver payloads for DOCS-AIAI-31-004 screenshots.
> 2025-11-08: Drafted HTTP contract + samples in `docs/api/console/workspaces.md` so Docs/UI can exercise `GET /console/vuln/findings` before backend lands.
| CONSOLE-VEX-30-001 `VEX evidence workspace` | DOING (2025-11-08) | Console Guild, BE-Base Platform Guild | WEB-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001 | Provide `/console/vex/*` APIs streaming VEX statements, justification summaries, and advisory links with filter/sort options plus SSE hooks for background refresh. |
> 2025-11-08: Spiking SSE controller + `/console/vex/events` feed to keep Advisory AI console doc work unblocked and coordinate with Scheduler Signals dependencies.
> 2025-11-08: SSE contract + sample NDJSON (`docs/api/console/samples/vex-statement-sse.ndjson`) published; awaiting backend scaffolding to hook Scheduler streams.
| WEB-CONSOLE-23-002 `Live status & SSE proxy` | TODO | BE-Base Platform Guild, Scheduler Guild | SCHED-CONSOLE-23-001, DEVOPS-CONSOLE-23-001 | Expose `/console/status` polling endpoint and `/console/runs/{id}/stream` SSE/WebSocket proxy with heartbeat/backoff, queue lag metrics, and auth scope enforcement. Surface request IDs + retry headers. |
| WEB-CONSOLE-23-003 `Evidence export orchestrator` | TODO | BE-Base Platform Guild, Policy Guild | EXPORT-CONSOLE-23-001, POLICY-CONSOLE-23-001 | Add `/console/exports` POST/GET routes coordinating evidence bundle creation, streaming CSV/JSON exports, checksum manifest retrieval, and signed attestation references. Ensure requests honor tenant + policy scopes and expose job tracking metadata. |
| WEB-CONSOLE-23-004 `Global search router` | TODO | BE-Base Platform Guild | CONCELIER-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001, SBOM-CONSOLE-23-001 | Implement `/console/search` endpoint accepting CVE/GHSA/PURL/SBOM identifiers, performing fan-out queries with caching, ranking, and deterministic tie-breaking. Return typed results for Console navigation; respect result caps and latency SLOs. |
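Review bot: the `WEB-CONSOLE-23-001` row appears twice in this hunk as consecutive identical lines; drop one copy so the task is not listed twice on the board. The `> 2025-11-08:` notes inserted between rows also break the markdown table: a blockquote ends the table block, so `CONSOLE-VEX-30-001` and every row after it would render as plain text rather than under the header. Fold those notes into the Notes column of their own row, or move them below the table. Finally, none of the five bullets in the commit message mention this task-board change (`CONSOLE-VULN-29-001` and `CONSOLE-VEX-30-001` set to DOING); add a line so the change is traceable in an 837-file commit.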