feat(concelier): multi-sprint batch (mirror domain + advisory sources + durable runtime + credentials)

Bundled commit covering pre-session work from multiple Concelier sprints
already archived or in-flight:
- SPRINT_20260419_006: mirror domain / source key validation
- SPRINT_20260419_029 / 030: durable jobs orchestrator runtime + endpoint verification
- SPRINT_20260421_001: advisory source projection truthful counts
- SPRINT_20260421_002: FE advisory source consistency (connector-side bits)
- SPRINT_20260421_003: advisory connector runtime alignment
- SPRINT_20260422_003: source credential entry paths (in-flight)

Includes connector internals (ACSC / Adobe / CERT-BUND / Chromium / Cisco /
CVE-KEV / GHSA / JVN / KISA / MSRC / Oracle / Ubuntu), source management
endpoints, mirror domain management, federation endpoints, topology setup,
job registration, and associated dossier updates under
docs/modules/concelier/.

This commit groups ~229 file changes that accumulated across the above
sprints; individual changes are preserved at file granularity so blame
remains useful.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-04-22 16:05:53 +03:00
parent 99a5ae923a
commit 607ce619fe
247 changed files with 15404 additions and 1304 deletions


@@ -2,7 +2,18 @@
This index lists Concelier connectors, their status, authentication expectations, and links to operational runbooks. For procedures and alerting, see `docs/modules/concelier/operations/connectors/`.
The catalog currently contains **75 source definitions** across **14 categories**. The authoritative source list is defined in `src/Concelier/__Libraries/StellaOps.Concelier.Core/Sources/SourceDefinitions.cs`.
Operator configuration note:
- Supported advisory source credentials and endpoint overrides can now be supplied through the Web UI or `stella db connectors configure ...`.
- GHSA, Cisco, and Microsoft use operator-supplied credentials through that path.
- Oracle, Adobe, and Chromium use public defaults and only need UI or CLI input when you override or mirror the upstream endpoints.
- See [source-credentials.md](docs/modules/concelier/operations/source-credentials.md).
The catalog currently contains **78 source definitions** across **14 categories**. The authoritative source list is defined in `src/Concelier/__Libraries/StellaOps.Concelier.Core/Sources/SourceDefinitions.cs`.
Canonical runtime note: the operator-facing source IDs in this index are the only scheduler/catalog IDs that should be used for Concelier jobs and setup. Legacy connector aliases such as `ics-cisa`, `ics-kaspersky`, `ru-bdu`, `ru-nkcki`, `vndr-adobe`, `vndr-apple`, `vndr-chromium`, `vndr-cisco`, `vndr-oracle`, and `vndr.msrc` remain compatibility-only aliases inside normalization paths and must not appear as primary runtime job keys.
Runtime note: the Concelier advisory catalog and the Excititor default VEX mirror bootstrap share some upstream vendors but are not the same pipeline. The default public VEX bootstrap currently seeds only `redhat`, `ubuntu`, `oracle`, and `cisco`, uses their public CSAF/notice endpoints, and staggers initial runs (`5m`, `7m`, `9m`, `11m`) to avoid burst-fetching multiple upstreams at the same instant.
---
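Review bot: the headline count on the added line (`**78 source definitions**`) does not reconcile with the category table changes in this same patch: Vendor goes 14 -> 16 and Cert goes 13 -> 15 with no other row touched, which is +4 on the old total of 75, i.e. 79. Either a category row is over-counted or the headline should read 79; recompute from `SourceDefinitions.cs` before merging. Also, since the new operator configuration note now sits between the intro sentence and the re-added count line, consider keeping the count directly under the intro as before so the "currently contains" statement stays with its context.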
@@ -12,7 +23,7 @@ The catalog currently contains **75 source definitions** across **14 categories*
| --- | --- | --- |
| Primary | Core vulnerability databases (NVD, OSV, GHSA, CVE) | 4 |
| Threat | Threat intelligence, exploit prediction, and known-exploited (EPSS, KEV, MITRE ATT&CK, D3FEND) | 4 |
| Vendor | Vendor PSIRTs and cloud provider security bulletins | 14 |
| Vendor | Vendor PSIRTs and cloud provider security bulletins | 16 |
| Distribution | Linux distribution security trackers | 10 |
| Ecosystem | Language-ecosystem advisory feeds via OSV/GHSA | 9 |
| PackageManager | Native package manager advisory databases (cargo-audit, pip-audit, govulncheck, bundler-audit) | 4 |
@@ -21,7 +32,7 @@ The catalog currently contains **75 source definitions** across **14 categories*
| Container | Container image advisory sources | 2 |
| Hardware | Hardware and firmware PSIRT advisories | 3 |
| Ics | Industrial control systems and SCADA advisories | 2 |
| Cert | National CERTs and government CSIRTs | 13 |
| Cert | National CERTs and government CSIRTs | 15 |
| Mirror | StellaOps pre-aggregated mirrors | 1 |
| Other | Uncategorized sources | 0 |
@@ -52,11 +63,13 @@ MITRE ATT&CK provides adversary tactics and techniques in STIX format from the `
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
| --- | --- | --- | --- | --- | --- |
| Red Hat Security | `redhat` | stable | none | 30 | [redhat.md](docs/modules/concelier/operations/connectors/redhat.md) |
| Microsoft Security (MSRC) | `microsoft` | stable | none | 35 | [msrc.md](docs/modules/concelier/operations/connectors/msrc.md) |
| Microsoft Security (MSRC) | `microsoft` | stable | oauth | 35 | [msrc.md](docs/modules/concelier/operations/connectors/msrc.md) |
| Amazon Linux Security | `amazon` | stable | none | 40 | -- |
| Google Security | `google` | stable | none | 45 | -- |
| Oracle Security | `oracle` | stable | none | 50 | [oracle.md](docs/modules/concelier/operations/connectors/oracle.md) |
| Adobe Security | `adobe` | stable | none | 52 | [adobe.md](docs/modules/concelier/operations/connectors/adobe.md) |
| Apple Security | `apple` | stable | none | 55 | [apple.md](docs/modules/concelier/operations/connectors/apple.md) |
| Chromium Stable Channel Updates | `chromium` | stable | none | 57 | [chromium.md](docs/modules/concelier/operations/connectors/chromium.md) |
| Cisco Security | `cisco` | stable | oauth | 60 | [cisco.md](docs/modules/concelier/operations/connectors/cisco.md) |
| Fortinet PSIRT | `fortinet` | stable | none | 65 | -- |
| Juniper Security | `juniper` | stable | none | 70 | -- |
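Review bot: the MSRC row flips Auth from `none` to `oauth` but the `msrc.md` runbook link is unchanged; confirm the runbook now documents the operator-supplied credential path referenced by the new source-credentials note (which names Microsoft among the sources that need credentials), otherwise an operator following the runbook configures the connector without the credential it now requires. The two new rows (`adobe` at 52, `chromium` at 57) are consistent with Vendor moving to 16 in the category table.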
@@ -68,6 +81,11 @@ MITRE ATT&CK provides adversary tactics and techniques in STIX format from the `
AWS, Azure, and GCP cloud provider advisories were added in Sprint 007. They track platform-level security bulletins for cloud infrastructure components and are categorized under `Vendor` alongside traditional PSIRTs.
Mirror bootstrap note:
- `oracle` default VEX bootstrap discovery uses Oracle's public security RSS feed and derived `*csaf.json` documents.
- `cisco` default VEX bootstrap uses Cisco's public CSAF provider metadata and does not require the OAuth credentials used by the Concelier openVuln connector.
- If Cisco's public paged catalog is unavailable, the bootstrap falls back to `changes.csv` and then `index.txt`, prefers newer candidates first, and checkpoints seen or permanently inaccessible legacy paths so hourly runs do not re-download or stall on the full historical corpus.
## Linux Distributions
| Connector | Source ID | Status | Auth | Priority | Regions | Ops Runbook |
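Review bot: the three bullets describe Excititor VEX bootstrap behaviour, yet the heading "Mirror bootstrap note:" does not say so, even though this same patch states earlier that the Concelier catalog and the Excititor VEX mirror bootstrap are separate pipelines. Label it (for instance `Excititor mirror bootstrap note:`) so a reader of the Concelier connector index does not take the `changes.csv` / `index.txt` fallback and checkpointing as behaviour of the Concelier `cisco` connector. The third bullet also packs fallback order, candidate ordering, checkpointing and the rationale into one sentence; splitting it into two would read more clearly.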
@@ -83,6 +101,9 @@ AWS, Azure, and GCP cloud provider advisories were added in Sprint 007. They tra
| Gentoo Security | `gentoo` | stable | none | 46 | -- | -- |
| Astra Linux Security | `astra` | stable | none | 48 | RU, CIS | [astra.md](docs/modules/concelier/operations/connectors/astra.md) |
Mirror bootstrap note:
- `ubuntu` default VEX bootstrap reads `https://ubuntu.com/security/notices.json` and synthesizes deterministic CSAF documents from the per-notice JSON payloads because Canonical's public path is notice JSON rather than native CSAF.
## Language Ecosystems
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
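Review bot: the bullet says deterministic CSAF documents are synthesized from Canonical's notice JSON but not whether consumers can tell these derived documents from native vendor-published CSAF; state how the synthesized documents are marked (or that they are not). As with the vendor-section note, name Excititor in the heading, since this is bootstrap behaviour rather than the Concelier `ubuntu` connector.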
@@ -166,15 +187,17 @@ Industrial control systems advisories cover SCADA and operational technology vul
| CERT.be (Belgium) | `cert-be` | stable | none | 86 | BE, EU | -- |
| NCSC-CH (Switzerland) | `cert-ch` | stable | none | 88 | CH | -- |
| CERT-EU | `cert-eu` | stable | none | 90 | EU | -- |
| CCCS (Canada) | `cccs` | stable | none | 91 | CA, NA | [cccs.md](docs/modules/concelier/operations/connectors/cccs.md) |
| JPCERT/CC (Japan) | `jpcert` | stable | none | 92 | JP, APAC | [jvn.md](docs/modules/concelier/operations/connectors/jvn.md) |
| CISA (US-CERT) | `us-cert` | stable | none | 94 | US, NA | [cert-cc.md](docs/modules/concelier/operations/connectors/cert-cc.md) |
| CERT/CC | `cert-cc` | stable | none | 93 | US, NA | [cert-cc.md](docs/modules/concelier/operations/connectors/cert-cc.md) |
| CISA (US-CERT) | `us-cert` | stable | none | 94 | US, NA | [ics-cisa.md](docs/modules/concelier/operations/connectors/ics-cisa.md) |
| CERT-UA (Ukraine) | `cert-ua` | stable | none | 95 | UA | -- |
| CERT.PL (Poland) | `cert-pl` | stable | none | 96 | PL, EU | -- |
| AusCERT (Australia) | `auscert` | stable | none | 97 | AU, APAC | -- |
| KrCERT/CC (South Korea) | `krcert` | stable | none | 98 | KR, APAC | -- |
| KrCERT/CC (South Korea) | `krcert` | stable | none | 98 | KR, APAC | [kisa.md](docs/modules/concelier/operations/connectors/kisa.md) |
| CERT-In (India) | `cert-in` | stable | none | 99 | IN, APAC | [cert-in.md](docs/modules/concelier/operations/connectors/cert-in.md) |
Five additional CERTs were added in Sprint 007: CERT-UA, CERT.PL, AusCERT, KrCERT/CC, and CERT-In, extending coverage to Eastern Europe, Oceania, and South/East Asia.
Seven additional CERTs beyond the original European/Japanese set are now defined in the catalog: CCCS (Canada), CERT/CC, CERT-UA, CERT.PL, AusCERT, KrCERT/CC, and CERT-In, extending coverage to North America, Eastern Europe, Oceania, and South/East Asia.
## Russian/CIS Sources
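Review bot: the `us-cert` row's runbook link changes from cert-cc.md to ics-cisa.md while the canonical runtime note in this same patch lists `ics-cisa` among the compatibility-only aliases that must not appear as primary job keys; a runbook named after a legacy alias is easy to misread, so either point `us-cert` at a runbook named for the canonical ID or have ics-cisa.md state up front that it covers the `us-cert` source. The row move itself is correct (`cert-cc` at priority 93 now precedes 94), and the seven names in the rewritten summary sentence match the seven non-original CERT rows in the table.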