stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(concelier): multi-sprint batch (mirror domain + advisory sources + durable runtime + credentials)

Browse Source 
Bundled commit covering pre-session work from multiple Concelier sprints
already archived or in-flight:
- SPRINT_20260419_006: mirror domain / source key validation
- SPRINT_20260419_029 / 030: durable jobs orchestrator runtime + endpoint verification
- SPRINT_20260421_001: advisory source projection truthful counts
- SPRINT_20260421_002: FE advisory source consistency (connector-side bits)
- SPRINT_20260421_003: advisory connector runtime alignment
- SPRINT_20260422_003: source credential entry paths (in-flight)

Includes connector internals (ACSC / Adobe / CERT-BUND / Chromium / Cisco /
CVE-KEV / GHSA / JVN / KISA / MSRC / Oracle / Ubuntu), source management
endpoints, mirror domain management, federation endpoints, topology setup,
job registration, and associated dossier updates under
docs/modules/concelier/.

This commit groups ~229 file changes that accumulated across the above
sprints; individual changes are preserved at file granularity so blame
remains useful.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-04-22 16:05:53 +03:00
parent 99a5ae923a
commit 607ce619fe
247 changed files with 15404 additions and 1304 deletions
Download Patch File Download Diff File Expand all files Collapse all files

135
docs/modules/concelier/operations/source-credentials.md Normal file
View File

@@ -0,0 +1,135 @@
# Advisory Source Credential Entry
_Last updated: 2026-04-22_
## 1. Purpose
Stella Ops now supports operator-supplied advisory source settings through the product surfaces that operators already use:
- Web UI source management
- `stella db connectors configure ...` in the CLI
Environment variables and host-local `concelier.yaml` values remain compatibility fallbacks for older deployments, but the primary operator path for supported advisory sources is now persisted source configuration owned by Concelier itself.
## 2. Operator entry paths
### Web UI
Use either of these routes:
- **Security Posture -> Configure Sources**
- **Ops -> Operations -> Feeds & Airgap -> Configure Sources**
Then:
1. Expand the source card.
2. Open **Stored Connector Configuration**.
3. Enter or update the source fields.
4. Save the configuration.
Sensitive fields never round-trip back to the browser. A stored secret is shown only as retained state. Leaving a password field blank keeps the retained secret. Explicitly checking the clear control removes the stored secret.
### CLI
Inspect current persisted source configuration:
```bash
stella db connectors configure ghsa --server https://concelier.example.internal
stella db connectors configure cisco --server https://concelier.example.internal
```
Update a source:
```bash
stella db connectors configure ghsa \
--server https://concelier.example.internal \
--set apiToken=github_pat_xxx
stella db connectors configure cisco \
--server https://concelier.example.internal \
--set clientId=... \
--set clientSecret=...
stella db connectors configure microsoft \
--server https://concelier.example.internal \
--set tenantId=... \
--set clientId=... \
--set clientSecret=...
stella db connectors configure oracle \
--server https://concelier.example.internal \
--set calendarUris=https://www.oracle.com/security-alerts/,https://mirror.example.internal/oracle/
stella db connectors configure adobe \
--server https://concelier.example.internal \
--set indexUri=https://mirror.example.internal/adobe/security-bulletin.html \
--set additionalIndexUris=https://mirror.example.internal/adobe/archive-1.html;https://mirror.example.internal/adobe/archive-2.html
stella db connectors configure chromium \
--server https://concelier.example.internal \
--set feedUri=https://mirror.example.internal/chromium/atom.xml
```
Clear stored fields:
```bash
stella db connectors configure ghsa \
--server https://concelier.example.internal \
--clear apiToken
```
Notes:
- `--set` accepts `key=value`.
- Multi-value URI fields such as `calendarUris`, `advisoryUris`, and `additionalIndexUris` accept comma-, semicolon-, or newline-separated absolute URIs.
- The current CLI path places literal values on the command line. If shell-history exposure is unacceptable for a secret, prefer the Web UI path or use an operator-approved secure shell/history procedure.
## 3. Credential acquisition matrix
| Source | Where to sign in or look | What to create or capture | Can the config be skipped? | Entitlement / paywall notes |
| --- | --- | --- | --- | --- |
| `ghsa` | `https://github.com/settings/personal-access-tokens` or a GitHub App owned by your org | `apiToken` | Not for the current StellaOps GHSA connector path. The upstream API can expose public reviewed advisories anonymously, but the current StellaOps connector still expects a token. | No separate GHSA paywall. GitHub org PAT policy or SAML SSO may require approval or token authorization. |
| `cisco` | `https://apiconsole.cisco.com` -> **My Apps & Keys** | `clientId`, `clientSecret` for a Service / Client Credentials app bound to Cisco PSIRT openVuln API | Not for the authenticated Concelier Cisco advisory connector. | No separate StellaOps-side fee, but a Cisco.com account, terms acceptance, and visible openVuln entitlement are required. This is separate from the public Cisco CSAF VEX bootstrap, which stays credential-free. |
| `microsoft` | `https://entra.microsoft.com` -> **App registrations** | `tenantId`, `clientId`, `clientSecret` for a confidential client allowed to use MSRC client credentials | Not for the MSRC advisory connector. | No separate documented MSRC paywall, but you need a Microsoft Entra tenant plus permission to register the app and grant the required consent. |
| `oracle` | Public Oracle security pages | Usually nothing. Optionally capture mirrored `calendarUris` or pinned `advisoryUris`. | Yes, if the default Oracle security alerts landing page is acceptable. Configure it only when pinning or mirroring. | Public, no login or paywall required for the default path. |
| `adobe` | Public Adobe bulletin index | Usually nothing. Optionally capture a mirrored `indexUri` and `additionalIndexUris`. | Yes, for the default public Adobe index. Configure it only when overriding or mirroring the public endpoints. | Public, no login or paywall required for the default path. |
| `chromium` | Public Chrome Releases Atom feed | Usually nothing. Optionally capture a mirrored `feedUri`. | Yes, for the default public Chromium feed. Configure it only when overriding or mirroring the public endpoint. | Public, no login or paywall required for the default path. |
## 4. What operators should actually look for
### GHSA
- Personal access token page or org-owned GitHub App credentials
- If the organization enforces SAML SSO or PAT approval, make sure the token is authorized for the target org after creation
- The StellaOps field name is `apiToken`
### Cisco
- Cisco API Console entry for **Cisco PSIRT openVuln API**
- Application type: `Service`
- Grant type: `Client Credentials`
- Capture the generated `clientId` and `clientSecret`
### Microsoft / MSRC
- Microsoft Entra **Application (client) ID**
- Microsoft Entra **Directory (tenant) ID**
- A newly created **Client secret** value
- Confirm admin consent and the app permissions expected by your MSRC onboarding process before storing the values in StellaOps
### Oracle / Adobe / Chromium
- No credential creation is required
- Only collect alternate URIs if you are pointing Concelier at an approved internal mirror or pinning a specific public advisory page
## 5. References
- GitHub PAT management: <https://docs.github.com/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token>
- GitHub global security advisories REST API: <https://docs.github.com/en/enterprise-cloud@latest/rest/security-advisories/global-advisories>
- GitHub SSO authorization for PATs: <https://docs.github.com/articles/authorizing-a-personal-access-token-for-use-with-a-saml-single-sign-on-organization>
- Cisco PSIRT openVuln authentication: <https://developer.cisco.com/docs/psirt/authentication/>
- Microsoft Entra app registration quickstart: <https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app>
- Microsoft Entra application credentials: <https://learn.microsoft.com/en-us/entra/identity-platform/how-to-add-credentials>
- Adobe bulletin index: <https://helpx.adobe.com/security/security-bulletin.html>
- Oracle security alerts: <https://www.oracle.com/security-alerts/>
- Chrome Releases Atom feed: <https://chromereleases.googleblog.com/atom.xml>