up

Some checks failed
Build Test Deploy / docs (push) Has been cancelled
Build Test Deploy / deploy (push) Has been cancelled
Build Test Deploy / build-test (push) Has been cancelled
Build Test Deploy / authority-container (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
		| @@ -1,10 +1,11 @@ | ||||
| # TASKS | ||||
| | Task | Owner(s) | Depends on | Notes | | ||||
| |---|---|---|---| | ||||
| |FEEDCONN-CISCO-02-001 Confirm Cisco PSIRT data source|BE-Conn-Cisco|Research|**DOING** – 2025-10-11: Logged public PSIRT RSS and openVuln Security Advisories API docs; need to confirm API key workflow, pagination, throttling, and select primary ingestion path.| | ||||
| |FEEDCONN-CISCO-02-002 Fetch pipeline & state persistence|BE-Conn-Cisco|Source.Common, Storage.Mongo|**TODO** – Implement fetch job with cursor/backoff, persist raw documents, dedupe repeated advisories.| | ||||
| |FEEDCONN-CISCO-02-003 Parser & DTO implementation|BE-Conn-Cisco|Source.Common|**TODO** – Parse advisories, extract Cisco bug IDs, product families, version ranges, CVEs, references.| | ||||
| |FEEDCONN-CISCO-02-004 Canonical mapping & range primitives|BE-Conn-Cisco|Models|**TODO** – Map advisories into canonical records with aliases, references, range primitives (SemVer/IOS/ASA versions). Sync scheme decisions and deadlines via `../StellaOps.Feedser.Merge/RANGE_PRIMITIVES_COORDINATION.md`.| | ||||
| |FEEDCONN-CISCO-02-001 Confirm Cisco PSIRT data source|BE-Conn-Cisco|Research|**DONE (2025-10-11)** – Selected openVuln REST API (`https://apix.cisco.com/security/advisories/v2/…`) as primary (structured JSON, CSAF/CVRF links) with RSS as fallback. Documented OAuth2 client-credentials flow (`cloudsso.cisco.com/as/token.oauth2`), baseline quotas (5 req/s, 30 req/min, 5 000 req/day), and pagination contract (`pageIndex`, `pageSize≤100`) in `docs/feedser-connector-research-20251011.md`.| | ||||
| |FEEDCONN-CISCO-02-002 Fetch pipeline & state persistence|BE-Conn-Cisco|Source.Common, Storage.Mongo|**TODO** – Implement fetch job using shared OAuth token cache, honor `Retry-After` on 429, and persist raw advisory payloads + CSAF links. Cursor strategy: `lastUpdated` + advisory ID, with incremental filters (`/lastmodified/{YYYY-MM-DD}` or `/year/{YYYY}` + paging).| | ||||
| |FEEDCONN-CISCO-02-003 Parser & DTO implementation|BE-Conn-Cisco|Source.Common|**TODO** – Map openVuln JSON fields (`advisoryId`, `advisoryTitle`, `cves`, `bugIDs`, `sir`, `productNames`, `version`, `cvssBaseScore`, `publicationUrl`, `cvrfUrl`, `csafUrl`). Normalize severity (SIR→Feedser severity), expand product list into affected packages, ingest CSAF where present to derive range primitives.| | ||||
| |FEEDCONN-CISCO-02-004 Canonical mapping & range primitives|BE-Conn-Cisco|Models|**TODO** – Map advisories into canonical records with aliases, references, range primitives (SemVer/IOS/ASA versions). Sync scheme decisions and deadlines via `../StellaOps.Feedser.Merge/RANGE_PRIMITIVES_COORDINATION.md`.<br>2025-10-11 research trail: baseline array `[{"scheme":"semver","type":"range","min":"<min>","minInclusive":true,"max":"<max>","maxInclusive":false,"notes":"cisco:psirt:advisory-id"}]`; if IOS-specific comparer is required, capture sample payload and raise Models issue before introducing a new `scheme`.| | ||||
| |FEEDCONN-CISCO-02-005 Deterministic fixtures & tests|QA|Testing|**TODO** – Add fetch/parse/map regression tests; support `UPDATE_CISCO_FIXTURES=1`.| | ||||
| |FEEDCONN-CISCO-02-006 Telemetry & documentation|DevEx|Docs|**TODO** – Add logging/metrics, document connector usage, update backlog when ready.| | ||||
| |FEEDCONN-CISCO-02-007 API selection decision memo|BE-Conn-Cisco|Research|**TODO** – Produce recommendation on RSS vs openVuln (scope, auth, SLAs) and share with Merge/Storage for cursor alignment.| | ||||
| |FEEDCONN-CISCO-02-007 API selection decision memo|BE-Conn-Cisco|Research|**DONE (2025-10-11)** – Drafted decision matrix: openVuln (structured/delta filters, OAuth throttle) vs RSS (delayed/minimal metadata). Pending OAuth onboarding (`FEEDCONN-CISCO-02-008`) before final recommendation circulated.| | ||||
| |FEEDCONN-CISCO-02-008 OAuth client provisioning|Ops, BE-Conn-Cisco|Ops|**TODO** – Register openVuln application, capture client credential rotation steps, throttle limits, and Offline Kit secret distribution guidance.| | ||||
|   | ||||
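Review bot: The FEEDCONN-CISCO-02-007 row is marked **DONE** while its own text says the final recommendation is still pending OAuth onboarding (`FEEDCONN-CISCO-02-008`), even though the 02-001 row already records openVuln as the selected primary; either keep 02-007 open and blocked on 02-008, or reword it so the decision is recorded as final. The 02-002 row now relies on a shared OAuth token cache, but its "Depends on" column still lists only Source.Common and Storage.Mongo, so adding 02-008 there would make the blocker visible. The quotas recorded in 02-001 (5 req/s, 30 req/min, 5 000 req/day) mean the per-minute and per-day budgets are exhausted long before the per-second one, so 02-002 should call for a client-side limiter against those budgets rather than relying only on `Retry-After` after a 429. The 02-008 row covers rotation and secret distribution but not where the client secret and cached token must never land; it should name the raw persisted documents, logs, and fixtures regenerated with `UPDATE_CISCO_FIXTURES=1` as places to scrub or exclude them.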