Add inline DSSE provenance documentation and Mongo schema

- Introduced a new document outlining the inline DSSE provenance for SBOM, VEX, scan, and derived events.
- Defined the Mongo schema for event patches, including key fields for provenance and trust verification.
- Documented the write path for ingesting provenance metadata and backfilling historical events.
- Created CI/CD snippets for uploading DSSE attestations and generating provenance metadata.
- Established Mongo indexes for efficient provenance queries and provided query recipes for various use cases.
- Outlined policy gates for managing VEX decisions based on provenance verification.
- Included UI nudges for displaying provenance information and implementation tasks for future enhancements.

---

Implement reachability lattice and scoring model

- Developed a comprehensive document detailing the reachability lattice and scoring model.
- Defined core types for reachability states, evidence, and mitigations with corresponding C# models.
- Established a scoring policy with base score contributions from various evidence classes.
- Mapped reachability states to VEX gates and provided a clear overview of evidence sources.
- Documented the event graph schema for persisting reachability data in MongoDB.
- Outlined the integration of runtime probes for evidence collection and defined a roadmap for future tasks.

---

Introduce uncertainty states and entropy scoring

- Created a draft document for tracking uncertainty states and their impact on risk scoring.
- Defined core uncertainty states with associated entropy values and evidence requirements.
- Established a schema for storing uncertainty states alongside findings.
- Documented the risk score calculation incorporating uncertainty and its effect on final risk assessments.
- Provided policy guidelines for handling uncertainty in decision-making processes.
- Outlined UI guidelines for displaying uncertainty information and suggested remediation actions.

---

Add Ruby package inventory management

- Implemented Ruby package inventory management with corresponding data models and storage mechanisms.
- Created C# records for Ruby package inventory, artifacts, provenance, and runtime details.
- Developed a repository for managing Ruby package inventory documents in MongoDB.
- Implemented a service for storing and retrieving Ruby package inventories.
- Added unit tests for the Ruby package inventory store to ensure functionality and data integrity.
This commit is contained in: master
2025-11-13 00:20:33 +02:00
parent 86be324fc0
commit 7040984215
41 changed files with 1955 additions and 76 deletions

@@ -6888,14 +6888,23 @@ internal static class CommandHandlers
logger.LogInformation("Resolving Ruby packages for scan {ScanId}.", identifier);
activity?.SetTag("stellaops.cli.scan_id", identifier);
var packages = await client.GetRubyPackagesAsync(identifier, cancellationToken).ConfigureAwait(false);
var report = RubyResolveReport.Create(identifier, packages);
var inventory = await client.GetRubyPackagesAsync(identifier, cancellationToken).ConfigureAwait(false);
if (inventory is null)
{
outcome = "empty";
Environment.ExitCode = 0;
AnsiConsole.MarkupLine("[yellow]Ruby package inventory is not available for scan {0}.[/]", Markup.Escape(identifier));
return;
}
var report = RubyResolveReport.Create(inventory);
if (!report.HasPackages)
{
outcome = "empty";
Environment.ExitCode = 0;
AnsiConsole.MarkupLine("[yellow]No Ruby packages found for scan {0}.[/]", Markup.Escape(identifier));
var displayScanId = string.IsNullOrWhiteSpace(report.ScanId) ? identifier : report.ScanId;
AnsiConsole.MarkupLine("[yellow]No Ruby packages found for scan {0}.[/]", Markup.Escape(displayScanId));
return;
}
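Review bot: the new `inventory is null` branch and the existing `!report.HasPackages` branch both set `outcome = "empty"` and `Environment.ExitCode = 0`, yet they report different conditions to the user ("inventory is not available" versus "No Ruby packages found"). An inventory that was never produced for the scan is not the same as a scan that produced an empty inventory, and collapsing both into `"empty"` hides that distinction from whatever consumes `outcome` (logging, the activity tag, metrics). Suggest a separate outcome value for the null case, e.g. `outcome = "unavailable";`, and consider whether exit code 0 is right when the server has no inventory at all for the requested scan.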
@@ -7225,6 +7234,12 @@ internal static class CommandHandlers
[JsonPropertyName("scanId")]
public string ScanId { get; }
[JsonPropertyName("imageDigest")]
public string ImageDigest { get; }
[JsonPropertyName("generatedAt")]
public DateTimeOffset GeneratedAt { get; }
[JsonPropertyName("groups")]
public IReadOnlyList<RubyResolveGroup> Groups { get; }
@@ -7234,15 +7249,17 @@ internal static class CommandHandlers
[JsonIgnore]
public int TotalPackages => Groups.Sum(static group => group.Packages.Count);
private RubyResolveReport(string scanId, IReadOnlyList<RubyResolveGroup> groups)
private RubyResolveReport(string scanId, string imageDigest, DateTimeOffset generatedAt, IReadOnlyList<RubyResolveGroup> groups)
{
ScanId = scanId;
ImageDigest = imageDigest;
GeneratedAt = generatedAt;
Groups = groups;
}
public static RubyResolveReport Create(string scanId, IReadOnlyList<RubyPackageArtifactModel>? packages)
public static RubyResolveReport Create(RubyPackageInventoryModel inventory)
{
var resolved = (packages ?? Array.Empty<RubyPackageArtifactModel>())
var resolved = (inventory.Packages ?? Array.Empty<RubyPackageArtifactModel>())
.Select(RubyResolvePackage.FromModel)
.ToArray();
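Review bot: `Create(RubyPackageInventoryModel inventory)` dereferences `inventory.Packages` without checking `inventory` for null, so a null argument surfaces as a `NullReferenceException` from inside the report builder rather than as a clear argument error. The command handler happens to guard against null before calling it, but `Create` is a public static factory and should not rely on that. Add `ArgumentNullException.ThrowIfNull(inventory);` as the first statement of the method; the existing `inventory.Packages ?? Array.Empty<RubyPackageArtifactModel>()` fallback then only needs to cover a null package list, which is the case it was written for.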
@@ -7272,7 +7289,9 @@ internal static class CommandHandlers
.ToArray()))
.ToArray();
return new RubyResolveReport(scanId, grouped);
var normalizedScanId = inventory.ScanId ?? string.Empty;
var normalizedDigest = inventory.ImageDigest ?? string.Empty;
return new RubyResolveReport(normalizedScanId, normalizedDigest, inventory.GeneratedAt, grouped);
}
}
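Review bot: by switching from `Create(scanId, packages)` to `Create(inventory)`, the report's `ScanId` now comes solely from the server-returned `inventory.ScanId`, normalized to `string.Empty` when absent; the identifier the user actually asked for is no longer visible to `Create`. The caller papers over the empty case with `displayScanId`, but a mismatch (server returns an inventory for a different scan than requested) is silently accepted and reported under the server's id. Suggest keeping the requested identifier as a parameter, e.g. `Create(string requestedScanId, RubyPackageInventoryModel inventory)`, and either falling back to it when `inventory.ScanId` is null or whitespace, or rejecting the inventory when the two disagree, so the report cannot claim a scan id other than the one the user supplied.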