Add inline DSSE provenance documentation and Mongo schema

- Introduced a new document outlining the inline DSSE provenance for SBOM, VEX, scan, and derived events.
- Defined the Mongo schema for event patches, including key fields for provenance and trust verification.
- Documented the write path for ingesting provenance metadata and backfilling historical events.
- Created CI/CD snippets for uploading DSSE attestations and generating provenance metadata.
- Established Mongo indexes for efficient provenance queries and provided query recipes for various use cases.
- Outlined policy gates for managing VEX decisions based on provenance verification.
- Included UI nudges for displaying provenance information and implementation tasks for future enhancements.

---

Implement reachability lattice and scoring model

- Developed a comprehensive document detailing the reachability lattice and scoring model.
- Defined core types for reachability states, evidence, and mitigations with corresponding C# models.
- Established a scoring policy with base score contributions from various evidence classes.
- Mapped reachability states to VEX gates and provided a clear overview of evidence sources.
- Documented the event graph schema for persisting reachability data in MongoDB.
- Outlined the integration of runtime probes for evidence collection and defined a roadmap for future tasks.

---

Introduce uncertainty states and entropy scoring

- Created a draft document for tracking uncertainty states and their impact on risk scoring.
- Defined core uncertainty states with associated entropy values and evidence requirements.
- Established a schema for storing uncertainty states alongside findings.
- Documented the risk score calculation incorporating uncertainty and its effect on final risk assessments.
- Provided policy guidelines for handling uncertainty in decision-making processes.
- Outlined UI guidelines for displaying uncertainty information and suggested remediation actions.

---

Add Ruby package inventory management

- Implemented Ruby package inventory management with corresponding data models and storage mechanisms.
- Created C# records for Ruby package inventory, artifacts, provenance, and runtime details.
- Developed a repository for managing Ruby package inventory documents in MongoDB.
- Implemented a service for storing and retrieving Ruby package inventories.
- Added unit tests for the Ruby package inventory store to ensure functionality and data integrity.

src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/RubyPackageInventoryBuilder.cs

@@ -0,0 +1,112 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using StellaOps.Scanner.Analyzers.Lang;
+using StellaOps.Scanner.Core.Contracts;
+
+namespace StellaOps.Scanner.Worker.Processing.Surface;
+
+internal static class RubyPackageInventoryBuilder
+{
+    private const string AnalyzerId = "ruby";
+
+    public static IReadOnlyList<RubyPackageArtifact> Build(LanguageAnalyzerResult result)
+    {
+        ArgumentNullException.ThrowIfNull(result);
+
+        var artifacts = new List<RubyPackageArtifact>();
+        foreach (var component in result.Components)
+        {
+            if (!component.AnalyzerId.Equals(AnalyzerId, StringComparison.OrdinalIgnoreCase))
+            {
+                continue;
+            }
+
+            if (!string.Equals(component.Type, "gem", StringComparison.OrdinalIgnoreCase))
+            {
+                continue;
+            }
+
+            var metadata = component.Metadata ?? new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase);
+            var metadataCopy = new Dictionary<string, string?>(metadata, StringComparer.OrdinalIgnoreCase);
+
+            var groups = SplitList(metadataCopy, "groups");
+            var entrypoints = SplitList(metadataCopy, "runtime.entrypoints");
+            var runtimeFiles = SplitList(metadataCopy, "runtime.files");
+            var runtimeReasons = SplitList(metadataCopy, "runtime.reasons");
+
+            var declaredOnly = TryParseBool(metadataCopy, "declaredOnly");
+            var runtimeUsed = TryParseBool(metadataCopy, "runtime.used") ?? component.UsedByEntrypoint;
+            var source = GetString(metadataCopy, "source");
+            var platform = GetString(metadataCopy, "platform");
+            var lockfile = GetString(metadataCopy, "lockfile");
+            var artifactLocator = GetString(metadataCopy, "artifact");
+
+            var provenance = (source is not null || lockfile is not null || artifactLocator is not null)
+                ? new RubyPackageProvenance(source, lockfile, artifactLocator ?? lockfile)
+                : null;
+
+            RubyPackageRuntime? runtime = null;
+            if (entrypoints is { Count: > 0 } || runtimeFiles is { Count: > 0 } || runtimeReasons is { Count: > 0 })
+            {
+                runtime = new RubyPackageRuntime(entrypoints, runtimeFiles, runtimeReasons);
+            }
+
+            artifacts.Add(new RubyPackageArtifact(
+                component.ComponentKey,
+                component.Name,
+                component.Version,
+                source,
+                platform,
+                groups,
+                declaredOnly,
+                runtimeUsed,
+                provenance,
+                runtime,
+                metadataCopy));
+        }
+
+        return artifacts;
+    }
+
+    private static IReadOnlyList<string>? SplitList(IReadOnlyDictionary<string, string?> metadata, string key)
+    {
+        if (!metadata.TryGetValue(key, out var raw) || string.IsNullOrWhiteSpace(raw))
+        {
+            return Array.Empty<string>();
+        }
+
+        var values = raw
+            .Split(';', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
+            .Where(static value => !string.IsNullOrWhiteSpace(value))
+            .Distinct(StringComparer.OrdinalIgnoreCase)
+            .ToArray();
+
+        return values.Length == 0 ? Array.Empty<string>() : values;
+    }
+
+    private static bool? TryParseBool(IReadOnlyDictionary<string, string?> metadata, string key)
+    {
+        if (!metadata.TryGetValue(key, out var value) || string.IsNullOrWhiteSpace(value))
+        {
+            return null;
+        }
+
+        if (bool.TryParse(value, out var parsed))
+        {
+            return parsed;
+        }
+
+        return null;
+    }
+
+    private static string? GetString(IReadOnlyDictionary<string, string?> metadata, string key)
+    {
+        if (!metadata.TryGetValue(key, out var value) || string.IsNullOrWhiteSpace(value))
+        {
+            return null;
+        }
+
+        return value.Trim();
+    }
+}

src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/SurfaceManifestStageExecutor.cs

@@ -1,5 +1,6 @@
 using System.Collections.Generic;
 using System.Collections.Immutable;
+using System.Collections.ObjectModel;
 using System.Diagnostics;
 using System.Globalization;
 using System.Reflection;
@@ -7,6 +8,7 @@ using System.Text;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 using Microsoft.Extensions.Logging;
+using StellaOps.Scanner.Analyzers.Lang;
 using StellaOps.Scanner.Core.Contracts;
 using StellaOps.Scanner.EntryTrace;
 using StellaOps.Scanner.EntryTrace.Serialization;
@@ -38,6 +40,7 @@ internal sealed class SurfaceManifestStageExecutor : IScanStageExecutor
     private readonly ScannerWorkerMetrics _metrics;
     private readonly ILogger<SurfaceManifestStageExecutor> _logger;
     private readonly ICryptoHash _hash;
+    private readonly IRubyPackageInventoryStore _rubyPackageStore;
     private readonly string _componentVersion;
 
     public SurfaceManifestStageExecutor(
@@ -46,7 +49,8 @@ internal sealed class SurfaceManifestStageExecutor : IScanStageExecutor
         ISurfaceEnvironment surfaceEnvironment,
         ScannerWorkerMetrics metrics,
         ILogger<SurfaceManifestStageExecutor> logger,
-        ICryptoHash hash)
+        ICryptoHash hash,
+        IRubyPackageInventoryStore rubyPackageStore)
     {
         _publisher = publisher ?? throw new ArgumentNullException(nameof(publisher));
         _surfaceCache = surfaceCache ?? throw new ArgumentNullException(nameof(surfaceCache));
@@ -54,6 +58,7 @@ internal sealed class SurfaceManifestStageExecutor : IScanStageExecutor
         _metrics = metrics ?? throw new ArgumentNullException(nameof(metrics));
         _logger = logger ?? throw new ArgumentNullException(nameof(logger));
         _hash = hash ?? throw new ArgumentNullException(nameof(hash));
+        _rubyPackageStore = rubyPackageStore ?? throw new ArgumentNullException(nameof(rubyPackageStore));
         _componentVersion = Assembly.GetExecutingAssembly().GetName().Version?.ToString() ?? "unknown";
     }
 
@@ -64,6 +69,7 @@ internal sealed class SurfaceManifestStageExecutor : IScanStageExecutor
         ArgumentNullException.ThrowIfNull(context);
 
         var payloads = CollectPayloads(context);
+        await PersistRubyPackagesAsync(context, cancellationToken).ConfigureAwait(false);
         if (payloads.Count == 0)
         {
             _metrics.RecordSurfaceManifestSkipped(context);
@@ -182,6 +188,33 @@ internal sealed class SurfaceManifestStageExecutor : IScanStageExecutor
         return payloads;
     }
 
+    private async Task PersistRubyPackagesAsync(ScanJobContext context, CancellationToken cancellationToken)
+    {
+        if (!context.Analysis.TryGet<ReadOnlyDictionary<string, LanguageAnalyzerResult>>(ScanAnalysisKeys.LanguageAnalyzerResults, out var results))
+        {
+            return;
+        }
+
+        if (!results.TryGetValue("ruby", out var rubyResult) || rubyResult is null)
+        {
+            return;
+        }
+
+        var packages = RubyPackageInventoryBuilder.Build(rubyResult);
+        if (packages.Count == 0)
+        {
+            return;
+        }
+
+        var inventory = new RubyPackageInventory(
+            context.ScanId,
+            ResolveImageDigest(context),
+            context.TimeProvider.GetUtcNow(),
+            packages);
+
+        await _rubyPackageStore.StoreAsync(inventory, cancellationToken).ConfigureAwait(false);
+    }
+
     private async Task PersistPayloadsToSurfaceCacheAsync(
         ScanJobContext context,
         string tenant,

src/Scanner/StellaOps.Scanner.Worker/Program.cs

@@ -1,15 +1,16 @@
 using System.Diagnostics;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
-using Microsoft.Extensions.DependencyInjection.Extensions;
 using StellaOps.Auth.Client;
 using StellaOps.Configuration;
 using StellaOps.Scanner.Cache;
 using StellaOps.Scanner.Analyzers.OS.Plugin;
 using StellaOps.Scanner.Analyzers.Lang.Plugin;
 using StellaOps.Scanner.EntryTrace;
+using StellaOps.Scanner.Core.Contracts;
 using StellaOps.Scanner.Core.Security;
 using StellaOps.Scanner.Surface.Env;
 using StellaOps.Scanner.Surface.FS;
@@ -59,6 +60,10 @@ if (!string.IsNullOrWhiteSpace(connectionString))
     builder.Services.AddSingleton<ISurfaceManifestPublisher, SurfaceManifestPublisher>();
     builder.Services.AddSingleton<IScanStageExecutor, SurfaceManifestStageExecutor>();
 }
+else
+{
+    builder.Services.TryAddSingleton<IRubyPackageInventoryStore, NullRubyPackageInventoryStore>();
+}
 
 builder.Services.TryAddSingleton<IScanJobSource, NullScanJobSource>();
 builder.Services.TryAddSingleton<IPluginCatalogGuard, RestartOnlyPluginGuard>();