stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

tests fixes and sprints work

Browse Source
This commit is contained in:
master
2026-01-22 19:08:46 +02:00
parent c32fff8f86
commit 726d70dc7f
881 changed files with 134434 additions and 6228 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Migrations/002_add_enriched_sbom_store.sql Normal file
View File

@@ -0,0 +1,41 @@
-- Migration: 002_add_enriched_sbom_store
-- Category: startup
-- Description: Store parsed SBOM documents for downstream queries.
CREATE TABLE IF NOT EXISTS concelier.sbom_documents (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
serial_number TEXT NOT NULL,
artifact_digest TEXT,
format TEXT NOT NULL CHECK (format IN ('cyclonedx', 'spdx')),
spec_version TEXT NOT NULL,
component_count INT NOT NULL DEFAULT 0,
service_count INT NOT NULL DEFAULT 0,
vulnerability_count INT NOT NULL DEFAULT 0,
has_crypto BOOLEAN NOT NULL DEFAULT FALSE,
has_services BOOLEAN NOT NULL DEFAULT FALSE,
has_vulnerabilities BOOLEAN NOT NULL DEFAULT FALSE,
sbom_json JSONB NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
CONSTRAINT uq_concelier_sbom_serial UNIQUE (serial_number),
CONSTRAINT uq_concelier_sbom_artifact UNIQUE (artifact_digest)
);
CREATE INDEX IF NOT EXISTS idx_concelier_sbom_artifact_digest
ON concelier.sbom_documents(artifact_digest)
WHERE artifact_digest IS NOT NULL;
CREATE INDEX IF NOT EXISTS idx_concelier_sbom_has_crypto
ON concelier.sbom_documents(has_crypto)
WHERE has_crypto = TRUE;
CREATE INDEX IF NOT EXISTS idx_concelier_sbom_has_services
ON concelier.sbom_documents(has_services)
WHERE has_services = TRUE;
CREATE INDEX IF NOT EXISTS idx_concelier_sbom_has_vulns
ON concelier.sbom_documents(has_vulnerabilities)
WHERE has_vulnerabilities = TRUE;
CREATE INDEX IF NOT EXISTS idx_concelier_sbom_updated
ON concelier.sbom_documents(updated_at DESC);

9
src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Migrations/003_add_sbom_license_index.sql Normal file
View File

@@ -0,0 +1,9 @@
-- Concelier: Add SBOM license index helpers
-- Adds license IDs/expressions for fast license queries.
ALTER TABLE concelier.sbom_documents
ADD COLUMN IF NOT EXISTS license_ids TEXT[] NOT NULL DEFAULT '{}',
ADD COLUMN IF NOT EXISTS license_expressions TEXT[] NOT NULL DEFAULT '{}';
CREATE INDEX IF NOT EXISTS idx_sbom_documents_license_ids
ON concelier.sbom_documents USING GIN (license_ids);

1078
src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/SbomRepository.cs Normal file
View File

File diff suppressed because it is too large Load Diff

3
src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/ServiceCollectionExtensions.cs
View File

@@ -1,6 +1,7 @@
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using StellaOps.Concelier.Persistence.Postgres.Repositories;
using StellaOps.Concelier.SbomIntegration;
using StellaOps.Concelier.Persistence.Postgres.Advisories;
using StellaOps.Infrastructure.Postgres;
using StellaOps.Infrastructure.Postgres.Options;
@@ -57,6 +58,7 @@ public static class ServiceCollectionExtensions
services.AddScoped<IAdvisoryLinksetLookup>(sp => sp.GetRequiredService<IAdvisoryLinksetStore>());
services.AddScoped<StorageContracts.IDocumentStore, PostgresDocumentStore>();
services.AddScoped<StorageContracts.IDtoStore, PostgresDtoStore>();
services.AddScoped<ISbomRepository, SbomRepository>();
services.AddScoped<ExportingContracts.IExportStateStore, PostgresExportStateStore>();
services.AddScoped<PsirtContracts.IPsirtFlagStore, PostgresPsirtFlagStore>();
services.AddScoped<JpFlagsContracts.IJpFlagStore, PostgresJpFlagStore>();
@@ -104,6 +106,7 @@ public static class ServiceCollectionExtensions
services.AddScoped<IAdvisoryLinksetLookup>(sp => sp.GetRequiredService<IAdvisoryLinksetStore>());
services.AddScoped<StorageContracts.IDocumentStore, PostgresDocumentStore>();
services.AddScoped<StorageContracts.IDtoStore, PostgresDtoStore>();
services.AddScoped<ISbomRepository, SbomRepository>();
services.AddScoped<ExportingContracts.IExportStateStore, PostgresExportStateStore>();
services.AddScoped<PsirtContracts.IPsirtFlagStore, PostgresPsirtFlagStore>();
services.AddScoped<JpFlagsContracts.IJpFlagStore, PostgresJpFlagStore>();

2
src/Concelier/__Libraries/StellaOps.Concelier.Persistence/TASKS.md
View File

@@ -9,3 +9,5 @@ Source of truth: `docs-archived/implplan/2025-12-29-csproj-audit/SPRINT_20251229
| AUDIT-0230-T | DONE | Revalidated 2026-01-07. |
| AUDIT-0230-A | TODO | Revalidated 2026-01-07 (open findings). |
| CICD-VAL-SMOKE-001 | DONE | Smoke validation: restore reference summaries from raw payload. |
| TASK-015-011 | DONE | Added enriched SBOM storage table + Postgres repository. |
| TASK-015-007d | DONE | Added license indexes and repository queries for license inventory. |

106
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/ISbomRepository.cs Normal file
View File

@@ -0,0 +1,106 @@
// -----------------------------------------------------------------------------
// ISbomRepository.cs
// Sprint: SPRINT_20260119_015_Concelier_sbom_full_extraction
// Task: TASK-015-011 - Enriched SBOM repository interface
// Description: Storage contract for ParsedSbom persistence and lookup
// -----------------------------------------------------------------------------
using System.Collections.Immutable;
using StellaOps.Concelier.SbomIntegration.Models;
namespace StellaOps.Concelier.SbomIntegration;
/// <summary>
/// Repository for storing and querying enriched ParsedSbom data.
/// </summary>
public interface ISbomRepository
{
/// <summary>
/// Gets a parsed SBOM by its serial number.
/// </summary>
Task<ParsedSbom?> GetBySerialNumberAsync(
string serialNumber,
CancellationToken ct = default);
/// <summary>
/// Gets a parsed SBOM by the artifact digest.
/// </summary>
Task<ParsedSbom?> GetByArtifactDigestAsync(
string digest,
CancellationToken ct = default);
/// <summary>
/// Stores or updates a parsed SBOM.
/// </summary>
Task StoreAsync(ParsedSbom sbom, CancellationToken ct = default);
/// <summary>
/// Gets services extracted for an artifact.
/// </summary>
Task<IReadOnlyList<ParsedService>> GetServicesForArtifactAsync(
string artifactId,
CancellationToken ct = default);
/// <summary>
/// Gets components that include crypto properties for an artifact.
/// </summary>
Task<IReadOnlyList<ParsedComponent>> GetComponentsWithCryptoAsync(
string artifactId,
CancellationToken ct = default);
/// <summary>
/// Gets embedded vulnerabilities for an artifact.
/// </summary>
Task<IReadOnlyList<ParsedVulnerability>> GetEmbeddedVulnerabilitiesAsync(
string artifactId,
CancellationToken ct = default);
/// <summary>
/// Gets all licenses referenced by an artifact.
/// </summary>
Task<IReadOnlyList<ParsedLicense>> GetLicensesForArtifactAsync(
string artifactId,
CancellationToken ct = default);
/// <summary>
/// Gets components that reference the given SPDX license ID.
/// </summary>
Task<IReadOnlyList<ParsedComponent>> GetComponentsByLicenseAsync(
string spdxId,
CancellationToken ct = default);
/// <summary>
/// Gets components without declared license data for an artifact.
/// </summary>
Task<IReadOnlyList<ParsedComponent>> GetComponentsWithoutLicenseAsync(
string artifactId,
CancellationToken ct = default);
/// <summary>
/// Gets components by license category for an artifact.
/// </summary>
Task<IReadOnlyList<ParsedComponent>> GetComponentsByLicenseCategoryAsync(
string artifactId,
LicenseCategory category,
CancellationToken ct = default);
/// <summary>
/// Returns license inventory summary information for an artifact.
/// </summary>
Task<LicenseInventorySummary> GetLicenseInventoryAsync(
string artifactId,
CancellationToken ct = default);
}
/// <summary>
/// License inventory summary for an artifact.
/// </summary>
public sealed record LicenseInventorySummary
{
public int TotalComponents { get; init; }
public int ComponentsWithLicense { get; init; }
public int ComponentsWithoutLicense { get; init; }
public ImmutableDictionary<string, int> LicenseDistribution { get; init; } =
ImmutableDictionary<string, int>.Empty;
public ImmutableArray<string> UniqueLicenses { get; init; } = [];
public ImmutableArray<string> Expressions { get; init; } = [];
}

26
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Licensing/ILicenseExpressionValidator.cs Normal file
View File

@@ -0,0 +1,26 @@
// -----------------------------------------------------------------------------
// ILicenseExpressionValidator.cs
// Sprint: SPRINT_20260119_015_Concelier_sbom_full_extraction
// Task: TASK-015-007c - SPDX license expression validation
// -----------------------------------------------------------------------------
using System.Collections.Immutable;
using StellaOps.Concelier.SbomIntegration.Models;
namespace StellaOps.Concelier.SbomIntegration.Licensing;
public interface ILicenseExpressionValidator
{
LicenseValidationResult Validate(ParsedLicenseExpression expression);
LicenseValidationResult ValidateString(string spdxExpression);
}
public sealed record LicenseValidationResult
{
public bool IsValid { get; init; }
public ImmutableArray<string> Errors { get; init; } = [];
public ImmutableArray<string> Warnings { get; init; } = [];
public ImmutableArray<string> ReferencedLicenses { get; init; } = [];
public ImmutableArray<string> ReferencedExceptions { get; init; } = [];
public ImmutableArray<string> DeprecatedLicenses { get; init; } = [];
public ImmutableArray<string> UnknownLicenses { get; init; } = [];
}

518
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Licensing/SpdxLicenseExpressionValidator.cs Normal file
View File

@@ -0,0 +1,518 @@
// -----------------------------------------------------------------------------
// SpdxLicenseExpressionValidator.cs
// Sprint: SPRINT_20260119_015_Concelier_sbom_full_extraction
// Task: TASK-015-007c - SPDX license expression validation
// -----------------------------------------------------------------------------
using System.Collections.Immutable;
using System.Linq;
using System.Reflection;
using System.Text.Json;
using StellaOps.Concelier.SbomIntegration.Models;
namespace StellaOps.Concelier.SbomIntegration.Licensing;
public sealed class SpdxLicenseExpressionValidator : ILicenseExpressionValidator
{
private static readonly Lazy<SpdxLicenseCatalog> Catalog = new(LoadCatalog);
public LicenseValidationResult Validate(ParsedLicenseExpression expression)
{
if (expression is null)
{
return LicenseValidationResultBuilder.Invalid("License expression is null.");
}
var context = new LicenseValidationContext();
CollectExpression(expression, context);
return LicenseValidationResultBuilder.FromContext(context);
}
public LicenseValidationResult ValidateString(string spdxExpression)
{
if (string.IsNullOrWhiteSpace(spdxExpression))
{
return LicenseValidationResultBuilder.Invalid("License expression is empty.");
}
var parser = new LicenseExpressionParser(spdxExpression);
if (!parser.TryParse(out var parsed, out var error))
{
return LicenseValidationResultBuilder.Invalid(error ?? "Invalid SPDX license expression.");
}
if (parsed is null)
{
return LicenseValidationResultBuilder.Invalid(error ?? "Invalid SPDX license expression.");
}
return Validate(parsed);
}
private static void CollectExpression(
ParsedLicenseExpression expression,
LicenseValidationContext context)
{
switch (expression)
{
case SimpleLicense simple:
ValidateLicenseId(simple.Id, context);
break;
case OrLater orLater:
ValidateLicenseId(orLater.LicenseId, context);
break;
case WithException withException:
CollectExpression(withException.License, context);
ValidateException(withException.Exception, context);
break;
case ConjunctiveSet conjunctive:
foreach (var member in conjunctive.Members)
{
CollectExpression(member, context);
}
break;
case DisjunctiveSet disjunctive:
foreach (var member in disjunctive.Members)
{
CollectExpression(member, context);
}
break;
}
}
private static void ValidateLicenseId(string licenseId, LicenseValidationContext context)
{
var normalized = NormalizeToken(licenseId);
if (string.IsNullOrWhiteSpace(normalized))
{
context.Errors.Add("License identifier is empty.");
return;
}
context.ReferencedLicenses.Add(normalized);
if (IsSpecialLicense(normalized))
{
return;
}
var catalog = Catalog.Value;
if (IsLicenseRef(normalized))
{
context.UnknownLicenses.Add(normalized);
context.Warnings.Add($"LicenseRef identifier is allowed but not listed: {normalized}");
return;
}
if (!catalog.LicenseIds.Contains(normalized))
{
context.UnknownLicenses.Add(normalized);
context.Errors.Add($"Unknown SPDX license identifier: {normalized}");
return;
}
if (catalog.DeprecatedLicenseIds.Contains(normalized))
{
context.DeprecatedLicenses.Add(normalized);
context.Warnings.Add($"Deprecated SPDX license identifier: {normalized}");
}
}
private static void ValidateException(string exceptionId, LicenseValidationContext context)
{
var normalized = NormalizeToken(exceptionId);
if (string.IsNullOrWhiteSpace(normalized))
{
context.Errors.Add("License exception identifier is empty.");
return;
}
context.ReferencedExceptions.Add(normalized);
var catalog = Catalog.Value;
if (!catalog.ExceptionIds.Contains(normalized))
{
context.Errors.Add($"Unknown SPDX license exception: {normalized}");
}
}
private static string NormalizeToken(string? value)
=> string.IsNullOrWhiteSpace(value) ? string.Empty : value.Trim();
private static bool IsSpecialLicense(string licenseId)
=> string.Equals(licenseId, "NONE", StringComparison.OrdinalIgnoreCase)
|| string.Equals(licenseId, "NOASSERTION", StringComparison.OrdinalIgnoreCase);
private static bool IsLicenseRef(string licenseId)
=> licenseId.StartsWith("LicenseRef-", StringComparison.Ordinal)
|| licenseId.StartsWith("DocumentRef-", StringComparison.Ordinal);
private static SpdxLicenseCatalog LoadCatalog()
{
var assembly = typeof(SpdxLicenseExpressionValidator).Assembly;
var licenseResource = "StellaOps.Concelier.SbomIntegration.Resources.spdx-license-list-3.21.json";
var exceptionResource = "StellaOps.Concelier.SbomIntegration.Resources.spdx-license-exceptions-3.21.json";
var licenseCatalog = LoadLicenses(assembly, licenseResource);
var exceptionIds = LoadExceptions(assembly, exceptionResource);
return licenseCatalog with
{
ExceptionIds = exceptionIds
};
}
private static SpdxLicenseCatalog LoadLicenses(Assembly assembly, string resourceName)
{
using var stream = assembly.GetManifestResourceStream(resourceName)
?? throw new InvalidOperationException($"Missing embedded resource: {resourceName}");
using var document = JsonDocument.Parse(stream);
var version = GetStringProperty(document.RootElement, "licenseListVersion") ?? "unknown";
if (!document.RootElement.TryGetProperty("licenses", out var licenses) ||
licenses.ValueKind != JsonValueKind.Array)
{
return new SpdxLicenseCatalog
{
Version = version,
LicenseIds = ImmutableHashSet<string>.Empty,
DeprecatedLicenseIds = ImmutableHashSet<string>.Empty,
ExceptionIds = ImmutableHashSet<string>.Empty
};
}
var licenseIds = ImmutableHashSet.CreateBuilder<string>(StringComparer.Ordinal);
var deprecated = ImmutableHashSet.CreateBuilder<string>(StringComparer.Ordinal);
foreach (var entry in licenses.EnumerateArray())
{
var id = GetStringProperty(entry, "licenseId");
if (string.IsNullOrWhiteSpace(id))
{
continue;
}
licenseIds.Add(id);
if (GetBooleanProperty(entry, "isDeprecatedLicenseId"))
{
deprecated.Add(id);
}
}
return new SpdxLicenseCatalog
{
Version = version,
LicenseIds = licenseIds.ToImmutable(),
DeprecatedLicenseIds = deprecated.ToImmutable(),
ExceptionIds = ImmutableHashSet<string>.Empty
};
}
private static ImmutableHashSet<string> LoadExceptions(Assembly assembly, string resourceName)
{
using var stream = assembly.GetManifestResourceStream(resourceName)
?? throw new InvalidOperationException($"Missing embedded resource: {resourceName}");
using var document = JsonDocument.Parse(stream);
if (!document.RootElement.TryGetProperty("exceptions", out var exceptions) ||
exceptions.ValueKind != JsonValueKind.Array)
{
return ImmutableHashSet<string>.Empty;
}
var exceptionIds = ImmutableHashSet.CreateBuilder<string>(StringComparer.Ordinal);
foreach (var entry in exceptions.EnumerateArray())
{
var id = GetStringProperty(entry, "licenseExceptionId");
if (!string.IsNullOrWhiteSpace(id))
{
exceptionIds.Add(id);
}
}
return exceptionIds.ToImmutable();
}
private static string? GetStringProperty(JsonElement element, string propertyName)
{
if (element.TryGetProperty(propertyName, out var prop) &&
prop.ValueKind == JsonValueKind.String)
{
return prop.GetString();
}
return null;
}
private static bool GetBooleanProperty(JsonElement element, string propertyName)
{
if (element.TryGetProperty(propertyName, out var prop))
{
if (prop.ValueKind == JsonValueKind.True)
{
return true;
}
if (prop.ValueKind == JsonValueKind.False)
{
return false;
}
}
return false;
}
private sealed record SpdxLicenseCatalog
{
public required string Version { get; init; }
public required ImmutableHashSet<string> LicenseIds { get; init; }
public required ImmutableHashSet<string> DeprecatedLicenseIds { get; init; }
public required ImmutableHashSet<string> ExceptionIds { get; init; }
}
private sealed class LicenseValidationContext
{
public HashSet<string> ReferencedLicenses { get; } = new(StringComparer.Ordinal);
public HashSet<string> ReferencedExceptions { get; } = new(StringComparer.Ordinal);
public HashSet<string> DeprecatedLicenses { get; } = new(StringComparer.Ordinal);
public HashSet<string> UnknownLicenses { get; } = new(StringComparer.Ordinal);
public List<string> Errors { get; } = [];
public List<string> Warnings { get; } = [];
}
private static class LicenseValidationResultBuilder
{
public static LicenseValidationResult Invalid(string error)
{
return new LicenseValidationResult
{
IsValid = false,
Errors = [error]
};
}
public static LicenseValidationResult FromContext(LicenseValidationContext context)
{
var errors = ToSortedImmutable(context.Errors);
var warnings = ToSortedImmutable(context.Warnings);
return new LicenseValidationResult
{
IsValid = errors.Length == 0,
Errors = errors,
Warnings = warnings,
ReferencedLicenses = ToSortedImmutable(context.ReferencedLicenses),
ReferencedExceptions = ToSortedImmutable(context.ReferencedExceptions),
DeprecatedLicenses = ToSortedImmutable(context.DeprecatedLicenses),
UnknownLicenses = ToSortedImmutable(context.UnknownLicenses)
};
}
private static ImmutableArray<string> ToSortedImmutable(IEnumerable<string> values)
{
return values
.Where(value => !string.IsNullOrWhiteSpace(value))
.Distinct(StringComparer.Ordinal)
.OrderBy(value => value, StringComparer.Ordinal)
.ToImmutableArray();
}
}
private sealed class LicenseExpressionParser
{
private readonly IReadOnlyList<Token> _tokens;
private int _index;
public LicenseExpressionParser(string expression)
{
_tokens = Tokenize(expression);
}
public bool TryParse(out ParsedLicenseExpression? expression, out string? error)
{
error = null;
expression = null;
try
{
if (_tokens.Count == 0)
{
error = "License expression is empty.";
return false;
}
expression = ParseOr();
if (!IsAtEnd())
{
error = "Unexpected trailing tokens in license expression.";
return false;
}
return true;
}
catch (FormatException ex)
{
error = ex.Message;
return false;
}
}
private ParsedLicenseExpression ParseOr()
{
var members = new List<ParsedLicenseExpression> { ParseAnd() };
while (Match(TokenKind.Or))
{
members.Add(ParseAnd());
}
return members.Count == 1
? members[0]
: new DisjunctiveSet(members.ToImmutableArray());
}
private ParsedLicenseExpression ParseAnd()
{
var members = new List<ParsedLicenseExpression> { ParseWith() };
while (Match(TokenKind.And))
{
members.Add(ParseWith());
}
return members.Count == 1
? members[0]
: new ConjunctiveSet(members.ToImmutableArray());
}
private ParsedLicenseExpression ParseWith()
{
var primary = ParsePrimary();
if (!Match(TokenKind.With))
{
return primary;
}
var exception = Expect(TokenKind.Identifier);
return new WithException(primary, exception.Value);
}
private ParsedLicenseExpression ParsePrimary()
{
if (Match(TokenKind.LeftParen))
{
var inner = ParseOr();
Expect(TokenKind.RightParen);
return inner;
}
var token = Expect(TokenKind.Identifier);
return BuildLicense(token.Value);
}
private static ParsedLicenseExpression BuildLicense(string value)
{
if (value.EndsWith("+", StringComparison.Ordinal) && value.Length > 1)
{
return new OrLater(value[..^1]);
}
return new SimpleLicense(value);
}
private bool Match(TokenKind kind)
{
if (IsAtEnd() || _tokens[_index].Kind != kind)
{
return false;
}
_index++;
return true;
}
private Token Expect(TokenKind kind)
{
if (IsAtEnd() || _tokens[_index].Kind != kind)
{
throw new FormatException("Invalid SPDX license expression.");
}
return _tokens[_index++];
}
private bool IsAtEnd() => _index >= _tokens.Count;
private static IReadOnlyList<Token> Tokenize(string expression)
{
var tokens = new List<Token>();
var span = expression.AsSpan();
var index = 0;
while (index < span.Length)
{
var current = span[index];
if (char.IsWhiteSpace(current))
{
index++;
continue;
}
if (current == '(')
{
tokens.Add(new Token(TokenKind.LeftParen, "("));
index++;
continue;
}
if (current == ')')
{
tokens.Add(new Token(TokenKind.RightParen, ")"));
index++;
continue;
}
var start = index;
while (index < span.Length &&
!char.IsWhiteSpace(span[index]) &&
span[index] != '(' &&
span[index] != ')')
{
index++;
}
var value = span[start..index].ToString();
tokens.Add(ToToken(value));
}
return tokens;
}
private static Token ToToken(string value)
{
if (string.Equals(value, "AND", StringComparison.OrdinalIgnoreCase))
{
return new Token(TokenKind.And, value);
}
if (string.Equals(value, "OR", StringComparison.OrdinalIgnoreCase))
{
return new Token(TokenKind.Or, value);
}
if (string.Equals(value, "WITH", StringComparison.OrdinalIgnoreCase))
{
return new Token(TokenKind.With, value);
}
return new Token(TokenKind.Identifier, value);
}
private readonly record struct Token(TokenKind Kind, string Value);
private enum TokenKind
{
Identifier,
And,
Or,
With,
LeftParen,
RightParen
}
}
}

211
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Matching/SbomAdvisoryMatcher.cs
View File

@@ -6,11 +6,14 @@
// -----------------------------------------------------------------------------
using System.Collections.Concurrent;
using System.Collections.Immutable;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Concelier.Core.Canonical;
using StellaOps.Concelier.SbomIntegration.Models;
using StellaOps.Concelier.SbomIntegration.Vex;
namespace StellaOps.Concelier.SbomIntegration.Matching;
@@ -22,15 +25,27 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
private readonly ICanonicalAdvisoryService _canonicalService;
private readonly ILogger<SbomAdvisoryMatcher> _logger;
private readonly TimeProvider _timeProvider;
private readonly IVexConsumer? _vexConsumer;
private readonly ISbomRepository? _sbomRepository;
private readonly IVexConsumptionPolicyLoader? _policyLoader;
private readonly VexConsumptionOptions _vexOptions;
public SbomAdvisoryMatcher(
ICanonicalAdvisoryService canonicalService,
ILogger<SbomAdvisoryMatcher> logger,
TimeProvider? timeProvider = null)
TimeProvider? timeProvider = null,
IVexConsumer? vexConsumer = null,
ISbomRepository? sbomRepository = null,
IVexConsumptionPolicyLoader? policyLoader = null,
IOptions<VexConsumptionOptions>? vexOptions = null)
{
_canonicalService = canonicalService ?? throw new ArgumentNullException(nameof(canonicalService));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_timeProvider = timeProvider ?? TimeProvider.System;
_vexConsumer = vexConsumer;
_sbomRepository = sbomRepository;
_policyLoader = policyLoader;
_vexOptions = vexOptions?.Value ?? new VexConsumptionOptions();
}
/// <inheritdoc />
@@ -50,6 +65,9 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
return [];
}
var vexContext = await BuildVexContextAsync(sbomDigest, cancellationToken)
.ConfigureAwait(false);
_logger.LogDebug("Matching {PurlCount} PURLs against canonical advisories", purlList.Count);
var matches = new ConcurrentBag<SbomAdvisoryMatch>();
@@ -69,6 +87,7 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
purl,
reachabilityMap,
deploymentMap,
vexContext,
cancellationToken).ConfigureAwait(false);
foreach (var match in purlMatches)
@@ -155,6 +174,7 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
string purl,
IReadOnlyDictionary<string, bool>? reachabilityMap,
IReadOnlyDictionary<string, bool>? deploymentMap,
VexContext? vexContext,
CancellationToken cancellationToken)
{
try
@@ -172,18 +192,33 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
var matchMethod = DetermineMatchMethod(purl);
var matchedAt = _timeProvider.GetUtcNow();
return advisories.Select(advisory => new SbomAdvisoryMatch
var results = new List<SbomAdvisoryMatch>();
foreach (var advisory in advisories)
{
Id = ComputeDeterministicMatchId(sbomDigest, purl, advisory.Id),
SbomId = sbomId,
SbomDigest = sbomDigest,
CanonicalId = advisory.Id,
Purl = purl,
Method = matchMethod,
IsReachable = isReachable,
IsDeployed = isDeployed,
MatchedAt = matchedAt
}).ToList();
if (ShouldFilterByVex(advisory, purl, vexContext))
{
_logger.LogDebug(
"Filtered advisory {CanonicalId} for PURL {Purl} due to VEX status",
advisory.Id,
purl);
continue;
}
results.Add(new SbomAdvisoryMatch
{
Id = ComputeDeterministicMatchId(sbomDigest, purl, advisory.Id),
SbomId = sbomId,
SbomDigest = sbomDigest,
CanonicalId = advisory.Id,
Purl = purl,
Method = matchMethod,
IsReachable = isReachable,
IsDeployed = isDeployed,
MatchedAt = matchedAt
});
}
return results;
}
catch (Exception ex)
{
@@ -293,4 +328,156 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
var hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(input))[..16];
return new Guid(hashBytes);
}
private async Task<VexContext?> BuildVexContextAsync(string sbomDigest, CancellationToken cancellationToken)
{
if (_vexConsumer is null || _sbomRepository is null || _policyLoader is null)
{
return null;
}
if (!_vexOptions.Enabled || _vexOptions.IgnoreVex)
{
return null;
}
if (string.IsNullOrWhiteSpace(sbomDigest))
{
return null;
}
var sbom = await _sbomRepository.GetByArtifactDigestAsync(sbomDigest, cancellationToken)
.ConfigureAwait(false);
if (sbom is null)
{
return null;
}
var policy = await _policyLoader.LoadAsync(_vexOptions.PolicyPath, cancellationToken)
.ConfigureAwait(false);
policy = ApplyOverrides(policy);
VexConsumptionResult result;
if (_vexConsumer is VexConsumer consumer)
{
result = await consumer.ConsumeFromSbomAsync(sbom, policy, cancellationToken)
.ConfigureAwait(false);
}
else
{
result = await _vexConsumer.ConsumeAsync(sbom.Vulnerabilities, policy, cancellationToken)
.ConfigureAwait(false);
}
var lookup = result.Statements
.GroupBy(statement => statement.VulnerabilityId, StringComparer.OrdinalIgnoreCase)
.ToDictionary(
group => group.Key,
group => SelectPreferredStatement(group.ToList()),
StringComparer.OrdinalIgnoreCase);
return new VexContext(policy, lookup);
}
private static ConsumedVexStatement SelectPreferredStatement(IReadOnlyList<ConsumedVexStatement> statements)
{
return statements
.OrderByDescending(statement => statement.TrustLevel.ToRank())
.ThenByDescending(statement => statement.Timestamp ?? DateTimeOffset.MinValue)
.First();
}
private VexConsumptionPolicy ApplyOverrides(VexConsumptionPolicy policy)
{
if (_vexOptions.TrustEmbeddedVex.HasValue)
{
policy = policy with { TrustEmbeddedVex = _vexOptions.TrustEmbeddedVex.Value };
}
if (_vexOptions.MinimumTrustLevel.HasValue)
{
policy = policy with { MinimumTrustLevel = _vexOptions.MinimumTrustLevel.Value };
}
if (_vexOptions.FilterNotAffected.HasValue)
{
policy = policy with { FilterNotAffected = _vexOptions.FilterNotAffected.Value };
}
if (_vexOptions.ExternalVexSources is { Length: > 0 })
{
policy = policy with
{
MergePolicy = policy.MergePolicy with
{
ExternalSources = BuildExternalSources(_vexOptions.ExternalVexSources)
}
};
}
return policy;
}
private static ImmutableArray<VexExternalSource> BuildExternalSources(string[] sources)
{
return sources
.Where(source => !string.IsNullOrWhiteSpace(source))
.Select(source => new VexExternalSource
{
Type = "external",
Url = source.Trim()
})
.ToImmutableArray();
}
private static bool ShouldFilterByVex(
CanonicalAdvisory advisory,
string purl,
VexContext? vexContext)
{
if (vexContext is null)
{
return false;
}
if (!vexContext.Statements.TryGetValue(advisory.Cve, out var statement))
{
return false;
}
if (!AppliesToComponent(statement, purl))
{
return false;
}
return statement.Status == VexStatus.NotAffected && vexContext.Policy.FilterNotAffected;
}
private static bool AppliesToComponent(ConsumedVexStatement statement, string purl)
{
if (statement.AffectedComponents.IsDefaultOrEmpty)
{
return true;
}
var normalized = NormalizePurl(purl);
foreach (var component in statement.AffectedComponents)
{
if (string.IsNullOrWhiteSpace(component))
{
continue;
}
if (string.Equals(NormalizePurl(component), normalized, StringComparison.OrdinalIgnoreCase))
{
return true;
}
}
return false;
}
private sealed record VexContext(
VexConsumptionPolicy Policy,
IReadOnlyDictionary<string, ConsumedVexStatement> Statements);
}

39
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Models/ParsedSbom.cs
View File

@@ -26,6 +26,7 @@ public sealed record ParsedSbom
public ParsedDeclarations? Declarations { get; init; }
public ParsedDefinitions? Definitions { get; init; }
public ImmutableArray<ParsedAnnotation> Annotations { get; init; } = [];
public ParsedSignature? Signature { get; init; }
public required ParsedSbomMetadata Metadata { get; init; }
}
@@ -42,6 +43,7 @@ public sealed record ParsedSbomMetadata
public string? Supplier { get; init; }
public string? Manufacturer { get; init; }
public ImmutableArray<string> Profiles { get; init; } = [];
public ImmutableArray<string> SbomTypes { get; init; } = [];
public ImmutableArray<ParsedNamespaceMapEntry> NamespaceMap { get; init; } = [];
public ImmutableArray<string> Imports { get; init; } = [];
public string? RootComponentRef { get; init; }
@@ -76,12 +78,38 @@ public sealed record ParsedComponent
public ParsedPedigree? Pedigree { get; init; }
public ParsedCryptoProperties? CryptoProperties { get; init; }
public ParsedModelCard? ModelCard { get; init; }
public ParsedSwid? Swid { get; init; }
public ParsedDatasetMetadata? DatasetMetadata { get; init; }
public ParsedOrganization? Supplier { get; init; }
public ParsedOrganization? Manufacturer { get; init; }
public ComponentScope Scope { get; init; } = ComponentScope.Required;
public bool Modified { get; init; }
}
public sealed record ParsedSwid
{
public string? TagId { get; init; }
public string? Name { get; init; }
public string? Version { get; init; }
public int? TagVersion { get; init; }
public bool? Patch { get; init; }
}
public sealed record ParsedDatasetMetadata
{
public string? DatasetType { get; init; }
public string? DataCollectionProcess { get; init; }
public string? DataPreprocessing { get; init; }
public string? DatasetSize { get; init; }
public string? IntendedUse { get; init; }
public string? KnownBias { get; init; }
public ImmutableArray<string> SensitivePersonalInformation { get; init; } = [];
public string? Sensor { get; init; }
public string? Availability { get; init; }
public string? ConfidentialityLevel { get; init; }
public bool? HasSensitivePersonalInformation { get; init; }
}
public enum ComponentScope
{
Required,
@@ -449,6 +477,17 @@ public sealed record ParsedModelParameters
public string? EnergyConsumption { get; init; }
public ImmutableDictionary<string, string> Hyperparameters { get; init; } =
ImmutableDictionary<string, string>.Empty;
public string? InformationAboutApplication { get; init; }
public string? InformationAboutTraining { get; init; }
public string? Limitation { get; init; }
public ImmutableArray<string> Metrics { get; init; } = [];
public ImmutableArray<string> MetricDecisionThresholds { get; init; } = [];
public string? ModelDataPreprocessing { get; init; }
public string? ModelExplainability { get; init; }
public string? SafetyRiskAssessment { get; init; }
public ImmutableArray<string> SensitivePersonalInformation { get; init; } = [];
public ImmutableArray<string> StandardCompliance { get; init; } = [];
public bool? UseSensitivePersonalInformation { get; init; }
}
public sealed record ParsedDatasetRef

2566
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs
View File

File diff suppressed because it is too large Load Diff

643
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Resources/spdx-license-exceptions-3.21.json Normal file
View File

@@ -0,0 +1,643 @@
{
"licenseListVersion": "3.21",
"exceptions": [
{
"reference": "./389-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./389-exception.html",
"referenceNumber": 48,
"name": "389 Directory Server Exception",
"licenseExceptionId": "389-exception",
"seeAlso": [
"http://directory.fedoraproject.org/wiki/GPL_Exception_License_Text",
"https://web.archive.org/web/20080828121337/http://directory.fedoraproject.org/wiki/GPL_Exception_License_Text"
]
},
{
"reference": "./Asterisk-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Asterisk-exception.html",
"referenceNumber": 33,
"name": "Asterisk exception",
"licenseExceptionId": "Asterisk-exception",
"seeAlso": [
"https://github.com/asterisk/libpri/blob/7f91151e6bd10957c746c031c1f4a030e8146e9a/pri.c#L22",
"https://github.com/asterisk/libss7/blob/03e81bcd0d28ff25d4c77c78351ddadc82ff5c3f/ss7.c#L24"
]
},
{
"reference": "./Autoconf-exception-2.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Autoconf-exception-2.0.html",
"referenceNumber": 42,
"name": "Autoconf exception 2.0",
"licenseExceptionId": "Autoconf-exception-2.0",
"seeAlso": [
"http://ac-archive.sourceforge.net/doc/copyright.html",
"http://ftp.gnu.org/gnu/autoconf/autoconf-2.59.tar.gz"
]
},
{
"reference": "./Autoconf-exception-3.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Autoconf-exception-3.0.html",
"referenceNumber": 41,
"name": "Autoconf exception 3.0",
"licenseExceptionId": "Autoconf-exception-3.0",
"seeAlso": [
"http://www.gnu.org/licenses/autoconf-exception-3.0.html"
]
},
{
"reference": "./Autoconf-exception-generic.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Autoconf-exception-generic.html",
"referenceNumber": 4,
"name": "Autoconf generic exception",
"licenseExceptionId": "Autoconf-exception-generic",
"seeAlso": [
"https://launchpad.net/ubuntu/precise/+source/xmltooling/+copyright",
"https://tracker.debian.org/media/packages/s/sipwitch/copyright-1.9.15-3",
"https://opensource.apple.com/source/launchd/launchd-258.1/launchd/compile.auto.html"
]
},
{
"reference": "./Autoconf-exception-macro.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Autoconf-exception-macro.html",
"referenceNumber": 19,
"name": "Autoconf macro exception",
"licenseExceptionId": "Autoconf-exception-macro",
"seeAlso": [
"https://github.com/freedesktop/xorg-macros/blob/39f07f7db58ebbf3dcb64a2bf9098ed5cf3d1223/xorg-macros.m4.in",
"https://www.gnu.org/software/autoconf-archive/ax_pthread.html",
"https://launchpad.net/ubuntu/precise/+source/xmltooling/+copyright"
]
},
{
"reference": "./Bison-exception-2.2.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Bison-exception-2.2.html",
"referenceNumber": 11,
"name": "Bison exception 2.2",
"licenseExceptionId": "Bison-exception-2.2",
"seeAlso": [
"http://git.savannah.gnu.org/cgit/bison.git/tree/data/yacc.c?id\u003d193d7c7054ba7197b0789e14965b739162319b5e#n141"
]
},
{
"reference": "./Bootloader-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Bootloader-exception.html",
"referenceNumber": 50,
"name": "Bootloader Distribution Exception",
"licenseExceptionId": "Bootloader-exception",
"seeAlso": [
"https://github.com/pyinstaller/pyinstaller/blob/develop/COPYING.txt"
]
},
{
"reference": "./Classpath-exception-2.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Classpath-exception-2.0.html",
"referenceNumber": 36,
"name": "Classpath exception 2.0",
"licenseExceptionId": "Classpath-exception-2.0",
"seeAlso": [
"http://www.gnu.org/software/classpath/license.html",
"https://fedoraproject.org/wiki/Licensing/GPL_Classpath_Exception"
]
},
{
"reference": "./CLISP-exception-2.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./CLISP-exception-2.0.html",
"referenceNumber": 9,
"name": "CLISP exception 2.0",
"licenseExceptionId": "CLISP-exception-2.0",
"seeAlso": [
"http://sourceforge.net/p/clisp/clisp/ci/default/tree/COPYRIGHT"
]
},
{
"reference": "./cryptsetup-OpenSSL-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./cryptsetup-OpenSSL-exception.html",
"referenceNumber": 39,
"name": "cryptsetup OpenSSL exception",
"licenseExceptionId": "cryptsetup-OpenSSL-exception",
"seeAlso": [
"https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/COPYING",
"https://gitlab.nic.cz/datovka/datovka/-/blob/develop/COPYING",
"https://github.com/nbs-system/naxsi/blob/951123ad456bdf5ac94e8d8819342fe3d49bc002/naxsi_src/naxsi_raw.c",
"http://web.mit.edu/jgross/arch/amd64_deb60/bin/mosh"
]
},
{
"reference": "./DigiRule-FOSS-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./DigiRule-FOSS-exception.html",
"referenceNumber": 20,
"name": "DigiRule FOSS License Exception",
"licenseExceptionId": "DigiRule-FOSS-exception",
"seeAlso": [
"http://www.digirulesolutions.com/drupal/foss"
]
},
{
"reference": "./eCos-exception-2.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./eCos-exception-2.0.html",
"referenceNumber": 38,
"name": "eCos exception 2.0",
"licenseExceptionId": "eCos-exception-2.0",
"seeAlso": [
"http://ecos.sourceware.org/license-overview.html"
]
},
{
"reference": "./Fawkes-Runtime-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Fawkes-Runtime-exception.html",
"referenceNumber": 8,
"name": "Fawkes Runtime Exception",
"licenseExceptionId": "Fawkes-Runtime-exception",
"seeAlso": [
"http://www.fawkesrobotics.org/about/license/"
]
},
{
"reference": "./FLTK-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./FLTK-exception.html",
"referenceNumber": 18,
"name": "FLTK exception",
"licenseExceptionId": "FLTK-exception",
"seeAlso": [
"http://www.fltk.org/COPYING.php"
]
},
{
"reference": "./Font-exception-2.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Font-exception-2.0.html",
"referenceNumber": 7,
"name": "Font exception 2.0",
"licenseExceptionId": "Font-exception-2.0",
"seeAlso": [
"http://www.gnu.org/licenses/gpl-faq.html#FontException"
]
},
{
"reference": "./freertos-exception-2.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./freertos-exception-2.0.html",
"referenceNumber": 47,
"name": "FreeRTOS Exception 2.0",
"licenseExceptionId": "freertos-exception-2.0",
"seeAlso": [
"https://web.archive.org/web/20060809182744/http://www.freertos.org/a00114.html"
]
},
{
"reference": "./GCC-exception-2.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./GCC-exception-2.0.html",
"referenceNumber": 54,
"name": "GCC Runtime Library exception 2.0",
"licenseExceptionId": "GCC-exception-2.0",
"seeAlso": [
"https://gcc.gnu.org/git/?p\u003dgcc.git;a\u003dblob;f\u003dgcc/libgcc1.c;h\u003d762f5143fc6eed57b6797c82710f3538aa52b40b;hb\u003dcb143a3ce4fb417c68f5fa2691a1b1b1053dfba9#l10"
]
},
{
"reference": "./GCC-exception-3.1.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./GCC-exception-3.1.html",
"referenceNumber": 27,
"name": "GCC Runtime Library exception 3.1",
"licenseExceptionId": "GCC-exception-3.1",
"seeAlso": [
"http://www.gnu.org/licenses/gcc-exception-3.1.html"
]
},
{
"reference": "./GNAT-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./GNAT-exception.html",
"referenceNumber": 13,
"name": "GNAT exception",
"licenseExceptionId": "GNAT-exception",
"seeAlso": [
"https://github.com/AdaCore/florist/blob/master/libsrc/posix-configurable_file_limits.adb"
]
},
{
"reference": "./gnu-javamail-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./gnu-javamail-exception.html",
"referenceNumber": 34,
"name": "GNU JavaMail exception",
"licenseExceptionId": "gnu-javamail-exception",
"seeAlso": [
"http://www.gnu.org/software/classpathx/javamail/javamail.html"
]
},
{
"reference": "./GPL-3.0-interface-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./GPL-3.0-interface-exception.html",
"referenceNumber": 21,
"name": "GPL-3.0 Interface Exception",
"licenseExceptionId": "GPL-3.0-interface-exception",
"seeAlso": [
"https://www.gnu.org/licenses/gpl-faq.en.html#LinkingOverControlledInterface"
]
},
{
"reference": "./GPL-3.0-linking-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./GPL-3.0-linking-exception.html",
"referenceNumber": 1,
"name": "GPL-3.0 Linking Exception",
"licenseExceptionId": "GPL-3.0-linking-exception",
"seeAlso": [
"https://www.gnu.org/licenses/gpl-faq.en.html#GPLIncompatibleLibs"
]
},
{
"reference": "./GPL-3.0-linking-source-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./GPL-3.0-linking-source-exception.html",
"referenceNumber": 37,
"name": "GPL-3.0 Linking Exception (with Corresponding Source)",
"licenseExceptionId": "GPL-3.0-linking-source-exception",
"seeAlso": [
"https://www.gnu.org/licenses/gpl-faq.en.html#GPLIncompatibleLibs",
"https://github.com/mirror/wget/blob/master/src/http.c#L20"
]
},
{
"reference": "./GPL-CC-1.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./GPL-CC-1.0.html",
"referenceNumber": 52,
"name": "GPL Cooperation Commitment 1.0",
"licenseExceptionId": "GPL-CC-1.0",
"seeAlso": [
"https://github.com/gplcc/gplcc/blob/master/Project/COMMITMENT",
"https://gplcc.github.io/gplcc/Project/README-PROJECT.html"
]
},
{
"reference": "./GStreamer-exception-2005.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./GStreamer-exception-2005.html",
"referenceNumber": 35,
"name": "GStreamer Exception (2005)",
"licenseExceptionId": "GStreamer-exception-2005",
"seeAlso": [
"https://gstreamer.freedesktop.org/documentation/frequently-asked-questions/licensing.html?gi-language\u003dc#licensing-of-applications-using-gstreamer"
]
},
{
"reference": "./GStreamer-exception-2008.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./GStreamer-exception-2008.html",
"referenceNumber": 30,
"name": "GStreamer Exception (2008)",
"licenseExceptionId": "GStreamer-exception-2008",
"seeAlso": [
"https://gstreamer.freedesktop.org/documentation/frequently-asked-questions/licensing.html?gi-language\u003dc#licensing-of-applications-using-gstreamer"
]
},
{
"reference": "./i2p-gpl-java-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./i2p-gpl-java-exception.html",
"referenceNumber": 40,
"name": "i2p GPL+Java Exception",
"licenseExceptionId": "i2p-gpl-java-exception",
"seeAlso": [
"http://geti2p.net/en/get-involved/develop/licenses#java_exception"
]
},
{
"reference": "./KiCad-libraries-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./KiCad-libraries-exception.html",
"referenceNumber": 28,
"name": "KiCad Libraries Exception",
"licenseExceptionId": "KiCad-libraries-exception",
"seeAlso": [
"https://www.kicad.org/libraries/license/"
]
},
{
"reference": "./LGPL-3.0-linking-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./LGPL-3.0-linking-exception.html",
"referenceNumber": 2,
"name": "LGPL-3.0 Linking Exception",
"licenseExceptionId": "LGPL-3.0-linking-exception",
"seeAlso": [
"https://raw.githubusercontent.com/go-xmlpath/xmlpath/v2/LICENSE",
"https://github.com/goamz/goamz/blob/master/LICENSE",
"https://github.com/juju/errors/blob/master/LICENSE"
]
},
{
"reference": "./libpri-OpenH323-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./libpri-OpenH323-exception.html",
"referenceNumber": 32,
"name": "libpri OpenH323 exception",
"licenseExceptionId": "libpri-OpenH323-exception",
"seeAlso": [
"https://github.com/asterisk/libpri/blob/1.6.0/README#L19-L22"
]
},
{
"reference": "./Libtool-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Libtool-exception.html",
"referenceNumber": 17,
"name": "Libtool Exception",
"licenseExceptionId": "Libtool-exception",
"seeAlso": [
"http://git.savannah.gnu.org/cgit/libtool.git/tree/m4/libtool.m4"
]
},
{
"reference": "./Linux-syscall-note.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Linux-syscall-note.html",
"referenceNumber": 49,
"name": "Linux Syscall Note",
"licenseExceptionId": "Linux-syscall-note",
"seeAlso": [
"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/COPYING"
]
},
{
"reference": "./LLGPL.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./LLGPL.html",
"referenceNumber": 3,
"name": "LLGPL Preamble",
"licenseExceptionId": "LLGPL",
"seeAlso": [
"http://opensource.franz.com/preamble.html"
]
},
{
"reference": "./LLVM-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./LLVM-exception.html",
"referenceNumber": 14,
"name": "LLVM Exception",
"licenseExceptionId": "LLVM-exception",
"seeAlso": [
"http://llvm.org/foundation/relicensing/LICENSE.txt"
]
},
{
"reference": "./LZMA-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./LZMA-exception.html",
"referenceNumber": 55,
"name": "LZMA exception",
"licenseExceptionId": "LZMA-exception",
"seeAlso": [
"http://nsis.sourceforge.net/Docs/AppendixI.html#I.6"
]
},
{
"reference": "./mif-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./mif-exception.html",
"referenceNumber": 53,
"name": "Macros and Inline Functions Exception",
"licenseExceptionId": "mif-exception",
"seeAlso": [
"http://www.scs.stanford.edu/histar/src/lib/cppsup/exception",
"http://dev.bertos.org/doxygen/",
"https://www.threadingbuildingblocks.org/licensing"
]
},
{
"reference": "./Nokia-Qt-exception-1.1.json",
"isDeprecatedLicenseId": true,
"detailsUrl": "./Nokia-Qt-exception-1.1.html",
"referenceNumber": 31,
"name": "Nokia Qt LGPL exception 1.1",
"licenseExceptionId": "Nokia-Qt-exception-1.1",
"seeAlso": [
"https://www.keepassx.org/dev/projects/keepassx/repository/revisions/b8dfb9cc4d5133e0f09cd7533d15a4f1c19a40f2/entry/LICENSE.NOKIA-LGPL-EXCEPTION"
]
},
{
"reference": "./OCaml-LGPL-linking-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./OCaml-LGPL-linking-exception.html",
"referenceNumber": 29,
"name": "OCaml LGPL Linking Exception",
"licenseExceptionId": "OCaml-LGPL-linking-exception",
"seeAlso": [
"https://caml.inria.fr/ocaml/license.en.html"
]
},
{
"reference": "./OCCT-exception-1.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./OCCT-exception-1.0.html",
"referenceNumber": 15,
"name": "Open CASCADE Exception 1.0",
"licenseExceptionId": "OCCT-exception-1.0",
"seeAlso": [
"http://www.opencascade.com/content/licensing"
]
},
{
"reference": "./OpenJDK-assembly-exception-1.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./OpenJDK-assembly-exception-1.0.html",
"referenceNumber": 24,
"name": "OpenJDK Assembly exception 1.0",
"licenseExceptionId": "OpenJDK-assembly-exception-1.0",
"seeAlso": [
"http://openjdk.java.net/legal/assembly-exception.html"
]
},
{
"reference": "./openvpn-openssl-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./openvpn-openssl-exception.html",
"referenceNumber": 43,
"name": "OpenVPN OpenSSL Exception",
"licenseExceptionId": "openvpn-openssl-exception",
"seeAlso": [
"http://openvpn.net/index.php/license.html"
]
},
{
"reference": "./PS-or-PDF-font-exception-20170817.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./PS-or-PDF-font-exception-20170817.html",
"referenceNumber": 45,
"name": "PS/PDF font exception (2017-08-17)",
"licenseExceptionId": "PS-or-PDF-font-exception-20170817",
"seeAlso": [
"https://github.com/ArtifexSoftware/urw-base35-fonts/blob/65962e27febc3883a17e651cdb23e783668c996f/LICENSE"
]
},
{
"reference": "./QPL-1.0-INRIA-2004-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./QPL-1.0-INRIA-2004-exception.html",
"referenceNumber": 44,
"name": "INRIA QPL 1.0 2004 variant exception",
"licenseExceptionId": "QPL-1.0-INRIA-2004-exception",
"seeAlso": [
"https://git.frama-c.com/pub/frama-c/-/blob/master/licenses/Q_MODIFIED_LICENSE",
"https://github.com/maranget/hevea/blob/master/LICENSE"
]
},
{
"reference": "./Qt-GPL-exception-1.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Qt-GPL-exception-1.0.html",
"referenceNumber": 10,
"name": "Qt GPL exception 1.0",
"licenseExceptionId": "Qt-GPL-exception-1.0",
"seeAlso": [
"http://code.qt.io/cgit/qt/qtbase.git/tree/LICENSE.GPL3-EXCEPT"
]
},
{
"reference": "./Qt-LGPL-exception-1.1.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Qt-LGPL-exception-1.1.html",
"referenceNumber": 16,
"name": "Qt LGPL exception 1.1",
"licenseExceptionId": "Qt-LGPL-exception-1.1",
"seeAlso": [
"http://code.qt.io/cgit/qt/qtbase.git/tree/LGPL_EXCEPTION.txt"
]
},
{
"reference": "./Qwt-exception-1.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Qwt-exception-1.0.html",
"referenceNumber": 51,
"name": "Qwt exception 1.0",
"licenseExceptionId": "Qwt-exception-1.0",
"seeAlso": [
"http://qwt.sourceforge.net/qwtlicense.html"
]
},
{
"reference": "./SHL-2.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./SHL-2.0.html",
"referenceNumber": 26,
"name": "Solderpad Hardware License v2.0",
"licenseExceptionId": "SHL-2.0",
"seeAlso": [
"https://solderpad.org/licenses/SHL-2.0/"
]
},
{
"reference": "./SHL-2.1.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./SHL-2.1.html",
"referenceNumber": 23,
"name": "Solderpad Hardware License v2.1",
"licenseExceptionId": "SHL-2.1",
"seeAlso": [
"https://solderpad.org/licenses/SHL-2.1/"
]
},
{
"reference": "./SWI-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./SWI-exception.html",
"referenceNumber": 22,
"name": "SWI exception",
"licenseExceptionId": "SWI-exception",
"seeAlso": [
"https://github.com/SWI-Prolog/packages-clpqr/blob/bfa80b9270274f0800120d5b8e6fef42ac2dc6a5/clpqr/class.pl"
]
},
{
"reference": "./Swift-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Swift-exception.html",
"referenceNumber": 46,
"name": "Swift Exception",
"licenseExceptionId": "Swift-exception",
"seeAlso": [
"https://swift.org/LICENSE.txt",
"https://github.com/apple/swift-package-manager/blob/7ab2275f447a5eb37497ed63a9340f8a6d1e488b/LICENSE.txt#L205"
]
},
{
"reference": "./u-boot-exception-2.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./u-boot-exception-2.0.html",
"referenceNumber": 5,
"name": "U-Boot exception 2.0",
"licenseExceptionId": "u-boot-exception-2.0",
"seeAlso": [
"http://git.denx.de/?p\u003du-boot.git;a\u003dblob;f\u003dLicenses/Exceptions"
]
},
{
"reference": "./Universal-FOSS-exception-1.0.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./Universal-FOSS-exception-1.0.html",
"referenceNumber": 12,
"name": "Universal FOSS Exception, Version 1.0",
"licenseExceptionId": "Universal-FOSS-exception-1.0",
"seeAlso": [
"https://oss.oracle.com/licenses/universal-foss-exception/"
]
},
{
"reference": "./vsftpd-openssl-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./vsftpd-openssl-exception.html",
"referenceNumber": 56,
"name": "vsftpd OpenSSL exception",
"licenseExceptionId": "vsftpd-openssl-exception",
"seeAlso": [
"https://git.stg.centos.org/source-git/vsftpd/blob/f727873674d9c9cd7afcae6677aa782eb54c8362/f/LICENSE",
"https://launchpad.net/debian/squeeze/+source/vsftpd/+copyright",
"https://github.com/richardcochran/vsftpd/blob/master/COPYING"
]
},
{
"reference": "./WxWindows-exception-3.1.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./WxWindows-exception-3.1.html",
"referenceNumber": 25,
"name": "WxWindows Library Exception 3.1",
"licenseExceptionId": "WxWindows-exception-3.1",
"seeAlso": [
"http://www.opensource.org/licenses/WXwindows"
]
},
{
"reference": "./x11vnc-openssl-exception.json",
"isDeprecatedLicenseId": false,
"detailsUrl": "./x11vnc-openssl-exception.html",
"referenceNumber": 6,
"name": "x11vnc OpenSSL Exception",
"licenseExceptionId": "x11vnc-openssl-exception",
"seeAlso": [
"https://github.com/LibVNC/x11vnc/blob/master/src/8to24.c#L22"
]
}
],
"releaseDate": "2023-06-18"
}

7011
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Resources/spdx-license-list-3.21.json Normal file
View File

File diff suppressed because it is too large Load Diff

211
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/SbomAdvisoryMatcher.cs
View File

@@ -6,11 +6,14 @@
// -----------------------------------------------------------------------------
using System.Collections.Concurrent;
using System.Collections.Immutable;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Concelier.Core.Canonical;
using StellaOps.Concelier.SbomIntegration.Models;
using StellaOps.Concelier.SbomIntegration.Vex;
namespace StellaOps.Concelier.SbomIntegration;
@@ -22,15 +25,27 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
private readonly ICanonicalAdvisoryService _canonicalService;
private readonly ILogger<SbomAdvisoryMatcher> _logger;
private readonly TimeProvider _timeProvider;
private readonly IVexConsumer? _vexConsumer;
private readonly ISbomRepository? _sbomRepository;
private readonly IVexConsumptionPolicyLoader? _policyLoader;
private readonly VexConsumptionOptions _vexOptions;
public SbomAdvisoryMatcher(
ICanonicalAdvisoryService canonicalService,
ILogger<SbomAdvisoryMatcher> logger,
TimeProvider? timeProvider = null)
TimeProvider? timeProvider = null,
IVexConsumer? vexConsumer = null,
ISbomRepository? sbomRepository = null,
IVexConsumptionPolicyLoader? policyLoader = null,
IOptions<VexConsumptionOptions>? vexOptions = null)
{
_canonicalService = canonicalService ?? throw new ArgumentNullException(nameof(canonicalService));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_timeProvider = timeProvider ?? TimeProvider.System;
_vexConsumer = vexConsumer;
_sbomRepository = sbomRepository;
_policyLoader = policyLoader;
_vexOptions = vexOptions?.Value ?? new VexConsumptionOptions();
}
/// <inheritdoc />
@@ -50,6 +65,9 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
return [];
}
var vexContext = await BuildVexContextAsync(sbomDigest, cancellationToken)
.ConfigureAwait(false);
_logger.LogDebug("Matching {PurlCount} PURLs against canonical advisories", purlList.Count);
var matches = new ConcurrentBag<SbomAdvisoryMatch>();
@@ -69,6 +87,7 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
purl,
reachabilityMap,
deploymentMap,
vexContext,
cancellationToken).ConfigureAwait(false);
foreach (var match in purlMatches)
@@ -155,6 +174,7 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
string purl,
IReadOnlyDictionary<string, bool>? reachabilityMap,
IReadOnlyDictionary<string, bool>? deploymentMap,
VexContext? vexContext,
CancellationToken cancellationToken)
{
try
@@ -173,18 +193,33 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
var matchedAt = _timeProvider.GetUtcNow();
return advisories.Select(advisory => new SbomAdvisoryMatch
var results = new List<SbomAdvisoryMatch>();
foreach (var advisory in advisories)
{
Id = ComputeDeterministicMatchId(sbomDigest, purl, advisory.Id),
SbomId = sbomId,
SbomDigest = sbomDigest,
CanonicalId = advisory.Id,
Purl = purl,
Method = matchMethod,
IsReachable = isReachable,
IsDeployed = isDeployed,
MatchedAt = matchedAt
}).ToList();
if (ShouldFilterByVex(advisory, purl, vexContext))
{
_logger.LogDebug(
"Filtered advisory {CanonicalId} for PURL {Purl} due to VEX status",
advisory.Id,
purl);
continue;
}
results.Add(new SbomAdvisoryMatch
{
Id = ComputeDeterministicMatchId(sbomDigest, purl, advisory.Id),
SbomId = sbomId,
SbomDigest = sbomDigest,
CanonicalId = advisory.Id,
Purl = purl,
Method = matchMethod,
IsReachable = isReachable,
IsDeployed = isDeployed,
MatchedAt = matchedAt
});
}
return results;
}
catch (Exception ex)
{
@@ -294,4 +329,156 @@ public sealed class SbomAdvisoryMatcher : ISbomAdvisoryMatcher
var hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(input))[..16];
return new Guid(hashBytes);
}
private async Task<VexContext?> BuildVexContextAsync(string sbomDigest, CancellationToken cancellationToken)
{
if (_vexConsumer is null || _sbomRepository is null || _policyLoader is null)
{
return null;
}
if (!_vexOptions.Enabled || _vexOptions.IgnoreVex)
{
return null;
}
if (string.IsNullOrWhiteSpace(sbomDigest))
{
return null;
}
var sbom = await _sbomRepository.GetByArtifactDigestAsync(sbomDigest, cancellationToken)
.ConfigureAwait(false);
if (sbom is null)
{
return null;
}
var policy = await _policyLoader.LoadAsync(_vexOptions.PolicyPath, cancellationToken)
.ConfigureAwait(false);
policy = ApplyOverrides(policy);
VexConsumptionResult result;
if (_vexConsumer is VexConsumer consumer)
{
result = await consumer.ConsumeFromSbomAsync(sbom, policy, cancellationToken)
.ConfigureAwait(false);
}
else
{
result = await _vexConsumer.ConsumeAsync(sbom.Vulnerabilities, policy, cancellationToken)
.ConfigureAwait(false);
}
var lookup = result.Statements
.GroupBy(statement => statement.VulnerabilityId, StringComparer.OrdinalIgnoreCase)
.ToDictionary(
group => group.Key,
group => SelectPreferredStatement(group.ToList()),
StringComparer.OrdinalIgnoreCase);
return new VexContext(policy, lookup);
}
private static ConsumedVexStatement SelectPreferredStatement(IReadOnlyList<ConsumedVexStatement> statements)
{
return statements
.OrderByDescending(statement => statement.TrustLevel.ToRank())
.ThenByDescending(statement => statement.Timestamp ?? DateTimeOffset.MinValue)
.First();
}
private VexConsumptionPolicy ApplyOverrides(VexConsumptionPolicy policy)
{
if (_vexOptions.TrustEmbeddedVex.HasValue)
{
policy = policy with { TrustEmbeddedVex = _vexOptions.TrustEmbeddedVex.Value };
}
if (_vexOptions.MinimumTrustLevel.HasValue)
{
policy = policy with { MinimumTrustLevel = _vexOptions.MinimumTrustLevel.Value };
}
if (_vexOptions.FilterNotAffected.HasValue)
{
policy = policy with { FilterNotAffected = _vexOptions.FilterNotAffected.Value };
}
if (_vexOptions.ExternalVexSources is { Length: > 0 })
{
policy = policy with
{
MergePolicy = policy.MergePolicy with
{
ExternalSources = BuildExternalSources(_vexOptions.ExternalVexSources)
}
};
}
return policy;
}
private static ImmutableArray<VexExternalSource> BuildExternalSources(string[] sources)
{
return sources
.Where(source => !string.IsNullOrWhiteSpace(source))
.Select(source => new VexExternalSource
{
Type = "external",
Url = source.Trim()
})
.ToImmutableArray();
}
private static bool ShouldFilterByVex(
CanonicalAdvisory advisory,
string purl,
VexContext? vexContext)
{
if (vexContext is null)
{
return false;
}
if (!vexContext.Statements.TryGetValue(advisory.Cve, out var statement))
{
return false;
}
if (!AppliesToComponent(statement, purl))
{
return false;
}
return statement.Status == VexStatus.NotAffected && vexContext.Policy.FilterNotAffected;
}
private static bool AppliesToComponent(ConsumedVexStatement statement, string purl)
{
if (statement.AffectedComponents.IsDefaultOrEmpty)
{
return true;
}
var normalized = NormalizePurl(purl);
foreach (var component in statement.AffectedComponents)
{
if (string.IsNullOrWhiteSpace(component))
{
continue;
}
if (string.Equals(NormalizePurl(component), normalized, StringComparison.OrdinalIgnoreCase))
{
return true;
}
}
return false;
}
private sealed record VexContext(
VexConsumptionPolicy Policy,
IReadOnlyDictionary<string, ConsumedVexStatement> Statements);
}

26
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/ServiceCollectionExtensions.cs
View File

@@ -9,8 +9,10 @@ using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using StellaOps.Concelier.SbomIntegration.Events;
using StellaOps.Concelier.SbomIntegration.Index;
using StellaOps.Concelier.SbomIntegration.Licensing;
using StellaOps.Concelier.SbomIntegration.Matching;
using StellaOps.Concelier.SbomIntegration.Parsing;
using StellaOps.Concelier.SbomIntegration.Vex;
namespace StellaOps.Concelier.SbomIntegration;
@@ -28,7 +30,17 @@ public static class ServiceCollectionExtensions
{
// Register parser
services.TryAddSingleton<ISbomParser, SbomParser>();
services.TryAddSingleton<IParsedSbomParser, ParsedSbomParser>();
services.TryAddSingleton<IParsedSbomParser, ParsedSbomParser>();
services.TryAddSingleton<ILicenseExpressionValidator, SpdxLicenseExpressionValidator>();
services.AddOptions<VexConsumptionOptions>();
services.TryAddSingleton<IVexConsumptionPolicyLoader, VexConsumptionPolicyLoader>();
services.TryAddSingleton<IVexTrustEvaluator, VexTrustEvaluator>();
services.TryAddSingleton<IVexConflictResolver, VexConflictResolver>();
services.TryAddSingleton<IVexMerger, VexMerger>();
services.TryAddSingleton<IVexStatementExtractor, CycloneDxVexExtractor>();
services.TryAddSingleton<IVexStatementExtractor, SpdxVexExtractor>();
services.TryAddSingleton<IVexConsumer, VexConsumer>();
services.TryAddSingleton<IVexConsumptionReporter, VexConsumptionReporter>();
// Register PURL index (requires Valkey connection)
services.TryAddSingleton<IPurlCanonicalIndex, ValkeyPurlCanonicalIndex>();
@@ -53,7 +65,17 @@ public static class ServiceCollectionExtensions
{
// Register parser
services.TryAddSingleton<ISbomParser, SbomParser>();
services.TryAddSingleton<IParsedSbomParser, ParsedSbomParser>();
services.TryAddSingleton<IParsedSbomParser, ParsedSbomParser>();
services.TryAddSingleton<ILicenseExpressionValidator, SpdxLicenseExpressionValidator>();
services.AddOptions<VexConsumptionOptions>();
services.TryAddSingleton<IVexConsumptionPolicyLoader, VexConsumptionPolicyLoader>();
services.TryAddSingleton<IVexTrustEvaluator, VexTrustEvaluator>();
services.TryAddSingleton<IVexConflictResolver, VexConflictResolver>();
services.TryAddSingleton<IVexMerger, VexMerger>();
services.TryAddSingleton<IVexStatementExtractor, CycloneDxVexExtractor>();
services.TryAddSingleton<IVexStatementExtractor, SpdxVexExtractor>();
services.TryAddSingleton<IVexConsumer, VexConsumer>();
services.TryAddSingleton<IVexConsumptionReporter, VexConsumptionReporter>();
// Register PURL index (requires Valkey connection)
services.TryAddSingleton<IPurlCanonicalIndex, ValkeyPurlCanonicalIndex>();

6
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/StellaOps.Concelier.SbomIntegration.csproj
View File

@@ -19,6 +19,12 @@
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
<PackageReference Include="Microsoft.Extensions.Options" />
<PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" />
<PackageReference Include="YamlDotNet" />
</ItemGroup>
<ItemGroup>
<EmbeddedResource Include="Resources\spdx-license-list-3.21.json" />
<EmbeddedResource Include="Resources\spdx-license-exceptions-3.21.json" />
</ItemGroup>
<ItemGroup>

37
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/TASKS.md
View File

@@ -9,15 +9,28 @@ Source of truth: `docs-archived/implplan/2025-12-29-csproj-audit/SPRINT_20251229
| AUDIT-0237-M | DONE | Revalidated 2026-01-07. |
| AUDIT-0237-T | DONE | Revalidated 2026-01-07. |
| AUDIT-0237-A | TODO | Revalidated 2026-01-07 (open findings). |
| TASK-015-001 | DOING | ParsedSbom model scaffolding. |
| TASK-015-002 | DOING | ParsedService model scaffolding. |
| TASK-015-003 | DOING | ParsedCryptoProperties model scaffolding. |
| TASK-015-004 | DOING | ParsedModelCard model scaffolding. |
| TASK-015-005 | DOING | CycloneDX formulation parsing + tests added; SPDX build parsing added. |
| TASK-015-006 | DOING | ParsedVulnerability/VEX model scaffolding. |
| TASK-015-007 | DOING | ParsedLicense model scaffolding. |
| TASK-015-007a | DOING | CycloneDX license extraction expansion. |
| TASK-015-007b | DOING | SPDX licensing profile extraction expansion. |
| TASK-015-008 | DOING | CycloneDX extraction now covers formulation; tests updated. |
| TASK-015-009 | DOING | ParsedSbomParser SPDX 3.0.1 extraction baseline + build profile. |
| TASK-015-010 | DOING | ParsedSbom adapter + framework reference added; Artifact.Infrastructure build errors block tests. |
| TASK-015-001 | DONE | ParsedSbom model covers CycloneDX/SPDX concepts with immutable collections. |
| TASK-015-002 | DONE | ParsedService + ParsedDataFlow model covers nested services and flows. |
| TASK-015-003 | DONE | ParsedCryptoProperties model covers algorithm/certificate/protocol details. |
| TASK-015-004 | DONE | ParsedModelCard model covers AI profile inputs, metrics, and considerations. |
| TASK-015-005 | DONE | ParsedFormulation + ParsedBuildInfo modeled and parsed for CycloneDX/SPDX. |
| TASK-015-006 | DONE | ParsedVulnerability/VEX parsing (CycloneDX + SPDX) complete. |
| TASK-015-007 | DONE | ParsedLicense model with AST expressions and terms. |
| TASK-015-007a | DONE | CycloneDX license extraction covers expressions, terms, and text. |
| TASK-015-007b | DONE | SPDX licensing profile extraction expansion. |
| TASK-015-007c | DONE | SPDX license expression validator + embedded license lists. |
| TASK-015-007d | DONE | Added license query contract + inventory summary types. |
| TASK-015-008 | DONE | CycloneDX extraction now covers compositions, annotations, declarations/definitions, signature, and swid; tests updated. |
| TASK-015-009 | DONE | SPDX 3.0.1 extraction now covers AI/dataset/file/snippet/sbomType; tests updated. |
| TASK-015-010 | DONE | CycloneDxExtractor now exposes ParsedSbom extraction while preserving legacy metadata API. |
| TASK-015-011 | DONE | ISbomRepository contract added for enriched SBOM storage. |
| TASK-020-001 | DONE | VEX consumption interfaces and models established. |
| TASK-020-002 | DONE | CycloneDX VEX extractor maps vulnerabilities to statements. |
| TASK-020-003 | DONE | SPDX VEX extractor maps Security profile assessments. |
| TASK-020-004 | DONE | Trust evaluator enforces signer/timestamp rules. |
| TASK-020-005 | DONE | Conflict resolver implements resolution strategies. |
| TASK-020-006 | DONE | VEX merger supports union/intersection/priority modes. |
| TASK-020-007 | DONE | VEX consumption policy defaults + loader added. |
| TASK-020-008 | DONE | SbomAdvisoryMatcher filters NotAffected VEX entries. |
| TASK-020-009 | DONE | VEX pipeline integrated with matcher and policy options. |
| TASK-020-010 | DONE | VEX consumption reporter outputs JSON/SARIF/text. |

17
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/IVexConsumer.cs Normal file
View File

@@ -0,0 +1,17 @@
using StellaOps.Concelier.SbomIntegration.Models;
namespace StellaOps.Concelier.SbomIntegration.Vex;
public interface IVexConsumer
{
Task<VexConsumptionResult> ConsumeAsync(
IReadOnlyList<ParsedVulnerability> sbomVulnerabilities,
VexConsumptionPolicy policy,
CancellationToken ct = default);
Task<MergedVulnerabilityStatus> MergeWithExternalVexAsync(
IReadOnlyList<ParsedVulnerability> sbomVex,
IReadOnlyList<VexStatement> externalVex,
VexMergePolicy mergePolicy,
CancellationToken ct = default);
}

90
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConflictResolver.cs Normal file
View File

@@ -0,0 +1,90 @@
using System.Collections.Immutable;
namespace StellaOps.Concelier.SbomIntegration.Vex;
public interface IVexConflictResolver
{
VexConflictResolution Resolve(
string vulnerabilityId,
IReadOnlyList<VexStatement> statements,
VexConflictResolutionStrategy strategy);
}
public sealed class VexConflictResolver : IVexConflictResolver
{
public VexConflictResolution Resolve(
string vulnerabilityId,
IReadOnlyList<VexStatement> statements,
VexConflictResolutionStrategy strategy)
{
if (statements.Count == 0)
{
return new VexConflictResolution
{
VulnerabilityId = vulnerabilityId,
Strategy = strategy,
Candidates = []
};
}
var orderedCandidates = statements
.OrderBy(s => s.Status)
.ThenBy(s => s.Source)
.ThenBy(s => s.VulnerabilityId, StringComparer.OrdinalIgnoreCase)
.ToImmutableArray();
var selected = strategy switch
{
VexConflictResolutionStrategy.HighestTrust => SelectByTrust(statements),
VexConflictResolutionStrategy.ProducerWins => SelectByProducer(statements),
VexConflictResolutionStrategy.MostSpecific => SelectBySpecificity(statements),
_ => SelectByTimestamp(statements)
};
return new VexConflictResolution
{
VulnerabilityId = vulnerabilityId,
Strategy = strategy,
Candidates = orderedCandidates,
Selected = selected
};
}
private static VexStatement SelectByTrust(IEnumerable<VexStatement> statements)
{
return statements
.OrderByDescending(statement => statement.TrustLevel.ToRank())
.ThenByDescending(statement => statement.Timestamp ?? DateTimeOffset.MinValue)
.First();
}
private static VexStatement SelectByProducer(IEnumerable<VexStatement> statements)
{
var producer = statements
.Where(statement => statement.IsProducerStatement || statement.Source == VexSource.SbomEmbedded)
.OrderByDescending(statement => statement.TrustLevel.ToRank())
.ThenByDescending(statement => statement.Timestamp ?? DateTimeOffset.MinValue)
.FirstOrDefault();
return producer ?? SelectByTrust(statements);
}
private static VexStatement SelectBySpecificity(IEnumerable<VexStatement> statements)
{
return statements
.OrderBy(statement => statement.AffectedComponents.IsDefaultOrEmpty
? int.MaxValue
: statement.AffectedComponents.Length)
.ThenByDescending(statement => statement.TrustLevel.ToRank())
.ThenByDescending(statement => statement.Timestamp ?? DateTimeOffset.MinValue)
.First();
}
private static VexStatement SelectByTimestamp(IEnumerable<VexStatement> statements)
{
return statements
.OrderByDescending(statement => statement.Timestamp ?? DateTimeOffset.MinValue)
.ThenByDescending(statement => statement.TrustLevel.ToRank())
.First();
}
}

182
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumer.cs Normal file
View File

@@ -0,0 +1,182 @@
using System.Collections.Immutable;
using StellaOps.Concelier.SbomIntegration.Models;
namespace StellaOps.Concelier.SbomIntegration.Vex;
public sealed class VexConsumer : IVexConsumer
{
private readonly IVexTrustEvaluator _trustEvaluator;
private readonly IVexMerger _merger;
private readonly IReadOnlyList<IVexStatementExtractor> _extractors;
public VexConsumer(
IVexTrustEvaluator trustEvaluator,
IVexMerger merger,
IEnumerable<IVexStatementExtractor> extractors)
{
_trustEvaluator = trustEvaluator ?? throw new ArgumentNullException(nameof(trustEvaluator));
_merger = merger ?? throw new ArgumentNullException(nameof(merger));
_extractors = extractors?.ToList() ?? throw new ArgumentNullException(nameof(extractors));
}
public Task<VexConsumptionResult> ConsumeAsync(
IReadOnlyList<ParsedVulnerability> sbomVulnerabilities,
VexConsumptionPolicy policy,
CancellationToken ct = default)
{
ArgumentNullException.ThrowIfNull(sbomVulnerabilities);
ArgumentNullException.ThrowIfNull(policy);
var statements = VexStatementMapper.Map(sbomVulnerabilities, VexSource.SbomEmbedded);
return Task.FromResult(EvaluateStatements(statements, policy));
}
public Task<MergedVulnerabilityStatus> MergeWithExternalVexAsync(
IReadOnlyList<ParsedVulnerability> sbomVex,
IReadOnlyList<VexStatement> externalVex,
VexMergePolicy mergePolicy,
CancellationToken ct = default)
{
ArgumentNullException.ThrowIfNull(sbomVex);
ArgumentNullException.ThrowIfNull(externalVex);
ArgumentNullException.ThrowIfNull(mergePolicy);
var embeddedStatements = VexStatementMapper.Map(sbomVex, VexSource.SbomEmbedded)
.Select(statement => statement with
{
TrustLevel = _trustEvaluator.Evaluate(statement, VexConsumptionPolicyDefaults.Default).TrustLevel
})
.ToList();
var externalStatements = externalVex
.Select(statement => statement with
{
TrustLevel = _trustEvaluator.Evaluate(statement, VexConsumptionPolicyDefaults.Default).TrustLevel
})
.ToList();
var merged = _merger.Merge(
embeddedStatements,
externalStatements,
mergePolicy,
mergePolicy.ConflictStrategy);
return Task.FromResult(merged);
}
public Task<VexConsumptionResult> ConsumeFromSbomAsync(
ParsedSbom sbom,
VexConsumptionPolicy policy,
CancellationToken ct = default)
{
ArgumentNullException.ThrowIfNull(sbom);
ArgumentNullException.ThrowIfNull(policy);
var extractor = _extractors.FirstOrDefault(x => x.CanHandle(sbom));
var statements = extractor is null
? VexStatementMapper.Map(sbom.Vulnerabilities, VexSource.SbomEmbedded)
: extractor.Extract(sbom);
return Task.FromResult(EvaluateStatements(statements, policy));
}
private VexConsumptionResult EvaluateStatements(
IReadOnlyList<VexStatement> statements,
VexConsumptionPolicy policy)
{
var warnings = new List<VexConsumptionWarning>();
var consumed = new List<ConsumedVexStatement>();
foreach (var statement in statements)
{
var evaluation = _trustEvaluator.Evaluate(statement, policy);
warnings.AddRange(evaluation.Warnings);
var trust = evaluation.TrustLevel;
if (statement.Status == VexStatus.NotAffected)
{
if (policy.JustificationRequirements.RequireJustificationForNotAffected
&& !IsAcceptedJustification(statement.Justification, policy.JustificationRequirements.AcceptedJustifications))
{
trust = VexTrustLevel.Untrusted;
warnings.Add(BuildWarning(
"vex.justification.missing",
"NotAffected VEX statement lacks an accepted justification.",
statement));
}
}
if (trust.ToRank() < policy.MinimumTrustLevel.ToRank())
{
warnings.Add(BuildWarning(
"vex.trust.too_low",
"VEX statement trust level is below the minimum policy threshold.",
statement));
continue;
}
consumed.Add(new ConsumedVexStatement
{
VulnerabilityId = statement.VulnerabilityId,
Status = statement.Status,
Justification = statement.Justification,
ActionStatement = statement.ActionStatement,
AffectedComponents = statement.AffectedComponents,
Timestamp = statement.Timestamp,
Source = statement.Source,
TrustLevel = trust
});
}
var overallTrust = consumed.Count == 0
? VexTrustLevel.Untrusted
: consumed.OrderBy(item => item.TrustLevel.ToRank()).First().TrustLevel;
return new VexConsumptionResult
{
Statements = consumed.ToImmutableArray(),
Warnings = warnings.ToImmutableArray(),
OverallTrustLevel = overallTrust
};
}
private static bool IsAcceptedJustification(
VexJustification? justification,
ImmutableArray<string> accepted)
{
if (accepted.IsDefaultOrEmpty)
{
return true;
}
if (justification is null)
{
return false;
}
var normalized = NormalizeToken(justification.Value.ToString());
return accepted.Any(value => NormalizeToken(value) == normalized);
}
private static string NormalizeToken(string value)
{
var normalized = new string(value
.Where(ch => ch != '_' && ch != '-' && !char.IsWhiteSpace(ch))
.ToArray());
return normalized.ToLowerInvariant();
}
private static VexConsumptionWarning BuildWarning(
string code,
string message,
VexStatement statement)
{
return new VexConsumptionWarning
{
Code = code,
Message = message,
VulnerabilityId = statement.VulnerabilityId,
Source = statement.Source
};
}
}

110
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionModels.cs Normal file
View File

@@ -0,0 +1,110 @@
using System.Collections.Immutable;
using StellaOps.Concelier.SbomIntegration.Models;
namespace StellaOps.Concelier.SbomIntegration.Vex;
public sealed record VexConsumptionResult
{
public ImmutableArray<ConsumedVexStatement> Statements { get; init; } = [];
public ImmutableArray<VexConsumptionWarning> Warnings { get; init; } = [];
public VexTrustLevel OverallTrustLevel { get; init; } = VexTrustLevel.Untrusted;
}
public sealed record ConsumedVexStatement
{
public required string VulnerabilityId { get; init; }
public required VexStatus Status { get; init; }
public VexJustification? Justification { get; init; }
public string? ActionStatement { get; init; }
public ImmutableArray<string> AffectedComponents { get; init; } = [];
public DateTimeOffset? Timestamp { get; init; }
public VexSource Source { get; init; }
public VexTrustLevel TrustLevel { get; init; }
}
public sealed record VexStatement
{
public required string VulnerabilityId { get; init; }
public required VexStatus Status { get; init; }
public VexJustification? Justification { get; init; }
public string? ActionStatement { get; init; }
public ImmutableArray<string> AffectedComponents { get; init; } = [];
public DateTimeOffset? Timestamp { get; init; }
public VexSource Source { get; init; }
public VexTrustLevel TrustLevel { get; init; } = VexTrustLevel.Unverified;
public string? Issuer { get; init; }
public string? DocumentId { get; init; }
public bool IsProducerStatement { get; init; }
}
public sealed record VexConsumptionWarning
{
public required string Code { get; init; }
public required string Message { get; init; }
public string? VulnerabilityId { get; init; }
public VexSource? Source { get; init; }
}
public sealed record VexAwareMatchResult
{
public required string VulnerabilityId { get; init; }
public required string ComponentPurl { get; init; }
public VexStatus? VexStatus { get; init; }
public VexJustification? Justification { get; init; }
public VexSource? VexSource { get; init; }
public bool FilteredByVex { get; init; }
}
public sealed record MergedVulnerabilityStatus
{
public ImmutableArray<VexStatement> Statements { get; init; } = [];
public ImmutableArray<VexConflictResolution> Conflicts { get; init; } = [];
}
public sealed record VexConflictResolution
{
public required string VulnerabilityId { get; init; }
public required VexConflictResolutionStrategy Strategy { get; init; }
public ImmutableArray<VexStatement> Candidates { get; init; } = [];
public VexStatement? Selected { get; init; }
public string? Notes { get; init; }
}
public enum VexStatus
{
NotAffected,
Affected,
Fixed,
UnderInvestigation
}
public enum VexSource
{
SbomEmbedded,
External,
Merged
}
public enum VexTrustLevel
{
Verified,
Trusted,
Unverified,
Untrusted
}
public enum VexConflictResolutionStrategy
{
MostRecent,
HighestTrust,
ProducerWins,
MostSpecific
}
public enum VexMergeMode
{
Union,
Intersection,
ExternalPriority,
EmbeddedPriority
}

12
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionOptions.cs Normal file
View File

@@ -0,0 +1,12 @@
namespace StellaOps.Concelier.SbomIntegration.Vex;
public sealed class VexConsumptionOptions
{
public bool Enabled { get; set; } = true;
public bool IgnoreVex { get; set; }
public string? PolicyPath { get; set; }
public bool? TrustEmbeddedVex { get; set; }
public VexTrustLevel? MinimumTrustLevel { get; set; }
public bool? FilterNotAffected { get; set; }
public string[]? ExternalVexSources { get; set; }
}

93
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicy.cs Normal file
View File

@@ -0,0 +1,93 @@
using System.Collections.Immutable;
namespace StellaOps.Concelier.SbomIntegration.Vex;
public sealed record VexConsumptionPolicy
{
public bool TrustEmbeddedVex { get; init; } = true;
public VexTrustLevel MinimumTrustLevel { get; init; } = VexTrustLevel.Unverified;
public bool FilterNotAffected { get; init; } = true;
public SignatureRequirements SignatureRequirements { get; init; } = new();
public TimestampRequirements TimestampRequirements { get; init; } = new();
public ConflictResolutionPolicy ConflictResolution { get; init; } = new();
public VexMergePolicy MergePolicy { get; init; } = new();
public JustificationRequirements JustificationRequirements { get; init; } = new();
}
public sealed record SignatureRequirements
{
public bool RequireSignedVex { get; init; }
public ImmutableArray<string> TrustedSigners { get; init; } = [];
}
public sealed record TimestampRequirements
{
public int MaxAgeHours { get; init; } = 720;
public bool RequireTimestamp { get; init; } = true;
}
public sealed record ConflictResolutionPolicy
{
public VexConflictResolutionStrategy Strategy { get; init; } = VexConflictResolutionStrategy.MostRecent;
public bool LogConflicts { get; init; } = true;
}
public sealed record VexMergePolicy
{
public VexMergeMode Mode { get; init; } = VexMergeMode.Union;
public ImmutableArray<VexExternalSource> ExternalSources { get; init; } = [];
public VexConflictResolutionStrategy ConflictStrategy { get; init; } = VexConflictResolutionStrategy.MostRecent;
}
public sealed record VexExternalSource
{
public required string Type { get; init; }
public required string Url { get; init; }
}
public sealed record JustificationRequirements
{
public bool RequireJustificationForNotAffected { get; init; } = true;
public ImmutableArray<string> AcceptedJustifications { get; init; } = [];
}
public static class VexConsumptionPolicyDefaults
{
public static VexConsumptionPolicy Default { get; } = new()
{
TrustEmbeddedVex = true,
MinimumTrustLevel = VexTrustLevel.Unverified,
FilterNotAffected = true,
SignatureRequirements = new SignatureRequirements
{
RequireSignedVex = false,
TrustedSigners = []
},
TimestampRequirements = new TimestampRequirements
{
MaxAgeHours = 720,
RequireTimestamp = true
},
ConflictResolution = new ConflictResolutionPolicy
{
Strategy = VexConflictResolutionStrategy.MostRecent,
LogConflicts = true
},
MergePolicy = new VexMergePolicy
{
Mode = VexMergeMode.Union,
ExternalSources = [],
ConflictStrategy = VexConflictResolutionStrategy.MostRecent
},
JustificationRequirements = new JustificationRequirements
{
RequireJustificationForNotAffected = true,
AcceptedJustifications = [
"component_not_present",
"vulnerable_code_not_present",
"vulnerable_code_not_in_execute_path",
"inline_mitigations_already_exist"
]
}
};
}

81
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicyLoader.cs Normal file
View File

@@ -0,0 +1,81 @@
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
using YamlDotNet.Serialization;
using YamlDotNet.Serialization.NamingConventions;
namespace StellaOps.Concelier.SbomIntegration.Vex;
public interface IVexConsumptionPolicyLoader
{
Task<VexConsumptionPolicy> LoadAsync(string? path, CancellationToken ct = default);
}
public sealed class VexConsumptionPolicyLoader : IVexConsumptionPolicyLoader
{
private static readonly JsonSerializerOptions JsonOptions = CreateJsonOptions();
private readonly IDeserializer _yamlDeserializer = new DeserializerBuilder()
.WithNamingConvention(CamelCaseNamingConvention.Instance)
.Build();
public async Task<VexConsumptionPolicy> LoadAsync(string? path, CancellationToken ct = default)
{
if (string.IsNullOrWhiteSpace(path) || !File.Exists(path))
{
return VexConsumptionPolicyDefaults.Default;
}
var extension = Path.GetExtension(path).ToLowerInvariant();
await using var stream = File.OpenRead(path);
return extension switch
{
".yaml" or ".yml" => LoadFromYaml(stream),
_ => await LoadFromJsonAsync(stream, ct).ConfigureAwait(false)
};
}
private VexConsumptionPolicy LoadFromYaml(Stream stream)
{
using var reader = new StreamReader(stream, Encoding.UTF8, leaveOpen: true);
var yamlObject = _yamlDeserializer.Deserialize(reader);
if (yamlObject is null)
{
return VexConsumptionPolicyDefaults.Default;
}
var payload = JsonSerializer.Serialize(yamlObject);
using var document = JsonDocument.Parse(payload);
return ExtractPolicy(document.RootElement);
}
private static async Task<VexConsumptionPolicy> LoadFromJsonAsync(Stream stream, CancellationToken ct)
{
using var document = await JsonDocument.ParseAsync(stream, cancellationToken: ct)
.ConfigureAwait(false);
return ExtractPolicy(document.RootElement);
}
private static VexConsumptionPolicy ExtractPolicy(JsonElement root)
{
if (root.ValueKind == JsonValueKind.Object
&& root.TryGetProperty("vexConsumptionPolicy", out var policyElement))
{
return JsonSerializer.Deserialize<VexConsumptionPolicy>(policyElement, JsonOptions)
?? VexConsumptionPolicyDefaults.Default;
}
return JsonSerializer.Deserialize<VexConsumptionPolicy>(root, JsonOptions)
?? VexConsumptionPolicyDefaults.Default;
}
private static JsonSerializerOptions CreateJsonOptions()
{
var options = new JsonSerializerOptions(JsonSerializerDefaults.Web)
{
PropertyNameCaseInsensitive = true
};
options.Converters.Add(new JsonStringEnumConverter(JsonNamingPolicy.CamelCase));
return options;
}
}

167
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionReporter.cs Normal file
View File

@@ -0,0 +1,167 @@
using System.Collections.Immutable;
using System.Text;
using System.Text.Json;
namespace StellaOps.Concelier.SbomIntegration.Vex;
public interface IVexConsumptionReporter
{
string ToJson(VexConsumptionReport report);
string ToText(VexConsumptionReport report);
string ToSarif(VexConsumptionReport report);
}
public sealed record VexConsumptionReport
{
public ImmutableArray<ConsumedVexStatement> Statements { get; init; } = [];
public ImmutableArray<VexConsumptionWarning> Warnings { get; init; } = [];
public ImmutableArray<VexConflictResolution> Conflicts { get; init; } = [];
public ImmutableArray<VexAwareMatchResult> Matches { get; init; } = [];
public VexTrustLevel OverallTrustLevel { get; init; } = VexTrustLevel.Untrusted;
}
public sealed class VexConsumptionReporter : IVexConsumptionReporter
{
private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web)
{
WriteIndented = true
};
public string ToJson(VexConsumptionReport report)
{
ArgumentNullException.ThrowIfNull(report);
var payload = BuildReportPayload(report);
return JsonSerializer.Serialize(payload, JsonOptions);
}
public string ToText(VexConsumptionReport report)
{
ArgumentNullException.ThrowIfNull(report);
var builder = new StringBuilder();
builder.AppendLine("VEX Consumption Report");
builder.AppendLine($"Statements: {report.Statements.Length}");
builder.AppendLine($"Warnings: {report.Warnings.Length}");
builder.AppendLine($"Conflicts: {report.Conflicts.Length}");
builder.AppendLine($"Overall trust: {report.OverallTrustLevel}");
builder.AppendLine();
foreach (var statement in report.Statements
.OrderBy(s => s.VulnerabilityId, StringComparer.OrdinalIgnoreCase))
{
builder.AppendLine($"- {statement.VulnerabilityId}: {statement.Status} ({statement.TrustLevel})");
if (!statement.AffectedComponents.IsDefaultOrEmpty)
{
builder.AppendLine($" Components: {string.Join(", ", statement.AffectedComponents)}");
}
if (!string.IsNullOrWhiteSpace(statement.ActionStatement))
{
builder.AppendLine($" Action: {statement.ActionStatement}");
}
}
if (!report.Warnings.IsDefaultOrEmpty)
{
builder.AppendLine();
builder.AppendLine("Warnings:");
foreach (var warning in report.Warnings)
{
builder.AppendLine($"- {warning.Code}: {warning.Message}");
}
}
return builder.ToString();
}
public string ToSarif(VexConsumptionReport report)
{
ArgumentNullException.ThrowIfNull(report);
var results = report.Statements
.Where(statement => statement.Status != VexStatus.NotAffected)
.OrderBy(statement => statement.VulnerabilityId, StringComparer.OrdinalIgnoreCase)
.Select(statement => new
{
ruleId = $"vex-{statement.Status.ToString().ToLowerInvariant()}",
level = statement.Status == VexStatus.Affected ? "error" : "warning",
message = new
{
text = $"{statement.VulnerabilityId} status: {statement.Status}"
},
properties = new
{
trustLevel = statement.TrustLevel.ToString(),
source = statement.Source.ToString(),
justification = statement.Justification?.ToString(),
action = statement.ActionStatement
}
})
.ToArray();
var sarif = new Dictionary<string, object?>
{
["version"] = "2.1.0",
["$schema"] = "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json",
["runs"] = new[]
{
new
{
tool = new
{
driver = new
{
name = "StellaOps.VexConsumption",
informationUri = "https://stella-ops.org",
version = "1.0"
}
},
results
}
}
};
return JsonSerializer.Serialize(sarif, JsonOptions);
}
private static object BuildReportPayload(VexConsumptionReport report)
{
var trustBreakdown = report.Statements
.GroupBy(statement => statement.TrustLevel)
.OrderBy(group => group.Key.ToRank())
.ToDictionary(group => group.Key.ToString(), group => group.Count());
return new
{
report.OverallTrustLevel,
trustBreakdown,
statements = report.Statements
.OrderBy(statement => statement.VulnerabilityId, StringComparer.OrdinalIgnoreCase)
.ThenBy(statement => statement.Status)
.Select(statement => new
{
statement.VulnerabilityId,
statement.Status,
statement.Justification,
statement.ActionStatement,
statement.AffectedComponents,
statement.Timestamp,
statement.Source,
statement.TrustLevel
}),
matches = report.Matches
.OrderBy(match => match.VulnerabilityId, StringComparer.OrdinalIgnoreCase)
.ThenBy(match => match.ComponentPurl, StringComparer.OrdinalIgnoreCase),
conflicts = report.Conflicts
.OrderBy(conflict => conflict.VulnerabilityId, StringComparer.OrdinalIgnoreCase)
.Select(conflict => new
{
conflict.VulnerabilityId,
conflict.Strategy,
Selected = conflict.Selected?.Status,
conflict.Notes
}),
warnings = report.Warnings
.OrderBy(warning => warning.Code, StringComparer.OrdinalIgnoreCase)
};
}
}

72
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexExtractors.cs Normal file
View File

@@ -0,0 +1,72 @@
using System.Collections.Immutable;
using StellaOps.Concelier.SbomIntegration.Models;
namespace StellaOps.Concelier.SbomIntegration.Vex;
public interface IVexStatementExtractor
{
bool CanHandle(ParsedSbom sbom);
ImmutableArray<VexStatement> Extract(ParsedSbom sbom);
}
public sealed class CycloneDxVexExtractor : IVexStatementExtractor
{
public bool CanHandle(ParsedSbom sbom)
{
return sbom.Format.Equals("CycloneDX", StringComparison.OrdinalIgnoreCase);
}
public ImmutableArray<VexStatement> Extract(ParsedSbom sbom)
{
var map = BuildBomRefLookup(sbom.Components);
return VexStatementMapper.Map(sbom.Vulnerabilities, VexSource.SbomEmbedded, map);
}
private static IReadOnlyDictionary<string, string?> BuildBomRefLookup(
ImmutableArray<ParsedComponent> components)
{
var map = new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase);
foreach (var component in components)
{
if (string.IsNullOrWhiteSpace(component.BomRef))
{
continue;
}
map.TryAdd(component.BomRef.Trim(), component.Purl);
}
return map;
}
}
public sealed class SpdxVexExtractor : IVexStatementExtractor
{
public bool CanHandle(ParsedSbom sbom)
{
return sbom.Format.Equals("SPDX", StringComparison.OrdinalIgnoreCase);
}
public ImmutableArray<VexStatement> Extract(ParsedSbom sbom)
{
var map = BuildBomRefLookup(sbom.Components);
return VexStatementMapper.Map(sbom.Vulnerabilities, VexSource.SbomEmbedded, map);
}
private static IReadOnlyDictionary<string, string?> BuildBomRefLookup(
ImmutableArray<ParsedComponent> components)
{
var map = new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase);
foreach (var component in components)
{
if (string.IsNullOrWhiteSpace(component.BomRef))
{
continue;
}
map.TryAdd(component.BomRef.Trim(), component.Purl);
}
return map;
}
}

126
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexMerger.cs Normal file
View File

@@ -0,0 +1,126 @@
using System.Collections.Immutable;
namespace StellaOps.Concelier.SbomIntegration.Vex;
public interface IVexMerger
{
MergedVulnerabilityStatus Merge(
IReadOnlyList<VexStatement> embeddedStatements,
IReadOnlyList<VexStatement> externalStatements,
VexMergePolicy mergePolicy,
VexConflictResolutionStrategy conflictStrategy);
}
public sealed class VexMerger : IVexMerger
{
private readonly IVexConflictResolver _conflictResolver;
public VexMerger(IVexConflictResolver conflictResolver)
{
_conflictResolver = conflictResolver ?? throw new ArgumentNullException(nameof(conflictResolver));
}
public MergedVulnerabilityStatus Merge(
IReadOnlyList<VexStatement> embeddedStatements,
IReadOnlyList<VexStatement> externalStatements,
VexMergePolicy mergePolicy,
VexConflictResolutionStrategy conflictStrategy)
{
var resolved = new List<VexStatement>();
var conflicts = new List<VexConflictResolution>();
var embeddedByVuln = GroupByVulnerability(embeddedStatements);
var externalByVuln = GroupByVulnerability(externalStatements);
var allKeys = embeddedByVuln.Keys.Union(externalByVuln.Keys, StringComparer.OrdinalIgnoreCase);
foreach (var vulnerabilityId in allKeys.OrderBy(key => key, StringComparer.OrdinalIgnoreCase))
{
var embedded = embeddedByVuln.TryGetValue(vulnerabilityId, out var embeddedList)
? embeddedList
: new List<VexStatement>();
var external = externalByVuln.TryGetValue(vulnerabilityId, out var externalList)
? externalList
: new List<VexStatement>();
var candidates = SelectCandidates(mergePolicy.Mode, embedded, external);
if (candidates.Count == 0)
{
continue;
}
var resolution = _conflictResolver.Resolve(vulnerabilityId, candidates, conflictStrategy);
if (HasConflicts(candidates) && resolution.Candidates.Length > 1)
{
conflicts.Add(resolution);
}
if (resolution.Selected is not null)
{
resolved.Add(resolution.Selected);
}
}
return new MergedVulnerabilityStatus
{
Statements = resolved.ToImmutableArray(),
Conflicts = conflicts.ToImmutableArray()
};
}
private static Dictionary<string, List<VexStatement>> GroupByVulnerability(
IReadOnlyList<VexStatement> statements)
{
var map = new Dictionary<string, List<VexStatement>>(StringComparer.OrdinalIgnoreCase);
foreach (var statement in statements)
{
if (string.IsNullOrWhiteSpace(statement.VulnerabilityId))
{
continue;
}
if (!map.TryGetValue(statement.VulnerabilityId, out var list))
{
list = new List<VexStatement>();
map[statement.VulnerabilityId] = list;
}
list.Add(statement);
}
return map;
}
private static IReadOnlyList<VexStatement> SelectCandidates(
VexMergeMode mode,
IReadOnlyList<VexStatement> embedded,
IReadOnlyList<VexStatement> external)
{
return mode switch
{
VexMergeMode.Intersection => embedded.Count > 0 && external.Count > 0
? embedded.Concat(external).ToList()
: new List<VexStatement>(),
VexMergeMode.ExternalPriority => external.Count > 0
? external
: embedded,
VexMergeMode.EmbeddedPriority => embedded.Count > 0
? embedded
: external,
_ => embedded.Concat(external).ToList()
};
}
private static bool HasConflicts(IReadOnlyList<VexStatement> statements)
{
if (statements.Count <= 1)
{
return false;
}
var distinct = statements
.Select(statement => statement.Status)
.Distinct()
.Count();
return distinct > 1;
}
}

132
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexStatementMapper.cs Normal file
View File

@@ -0,0 +1,132 @@
using System.Collections.Immutable;
using StellaOps.Concelier.SbomIntegration.Models;
namespace StellaOps.Concelier.SbomIntegration.Vex;
internal static class VexStatementMapper
{
public static ImmutableArray<VexStatement> Map(
IReadOnlyList<ParsedVulnerability> vulnerabilities,
VexSource source,
IReadOnlyDictionary<string, string?>? bomRefToPurl = null)
{
if (vulnerabilities.Count == 0)
{
return [];
}
var builder = ImmutableArray.CreateBuilder<VexStatement>();
foreach (var vulnerability in vulnerabilities)
{
if (vulnerability.Analysis is null)
{
continue;
}
var status = MapStatus(vulnerability.Analysis.State);
if (status is null)
{
continue;
}
var affected = BuildAffectedComponents(vulnerability.Affects, bomRefToPurl);
var timestamp = vulnerability.Analysis.LastUpdated
?? vulnerability.Analysis.FirstIssued
?? vulnerability.Updated
?? vulnerability.Published;
var actionStatement = BuildActionStatement(vulnerability.Analysis);
builder.Add(new VexStatement
{
VulnerabilityId = vulnerability.Id,
Status = status.Value,
Justification = vulnerability.Analysis.Justification,
ActionStatement = actionStatement,
AffectedComponents = affected,
Timestamp = timestamp,
Source = source
});
}
return builder.ToImmutable();
}
private static VexStatus? MapStatus(VexState state)
{
return state switch
{
VexState.NotAffected => VexStatus.NotAffected,
VexState.Fixed => VexStatus.Fixed,
VexState.Exploitable => VexStatus.Affected,
VexState.FalsePositive => VexStatus.NotAffected,
VexState.InTriage => VexStatus.UnderInvestigation,
VexState.UnderInvestigation => VexStatus.UnderInvestigation,
_ => null
};
}
private static ImmutableArray<string> BuildAffectedComponents(
ImmutableArray<ParsedVulnAffects> affects,
IReadOnlyDictionary<string, string?>? bomRefToPurl)
{
if (affects.IsDefaultOrEmpty)
{
return [];
}
var components = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
foreach (var entry in affects)
{
var reference = entry.Ref?.Trim();
if (!string.IsNullOrWhiteSpace(reference))
{
if (bomRefToPurl is not null
&& bomRefToPurl.TryGetValue(reference, out var purl)
&& !string.IsNullOrWhiteSpace(purl))
{
components.Add(purl.Trim());
}
else
{
components.Add(reference);
}
continue;
}
if (!string.IsNullOrWhiteSpace(entry.Version))
{
components.Add(entry.Version.Trim());
}
}
return components
.OrderBy(value => value, StringComparer.OrdinalIgnoreCase)
.ToImmutableArray();
}
private static string? BuildActionStatement(ParsedVulnAnalysis analysis)
{
if (analysis.Response.IsDefaultOrEmpty && string.IsNullOrWhiteSpace(analysis.Detail))
{
return null;
}
var responseText = analysis.Response.IsDefaultOrEmpty
? null
: string.Join(", ", analysis.Response.Where(value => !string.IsNullOrWhiteSpace(value)));
if (string.IsNullOrWhiteSpace(responseText))
{
return analysis.Detail;
}
if (string.IsNullOrWhiteSpace(analysis.Detail))
{
return responseText;
}
return $"{responseText}. {analysis.Detail}";
}
}

129
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexTrustEvaluator.cs Normal file
View File

@@ -0,0 +1,129 @@
using System.Collections.Immutable;
namespace StellaOps.Concelier.SbomIntegration.Vex;
public interface IVexTrustEvaluator
{
VexTrustEvaluation Evaluate(VexStatement statement, VexConsumptionPolicy policy);
}
public sealed record VexTrustEvaluation
{
public required VexTrustLevel TrustLevel { get; init; }
public ImmutableArray<VexConsumptionWarning> Warnings { get; init; } = [];
}
public sealed class VexTrustEvaluator : IVexTrustEvaluator
{
private readonly TimeProvider _timeProvider;
public VexTrustEvaluator(TimeProvider? timeProvider = null)
{
_timeProvider = timeProvider ?? TimeProvider.System;
}
public VexTrustEvaluation Evaluate(VexStatement statement, VexConsumptionPolicy policy)
{
var warnings = new List<VexConsumptionWarning>();
var trustLevel = DetermineBaseTrust(statement);
if (statement.Source == VexSource.SbomEmbedded && !policy.TrustEmbeddedVex)
{
trustLevel = VexTrustLevel.Untrusted;
warnings.Add(BuildWarning(
"vex.trust.embedded.disabled",
"Embedded VEX is not trusted by policy.",
statement));
}
if (policy.SignatureRequirements.RequireSignedVex && string.IsNullOrWhiteSpace(statement.Issuer))
{
trustLevel = VexTrustLevel.Untrusted;
warnings.Add(BuildWarning(
"vex.signature.missing",
"VEX statement is missing a signature or issuer.",
statement));
}
if (!policy.SignatureRequirements.TrustedSigners.IsDefaultOrEmpty
&& !string.IsNullOrWhiteSpace(statement.Issuer))
{
var trusted = policy.SignatureRequirements.TrustedSigners
.Any(signer => string.Equals(signer, statement.Issuer, StringComparison.OrdinalIgnoreCase));
if (!trusted)
{
trustLevel = LowerTrust(trustLevel, VexTrustLevel.Unverified);
warnings.Add(BuildWarning(
"vex.signature.untrusted",
"VEX statement issuer is not in the trusted signer list.",
statement));
}
else
{
trustLevel = RaiseTrust(trustLevel, VexTrustLevel.Verified);
}
}
if (policy.TimestampRequirements.RequireTimestamp && statement.Timestamp is null)
{
trustLevel = VexTrustLevel.Untrusted;
warnings.Add(BuildWarning(
"vex.timestamp.missing",
"VEX statement is missing a timestamp.",
statement));
}
else if (statement.Timestamp is not null)
{
var maxAge = TimeSpan.FromHours(policy.TimestampRequirements.MaxAgeHours);
var age = _timeProvider.GetUtcNow() - statement.Timestamp.Value;
if (age > maxAge)
{
trustLevel = VexTrustLevel.Untrusted;
warnings.Add(BuildWarning(
"vex.timestamp.stale",
$"VEX statement timestamp exceeds policy max age ({policy.TimestampRequirements.MaxAgeHours}h).",
statement));
}
}
return new VexTrustEvaluation
{
TrustLevel = trustLevel,
Warnings = warnings.ToImmutableArray()
};
}
private static VexTrustLevel DetermineBaseTrust(VexStatement statement)
{
if (statement.IsProducerStatement || statement.Source == VexSource.SbomEmbedded)
{
return VexTrustLevel.Trusted;
}
return VexTrustLevel.Unverified;
}
private static VexTrustLevel RaiseTrust(VexTrustLevel current, VexTrustLevel target)
{
return current.ToRank() >= target.ToRank() ? current : target;
}
private static VexTrustLevel LowerTrust(VexTrustLevel current, VexTrustLevel target)
{
return current.ToRank() <= target.ToRank() ? current : target;
}
private static VexConsumptionWarning BuildWarning(
string code,
string message,
VexStatement statement)
{
return new VexConsumptionWarning
{
Code = code,
Message = message,
VulnerabilityId = statement.VulnerabilityId,
Source = statement.Source
};
}
}

15
src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexTrustLevelExtensions.cs Normal file
View File

@@ -0,0 +1,15 @@
namespace StellaOps.Concelier.SbomIntegration.Vex;
internal static class VexTrustLevelExtensions
{
public static int ToRank(this VexTrustLevel level)
{
return level switch
{
VexTrustLevel.Verified => 3,
VexTrustLevel.Trusted => 2,
VexTrustLevel.Unverified => 1,
_ => 0
};
}
}