Today's product advisories implemented

This commit is contained in:
master
2026-01-16 23:30:47 +02:00
parent 91ba600722
commit 77ff029205
174 changed files with 30173 additions and 1383 deletions

@@ -1,5 +1,5 @@
# Feature Matrix — Stella Ops Suite
*(rev 5.0 · 09 Jan 2026)*
*(rev 5.1 · 16 Jan 2026)*
> **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail.
@@ -145,6 +145,9 @@
|------------|:----:|:---------:|:----------:|-------|
| CVE Lookup via Local DB | | | | |
| Licence-Risk Detection | | | | Q4-2025 |
| **Automatic Detection (Class A)** | | | | Runs implicitly during scan |
| Secrets Detection | | | | API keys, tokens, passwords; results in findings (see [docs/modules/ui/components/findings-list.md](docs/modules/ui/components/findings-list.md)) |
| OS Package Analyzers | | | | apk, apt, yum, dnf, rpm, pacman; results in SBOM (see [docs/modules/cli/guides/commands/sbom.md](docs/modules/cli/guides/commands/sbom.md)) |
| **Language Analyzers (All 11)** | | | | |
| .NET/C#, Java, Go, Python | | | | |
| Node.js, Ruby, Bun, Deno | | | | |
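Review bot: the `Licence-Risk Detection` row still carries the availability note `Q4-2025`, which is already in the past for a matrix dated 16 Jan 2026; either replace it with the shipped tier marks or state the current status. The new `**Automatic Detection (Class A)**` heading row introduces a "Class A" label (and the Binary Analysis hunk introduces "Class B") without a legend in the visible context; add a one-line definition of the classes near the top of the matrix or link to where they are defined.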
@@ -179,6 +182,8 @@
## Binary Analysis (BinaryIndex)
*Binary analysis capabilities are CLI-first (Class B). UI integration is minimal until user demand validates.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Binary Identity Extraction | | | | Build-ID, hashes |
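Review bot: the added italic note ends mid-thought ("UI integration is minimal until user demand validates."); suggest "until user demand validates the need for it" or simply "UI integration is minimal (CLI-first, Class B)". Also clarify whether "CLI-first" means the CLI is the only supported entry point for these capabilities today, since the tier columns in this table are what readers use to decide what they get.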
@@ -187,58 +192,156 @@
| RPM/RHEL Corpus | | | | |
| Patch-Aware Backport Detection | | | | |
| PE/Mach-O/ELF Parsers | | | | |
| **Binary Fingerprint Generation** | | | | Advanced detection |
| **Binary Fingerprint Generation** | | | | CLI: `stella binary fingerprint export` |
| **Fingerprint Matching Engine** | | | | Similarity search |
| **Binary Diff** | | | | CLI: `stella binary diff <base> <candidate>` |
| **DWARF/Symbol Analysis** | | | | Debug symbols |
**CLI Commands (Class B):**
- `stella binary fingerprint export <artifact>` Export fingerprint data (function hashes, section hashes, symbol table)
- `stella binary diff <base> <candidate>` Compare binaries with function/symbol-level diff
- Output formats: `--format json|yaml|table`
- Usage and examples: [docs/modules/cli/guides/commands/binary.md](docs/modules/cli/guides/commands/binary.md)
---
## Advisory Sources (Concelier)
| Source | Free | Community | Enterprise | Notes |
|--------|:----:|:---------:|:----------:|-------|
| NVD | | | | |
| GHSA | | | | |
| OSV | | | | |
| Alpine SecDB | | | | |
| Debian Security Tracker | | | | |
| Ubuntu USN | | | | |
| RHEL/CentOS OVAL | | | | |
| KEV (Exploited Vulns) | | | | |
| EPSS v4 | | | | |
| **Custom Advisory Connectors** | | | | Private feeds |
| **Advisory Merge Engine** | | | | Conflict resolution |
*Concelier provides 33+ vulnerability feed connectors with automatic sync, health monitoring, and conflict detection.*
| Source Category | Connectors | Free | Community | Enterprise | Notes |
|-----------------|-----------|:----:|:---------:|:----------:|-------|
| **National CVE Databases** | | | | | |
| NVD (NIST) | | | | | Primary CVE source |
| CVE (MITRE) | | | | | CVE Record format 5.0 |
| **OSS Ecosystems** | | | | | |
| OSV | | | | | Multi-ecosystem |
| GHSA | | | | | GitHub Security Advisories |
| **Linux Distributions** | | | | | |
| Alpine SecDB | | | | | |
| Debian Security Tracker | | | | | |
| Ubuntu USN | | | | | |
| RHEL/CentOS OVAL | | | | | |
| SUSE OVAL | | | | | |
| Astra Linux | | | | | Russian distro |
| **CERTs / National CSIRTs** | | | | | |
| CISA KEV | | | | | Known Exploited Vulns |
| CISA ICS-CERT | | | | | Industrial control systems |
| CERT-CC | | | | | Carnegie Mellon |
| CERT-FR | | | | | France |
| CERT-Bund (BSI) | | | | | Germany |
| CERT-In | | | | | India |
| ACSC | | | | | Australia |
| CCCS | | | | | Canada |
| KISA | | | | | South Korea |
| JVN | | | | | Japan |
| **Russian Federation Sources** | | | | | |
| FSTEC BDU | | | | | Russian vuln database |
| NKCKI | | | | | Critical infrastructure |
| **Vendor PSIRTs** | | | | | |
| Microsoft MSRC | | | | | |
| Cisco PSIRT | | | | | |
| Oracle CPU | | | | | |
| VMware | | | | | |
| Adobe PSIRT | | | | | |
| Apple Security | | | | | |
| Chromium | | | | | |
| **ICS/SCADA** | | | | | |
| Kaspersky ICS-CERT | | | | | Industrial security |
| **Risk Scoring** | | | | | |
| EPSS v4 | | | | | Exploit prediction |
| **Enterprise Features** | | | | | |
| Custom Advisory Connectors | | | | | Private feeds |
| Advisory Merge Engine | | | | | Conflict resolution |
| Connector Health CLI | | | | | `stella db connectors status` |
**Connector Operations Matrix (Status/Auth/Runbooks):**
| Connector | Status | Auth | Ops Runbook |
| --- | --- | --- | --- |
| NVD (NIST) | stable | api-key | [docs/modules/concelier/operations/connectors/nvd.md](docs/modules/concelier/operations/connectors/nvd.md) |
| CVE (MITRE) | stable | none | [docs/modules/concelier/operations/connectors/cve.md](docs/modules/concelier/operations/connectors/cve.md) |
| OSV | stable | none | [docs/modules/concelier/operations/connectors/osv.md](docs/modules/concelier/operations/connectors/osv.md) |
| GHSA | stable | api-token | [docs/modules/concelier/operations/connectors/ghsa.md](docs/modules/concelier/operations/connectors/ghsa.md) |
| Alpine SecDB | stable | none | [docs/modules/concelier/operations/connectors/alpine.md](docs/modules/concelier/operations/connectors/alpine.md) |
| Debian Security Tracker | stable | none | [docs/modules/concelier/operations/connectors/debian.md](docs/modules/concelier/operations/connectors/debian.md) |
| Ubuntu USN | stable | none | [docs/modules/concelier/operations/connectors/ubuntu.md](docs/modules/concelier/operations/connectors/ubuntu.md) |
| Red Hat OVAL/CSAF | stable | none | [docs/modules/concelier/operations/connectors/redhat.md](docs/modules/concelier/operations/connectors/redhat.md) |
| SUSE OVAL/CSAF | stable | none | [docs/modules/concelier/operations/connectors/suse.md](docs/modules/concelier/operations/connectors/suse.md) |
| Astra Linux | beta | none | [docs/modules/concelier/operations/connectors/astra.md](docs/modules/concelier/operations/connectors/astra.md) |
| CISA KEV | stable | none | [docs/modules/concelier/operations/connectors/cve-kev.md](docs/modules/concelier/operations/connectors/cve-kev.md) |
| CISA ICS-CERT | stable | none | [docs/modules/concelier/operations/connectors/ics-cisa.md](docs/modules/concelier/operations/connectors/ics-cisa.md) |
| CERT-CC | stable | none | [docs/modules/concelier/operations/connectors/cert-cc.md](docs/modules/concelier/operations/connectors/cert-cc.md) |
| CERT-FR | stable | none | [docs/modules/concelier/operations/connectors/cert-fr.md](docs/modules/concelier/operations/connectors/cert-fr.md) |
| CERT-Bund | stable | none | [docs/modules/concelier/operations/connectors/certbund.md](docs/modules/concelier/operations/connectors/certbund.md) |
| CERT-In | stable | none | [docs/modules/concelier/operations/connectors/cert-in.md](docs/modules/concelier/operations/connectors/cert-in.md) |
| ACSC | stable | none | [docs/modules/concelier/operations/connectors/acsc.md](docs/modules/concelier/operations/connectors/acsc.md) |
| CCCS | stable | none | [docs/modules/concelier/operations/connectors/cccs.md](docs/modules/concelier/operations/connectors/cccs.md) |
| KISA | stable | none | [docs/modules/concelier/operations/connectors/kisa.md](docs/modules/concelier/operations/connectors/kisa.md) |
| JVN | stable | none | [docs/modules/concelier/operations/connectors/jvn.md](docs/modules/concelier/operations/connectors/jvn.md) |
| FSTEC BDU | beta | none | [docs/modules/concelier/operations/connectors/fstec-bdu.md](docs/modules/concelier/operations/connectors/fstec-bdu.md) |
| NKCKI | beta | none | [docs/modules/concelier/operations/connectors/nkcki.md](docs/modules/concelier/operations/connectors/nkcki.md) |
| Microsoft MSRC | stable | none | [docs/modules/concelier/operations/connectors/msrc.md](docs/modules/concelier/operations/connectors/msrc.md) |
| Cisco PSIRT | stable | oauth | [docs/modules/concelier/operations/connectors/cisco.md](docs/modules/concelier/operations/connectors/cisco.md) |
| Oracle CPU | stable | none | [docs/modules/concelier/operations/connectors/oracle.md](docs/modules/concelier/operations/connectors/oracle.md) |
| VMware | stable | none | [docs/modules/concelier/operations/connectors/vmware.md](docs/modules/concelier/operations/connectors/vmware.md) |
| Adobe PSIRT | stable | none | [docs/modules/concelier/operations/connectors/adobe.md](docs/modules/concelier/operations/connectors/adobe.md) |
| Apple Security | stable | none | [docs/modules/concelier/operations/connectors/apple.md](docs/modules/concelier/operations/connectors/apple.md) |
| Chromium | stable | none | [docs/modules/concelier/operations/connectors/chromium.md](docs/modules/concelier/operations/connectors/chromium.md) |
| Kaspersky ICS-CERT | beta | none | [docs/modules/concelier/operations/connectors/kaspersky-ics.md](docs/modules/concelier/operations/connectors/kaspersky-ics.md) |
| EPSS v4 | stable | none | [docs/modules/concelier/operations/connectors/epss.md](docs/modules/concelier/operations/connectors/epss.md) |
---
## VEX Processing (Excititor)
## VEX Processing (Excititor/VexLens)
*VEX processing provides a full consensus engine with 5-state lattice, 9 trust factors, and conflict detection.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| OpenVEX Ingestion | | | | |
| CycloneDX VEX Ingestion | | | | |
| CSAF VEX Ingestion | | | | |
| VEX Consensus Resolver | | | | |
| **VEX Consensus Engine (5-state)** | | | | Lattice-based resolution |
| Trust Vector Scoring (P/C/R) | | | | |
| **Trust Weight Scoring (9 factors)** | | | | Issuer, age, specificity, etc. |
| Claim Strength Multipliers | | | | |
| Freshness Decay | | | | |
| Freshness Decay | | | | 14-day half-life |
| Conflict Detection & Penalty | | | | K4 lattice logic |
| VEX Conflict Studio UI | | | | Visual resolution |
| VEX Hub (Distribution) | | | | Internal VEX network |
| **VEX Webhook Distribution** | | | | Pub/sub notifications |
| **CSAF Provider Connectors (7)** | | | | RedHat, Ubuntu, Oracle, MSRC, Cisco, SUSE, VMware |
| **Issuer Trust Registry** | | | | Key lifecycle, trust overrides |
| **VEX from Drift Generation** | | | | `stella vex gen --from-drift` |
| **Trust Calibration Service** | | | | Org-specific tuning |
| **Consensus Rationale Export** | | | | Audit-grade explainability |
**CLI Commands:**
- `stella vex verify <statement>` Verify VEX statement signature and content
- `stella vex consensus <digest>` Show consensus status for digest
- `stella vex evidence export` Export VEX evidence for audit
- `stella vex webhooks list/add/remove` Manage VEX distribution
- `stella issuer keys list/create/rotate/revoke` Issuer key management
---
## Policy Engine
*Policy engine implements Belnap K4 four-valued logic with 10+ gate types and 6 risk providers.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| YAML Policy Rules | | | | Basic rules |
| Belnap K4 Four-Valued Logic | | | | |
| **Belnap K4 Four-Valued Logic** | | | | True/False/Both/Neither |
| Security Atoms (6 types) | | | | |
| Disposition Selection (ECMA-424) | | | | |
| Minimum Confidence Gate | | | | |
| **10+ Policy Gate Types** | | | | Severity, reachability, age, etc. |
| **6 Risk Score Providers** | | | | CVSS, KEV, EPSS, FixChain, etc. |
| Unknowns Budget Gate | | | | |
| **Determinization System** | | | | Signal weights, decay, uncertainty |
| **Policy Simulation** | | | | `stella policy simulate` |
| Source Quota Gate | | | | 60% cap enforcement |
| Reachability Requirement Gate | | | | For criticals |
| **OPA/Rego Integration** | | | | Custom policies |
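Review bot: the intro sentence claims "33+ vulnerability feed connectors", but the Connector Operations Matrix that follows lists 31 rows (NVD through EPSS v4), so either the count or the table is out of date; make the number match what is listed, or say "30+". Connector names also differ between the categorized source table and the ops matrix (`RHEL/CentOS OVAL` vs `Red Hat OVAL/CSAF`, `SUSE OVAL` vs `SUSE OVAL/CSAF`, `CERT-Bund (BSI)` vs `CERT-Bund`), and the CISA KEV runbook path is `connectors/cve-kev.md` while every other runbook is named after its connector; align the names and confirm the path exists. If the short `Source | Free | Community | Enterprise` table that precedes the categorized one is not removed by this change, drop it, since the categorized table and the ops matrix already carry every row it has.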
@@ -246,33 +349,55 @@
| **Score Policy YAML** | | | | Full customization |
| **Configurable Scoring Profiles** | | | | Simple/Advanced |
| **Policy Version History** | | | | Audit trail |
| **Verdict Attestations** | | | | DSSE/Rekor signed verdicts |
**CLI Commands:**
- `stella policy list/show/create/update/delete` Policy CRUD
- `stella policy simulate <digest>` Simulate policy evaluation
- `stella policy validate <file>` Validate policy YAML
- `stella policy decisions list/show` View policy decisions
- `stella policy gates list` List available gate types
---
## Attestation & Signing
*Attestation supports 25+ predicate types with keyless signing, key rotation, and attestation chains.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| DSSE Envelope Signing | | | | |
| in-toto Statement Structure | | | | |
| **25+ Predicate Types** | | | | SBOM, VEX, verdict, etc. |
| SBOM Predicate | | | | |
| VEX Predicate | | | | |
| Reachability Predicate | | | | |
| Policy Decision Predicate | | | | |
| Verdict Manifest (signed) | | | | |
| Verdict Replay Verification | | | | |
| **Keyless Signing (Sigstore)** | | | | Fulcio-based OIDC |
| **Delta Attestations (4 types)** | | | | VEX/SBOM/Verdict/Reachability |
| **Attestation Chains** | | | | Linked attestation graphs |
| **Human Approval Predicate** | | | | Workflow attestation |
| **Boundary Predicate** | | | | Network exposure |
| **Key Rotation Management** | | | | Enterprise key ops |
| **Key Rotation Service** | | | | Automated key lifecycle |
| **Trust Anchor Management** | | | | Root CA management |
| **SLSA Provenance v1.0** | | | | Supply chain |
| **Rekor Transparency Log** | | | | Public attestation |
| **Cosign Integration** | | | | Sigstore ecosystem |
**CLI Commands:**
- `stella attest sign <file>` Sign attestation
- `stella attest verify <envelope>` Verify attestation signature
- `stella attest predicates list` List supported predicate types
- `stella attest export <digest>` Export attestations for digest
- `stella keys list/create/rotate/revoke` Key management
---
## Regional Crypto (Sovereign Profiles)
*Sovereign crypto is core to the AGPL promise - no vendor lock-in on compliance.*
*Sovereign crypto is core to the AGPL promise - no vendor lock-in on compliance. 8 signature profiles supported.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
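Review bot: the Attestation table ends up with two adjacent key-rotation rows, `**Key Rotation Management**` ("Enterprise key ops") and `**Key Rotation Service**` ("Automated key lifecycle"); if both are meant to remain, say how they differ, otherwise keep one. There are now two key-management command families in this file, `stella keys list/create/rotate/revoke` here and `stella issuer keys list/create/rotate/revoke` under VEX Processing; add a note on which keys each manages (signing keys vs. issuer trust keys) so operators do not rotate the wrong set. The `**Rekor Transparency Log**` row's note "Public attestation" should also state whether a private Rekor instance is supported, since the Regional Crypto section directly below promises no vendor lock-in and sovereign deployments typically cannot publish to the public log.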
@@ -283,6 +408,14 @@
| SM National Standard | | | | China |
| Post-Quantum (Dilithium) | | | | Future-proof |
| Crypto Plugin Architecture | | | | Custom HSM |
| **Multi-Profile Signing** | | | | Sign with multiple algorithms |
| **SM Remote Service** | | | | Chinese market HSM integration |
| **HSM/PKCS#11 Integration** | | | | Hardware security modules |
**CLI Commands:**
- `stella crypto profiles list` List available crypto profiles
- `stella crypto verify --profile <name>` Verify with specific profile
- `stella crypto plugins list/status` Manage crypto plugins
---
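Review bot: `stella crypto verify --profile <name>` lists no target argument, unlike `stella attest verify <envelope>` and `stella vex verify <statement>`; either add the `<envelope>` (or file) operand or document what the command verifies by default. The three HSM-related rows (`Crypto Plugin Architecture` "Custom HSM", `**SM Remote Service**` "Chinese market HSM integration", `**HSM/PKCS#11 Integration**` "Hardware security modules") would benefit from notes that distinguish them, e.g. which one is the PKCS#11 path and which is a network service, so the "8 signature profiles" claim in the section intro can be tied to concrete rows.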
@@ -421,35 +554,68 @@
---
## Access Control & Identity
## Access Control & Identity (Authority)
*Authority provides OAuth 2.1/OIDC with 75+ authorization scopes, DPoP, and device authorization.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Auth | | | | |
| API Keys | | | | |
| API Keys | | | | With scopes and expiration |
| SSO/SAML Integration | | | | Okta, Azure AD |
| OIDC Support | | | | |
| Basic RBAC | | | | User/Admin |
| **75+ Authorization Scopes** | | | | Fine-grained permissions |
| **DPoP (Sender Constraints)** | | | | Token binding |
| **mTLS Client Certificates** | | | | Certificate auth |
| **Device Authorization Flow** | | | | CLI/IoT devices |
| **PAR Support** | | | | Pushed Authorization Requests |
| **User Federation (LDAP/SAML)** | | | | Directory integration |
| **Multi-Factor Authentication** | | | | TOTP/WebAuthn |
| **Advanced RBAC** | | | | Team-based scopes |
| **Multi-Tenant Management** | | | | Org hierarchy |
| **Audit Log Export** | | | | SIEM integration |
**CLI Commands:**
- `stella auth clients list/create/delete` OAuth client management
- `stella auth roles list/show/assign` Role management
- `stella auth scopes list` List available scopes
- `stella auth token introspect <token>` Token introspection
- `stella auth api-keys list/create/revoke` API key management
---
## Notifications & Integrations
*10 notification channel types with template engine, routing rules, and escalation.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Email Notifications | | | | |
| In-App Notifications | | | | |
| Email Notifications | | | | |
| EPSS Change Alerts | | | | |
| Slack Integration | | | | Basic |
| Teams Integration | | | | Basic |
| **Discord Integration** | | | | Webhook-based |
| **PagerDuty Integration** | | | | Incident management |
| **OpsGenie Integration** | | | | Alert routing |
| Zastava Registry Hooks | | | | Auto-scan on push |
| **Zastava K8s Admission** | | | | Validating/Mutating webhooks |
| **Template Engine** | | | | Customizable templates |
| **Channel Routing Rules** | | | | Severity/team routing |
| **Escalation Policies** | | | | Time-based escalation |
| **Notification Studio UI** | | | | Visual rule builder |
| **Custom Webhooks** | | | | Any endpoint |
| **CI/CD Gates** | | | | GitLab/GitHub/Jenkins |
| **SCM Integrations** | | | | PR comments, status checks |
| **Issue Tracker Integration** | | | | Jira, GitHub Issues |
| **Enterprise Connectors** | | | | Grid/Premium APIs |
**CLI Commands:**
- `stella notify channels list/test` Channel management
- `stella notify rules list/create` Routing rules
- `stella zastava install/configure/status` K8s webhook management
---
## Scheduling & Automation
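Review bot: `stella auth token introspect <token>` takes the bearer token as a command-line argument, which leaves it in shell history and visible in the process list; document (or implement) reading the token from stdin or an environment variable, matching how the other secret-handling commands in this file are expected to behave. In the Notifications table, `Email Notifications` appears twice (once before and once after `In-App Notifications`); if the move is intentional, make sure only one row survives. Minor: "Azure AD" in the `SSO/SAML Integration` row is now Microsoft Entra ID, and `**DPoP (Sender Constraints)**` reads more naturally as "sender-constrained tokens".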
@@ -555,4 +721,4 @@ Everything in Community, plus:
---
*Last updated: 24 Dec 2025 (rev 4.0 - Tiered Commercial Model)*
*Last updated: 16 Jan 2026 (rev 5.1 - Documentation Sprint 024)*
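Review bot: the footer now agrees with the header (`rev 5.1 · 16 Jan 2026`), but the previous footer said rev 4.0 while the header already said rev 5.0, so the two markers have drifted before; consider keeping the revision and date in one place only, or have the release checklist update both.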