Today's product advisories implemented

This commit is contained in:
master
2026-01-16 23:30:47 +02:00
parent 91ba600722
commit 77ff029205
174 changed files with 30173 additions and 1383 deletions

View File

@@ -0,0 +1,50 @@
# Binary Analysis CLI Commands
_Last updated: 2026-01-16_
This guide documents the CLI-first binary analysis commands exposed by Stella Ops.
---
## `stella binary fingerprint export`
Export a deterministic binary fingerprint (function hashes, section hashes, symbol table).
### Usage
```bash
stella binary fingerprint export <artifact> \
--format json \
--output ./fingerprint.json
```
### Notes
- Supported formats: `json`, `yaml`
- Output is deterministic for identical inputs.
- Use `--output` for offline workflows and evidence bundles.
---
## `stella binary diff`
Compare two binaries and emit a function/symbol-level delta report.
### Usage
```bash
stella binary diff <base> <candidate> \
--format table \
--scope function
```
### Notes
- Supported formats: `json`, `table`
- Scopes: `file`, `section`, `function`
- Use `--format json` for automation and CI pipelines.
---
## Output contracts
- All JSON outputs follow the CLI standard envelope (stable ordering, camelCase keys).
- When used in evidence workflows, prefer `--format json` plus `--output` for deterministic artifacts.
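Review bot: The fingerprint command promises deterministic function/section/symbol hashes for evidence bundles, but the page never names the hash algorithm or the normalisation applied before hashing, so a verifier cannot recompute a fingerprint independently; add that to the Notes under `stella binary fingerprint export` (and state whether `yaml` output is covered by the "CLI standard envelope" rule, which only mentions JSON). For `stella binary diff`, document the default `--scope` and `--format` when the flags are omitted, since the usage block shows both as if mandatory while the Notes list several values.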

View File

@@ -78,7 +78,7 @@ stella policy review status <policy-id> [--version <ver>]
stella policy publish <policy-id> [--version <ver>] [--sign] [--attestation-type <type>] [--dry-run]
# Promote policy to environment
stella policy promote <policy-id> [--version <ver>] --env <environment> [--canary <percentage>] [--dry-run]
stella policy promote <policy-id> --from <env> --to <env> [--dry-run] [--format json|table] [--output <path>]
# Rollback policy
stella policy rollback <policy-id> [--to-version <ver>] [--reason <text>] [--force]
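Review bot: The two adjacent `stella policy promote` lines describe different interfaces (`--env <environment> [--canary <percentage>]` versus `--from <env> --to <env> [--format json|table] [--output <path>]`); with a 7-line-for-7-line hunk this reads as a replacement, in which case `--canary` disappears from the reference without a deprecation note, and if both forms remain valid the doc should say when each applies, since `--env` and `--to` overlap. Also state whether `--from` is validated against the policy's current environment before promotion, as a mismatch is exactly what `rollback` would later be used to undo.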
@@ -100,6 +100,26 @@ stella policy history <policy-id> [--limit <num>] [--since <date>] [--until <dat
stella policy explain <policy-id> [--version <ver>] [--finding-id <id>] [--verbose]
```
### Policy Lattice Explain (PEN-001)
```bash
# Explain policy lattice structure
stella policy lattice explain [--format json|mermaid] [--output <path>]
```
### Policy Verdicts Export (PEN-002)
```bash
# Export policy verdict history
stella policy verdicts export \
[--from <timestamp>] \
[--to <timestamp>] \
[--policy <id>] \
[--outcome pass|fail|warn] \
[--format json|csv] \
[--output <path>]
```
### Policy Activation
```bash
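Review bot: `stella policy verdicts export` takes `--from <timestamp>` and `--to <timestamp>` but the hunk gives no timestamp format or timezone, and no default window when both are omitted; an unbounded export of verdict history is the realistic failure here, so document the defaults. For `--format csv`, fix and document the column order, since these exports are the audit record for `--outcome pass|fail|warn` decisions and a column reordering between versions breaks downstream diffing. The `stella policy lattice explain` `mermaid` format also needs a line saying whether policy IDs are escaped in the diagram output.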

View File

@@ -962,11 +962,13 @@ stella reachability analyze --scan <path> --code <path> [--output <path>]
### stella graph
Visualize dependency graphs.
Call graph evidence and lineage commands.
**Usage:**
```bash
stella graph --sbom <path> [--output <path>] [--format svg|png|dot]
stella graph explain --graph-id <id> [--vuln-id <id>] [--purl <purl>] [--json]
stella graph verify --hash <blake3:...> [--format text|json|markdown]
stella graph lineage show <digest|purl> [--format json|graphson|mermaid] [--output <path>]
```
---
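Review bot: `stella graph verify --hash <blake3:...>` never states what is being verified against the hash (the `--sbom` render, a `--graph-id` export, or a lineage record from `lineage show`), nor what the command returns on mismatch; add the target artifact and the exit code / output for a failed verification so CI can gate on it. The description lines "Visualize dependency graphs." and "Call graph evidence and lineage commands." also sit together; keep one, or merge them, so the section has a single summary.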
@@ -993,6 +995,20 @@ stella notify --scan <path> --channel slack --webhook <url>
---
### stella issuer
Manage issuer keys for signing and verification.
**Usage:**
```bash
stella issuer keys list --format json
stella issuer keys create --type ecdsa --name primary --format json
stella issuer keys rotate <id> --format json
stella issuer keys revoke <id> --format json
```
---
## Language-Specific Commands
### stella ruby
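Review bot: `stella issuer keys rotate <id>` and `stella issuer keys revoke <id>` need one sentence each on what happens to signatures already made with the old key: after `rotate`, is the previous key retained for verification only, and after `revoke`, do existing verifications fail closed? Without that, operators cannot tell whether rotation invalidates previously signed policies and attestations. Also list the accepted `--type` values beyond `ecdsa`, and consider a `--reason` on `revoke` so the revocation record carries its justification.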

View File

@@ -5,6 +5,8 @@
- `stella vex consensus --query <filter> [--output json|ndjson|table] [--offline]`
- `stella vex get --id <consensusId> [--offline]`
- `stella vex simulate --input <vexDocs> --policy <policyConfig> [--offline]`
- `stella vex evidence export <target> [--format json|openvex] [--output <path>]`
- `stella vex webhooks list|add|remove [--format json]`
- `stella vex gen --from-drift --image <IMAGE> [--baseline <SEAL_ID>] [--output <PATH>]`
## Flags (common)
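Review bot: The new `stella vex gen --from-drift --image <IMAGE> [--baseline <SEAL_ID>] [--output <PATH>]` line uses upper-case placeholders while every other entry in this list uses `<lowercase>` placeholders (`<target>`, `<path>`, `<consensusId>`); align it. `<SEAL_ID>` is also not defined anywhere in the visible hunk; say what a seal ID is or link to where it is explained.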
@@ -26,6 +28,39 @@
---
## stella vex evidence export
Export deterministic VEX evidence for a digest or component identifier.
### Usage
```bash
stella vex evidence export <target> [--format json|openvex] [--output <path>]
```
### Examples
```bash
stella vex evidence export sha256:abc --format json
stella vex evidence export pkg:npm/lodash@4.17.21 --format openvex --output vex-evidence.json
```
---
## stella vex webhooks
Manage VEX webhook subscriptions.
### Usage
```bash
stella vex webhooks list --format json
stella vex webhooks add --url <url> --events vex.created vex.updated --format json
stella vex webhooks remove <id> --format json
```
---
## stella vex gen --from-drift
**Sprint:** SPRINT_20260105_002_004_CLI
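Review bot: The example `stella vex evidence export sha256:abc --format json` uses a digest that is not a valid sha256 (three hex characters); people copy examples, so use a full-length placeholder digest or make clear that `sha256:abc` is abbreviated. In the `stella vex webhooks add --url <url> --events ...` usage, nothing says how a receiver authenticates deliveries: document whether payloads are signed or a shared secret can be set, and if neither exists, state plainly that the URL is the only credential so operators treat it as one.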

View File

@@ -1,7 +1,39 @@
# Concelier Connectors
This index lists Concelier connectors and links to their operational runbooks. For detailed procedures and alerting, see `docs/modules/concelier/operations/connectors/`.
This index lists Concelier connectors, their status, authentication expectations, and links to operational runbooks. For procedures and alerting, see `docs/modules/concelier/operations/connectors/`.
| Connector | Source ID | Purpose | Ops Runbook |
| --- | --- | --- | --- |
| EPSS | `epss` | FIRST.org EPSS exploitation probability feed | `docs/modules/concelier/operations/connectors/epss.md` |
| Connector | Source ID | Status | Auth | Ops Runbook |
| --- | --- | --- | --- | --- |
| NVD (NIST) | `nvd` | stable | api-key | [docs/modules/concelier/operations/connectors/nvd.md](docs/modules/concelier/operations/connectors/nvd.md) |
| CVE (MITRE) | `cve` | stable | none | [docs/modules/concelier/operations/connectors/cve.md](docs/modules/concelier/operations/connectors/cve.md) |
| OSV | `osv` | stable | none | [docs/modules/concelier/operations/connectors/osv.md](docs/modules/concelier/operations/connectors/osv.md) |
| GHSA | `ghsa` | stable | api-token | [docs/modules/concelier/operations/connectors/ghsa.md](docs/modules/concelier/operations/connectors/ghsa.md) |
| EPSS | `epss` | stable | none | [docs/modules/concelier/operations/connectors/epss.md](docs/modules/concelier/operations/connectors/epss.md) |
| Alpine SecDB | `alpine` | stable | none | [docs/modules/concelier/operations/connectors/alpine.md](docs/modules/concelier/operations/connectors/alpine.md) |
| Debian Security Tracker | `debian` | stable | none | [docs/modules/concelier/operations/connectors/debian.md](docs/modules/concelier/operations/connectors/debian.md) |
| Ubuntu USN | `ubuntu` | stable | none | [docs/modules/concelier/operations/connectors/ubuntu.md](docs/modules/concelier/operations/connectors/ubuntu.md) |
| Red Hat OVAL/CSAF | `redhat` | stable | none | [docs/modules/concelier/operations/connectors/redhat.md](docs/modules/concelier/operations/connectors/redhat.md) |
| SUSE OVAL/CSAF | `suse` | stable | none | [docs/modules/concelier/operations/connectors/suse.md](docs/modules/concelier/operations/connectors/suse.md) |
| Astra Linux | `astra` | beta | none | [docs/modules/concelier/operations/connectors/astra.md](docs/modules/concelier/operations/connectors/astra.md) |
| CISA KEV | `kev` | stable | none | [docs/modules/concelier/operations/connectors/cve-kev.md](docs/modules/concelier/operations/connectors/cve-kev.md) |
| CISA ICS-CERT | `ics-cisa` | stable | none | [docs/modules/concelier/operations/connectors/ics-cisa.md](docs/modules/concelier/operations/connectors/ics-cisa.md) |
| CERT-CC | `cert-cc` | stable | none | [docs/modules/concelier/operations/connectors/cert-cc.md](docs/modules/concelier/operations/connectors/cert-cc.md) |
| CERT-FR | `cert-fr` | stable | none | [docs/modules/concelier/operations/connectors/cert-fr.md](docs/modules/concelier/operations/connectors/cert-fr.md) |
| CERT-Bund | `cert-bund` | stable | none | [docs/modules/concelier/operations/connectors/certbund.md](docs/modules/concelier/operations/connectors/certbund.md) |
| CERT-In | `cert-in` | stable | none | [docs/modules/concelier/operations/connectors/cert-in.md](docs/modules/concelier/operations/connectors/cert-in.md) |
| ACSC | `acsc` | stable | none | [docs/modules/concelier/operations/connectors/acsc.md](docs/modules/concelier/operations/connectors/acsc.md) |
| CCCS | `cccs` | stable | none | [docs/modules/concelier/operations/connectors/cccs.md](docs/modules/concelier/operations/connectors/cccs.md) |
| KISA | `kisa` | stable | none | [docs/modules/concelier/operations/connectors/kisa.md](docs/modules/concelier/operations/connectors/kisa.md) |
| JVN | `jvn` | stable | none | [docs/modules/concelier/operations/connectors/jvn.md](docs/modules/concelier/operations/connectors/jvn.md) |
| FSTEC BDU | `fstec-bdu` | beta | none | [docs/modules/concelier/operations/connectors/fstec-bdu.md](docs/modules/concelier/operations/connectors/fstec-bdu.md) |
| NKCKI | `nkcki` | beta | none | [docs/modules/concelier/operations/connectors/nkcki.md](docs/modules/concelier/operations/connectors/nkcki.md) |
| Microsoft MSRC | `msrc` | stable | none | [docs/modules/concelier/operations/connectors/msrc.md](docs/modules/concelier/operations/connectors/msrc.md) |
| Cisco PSIRT | `cisco` | stable | oauth | [docs/modules/concelier/operations/connectors/cisco.md](docs/modules/concelier/operations/connectors/cisco.md) |
| Oracle CPU | `oracle` | stable | none | [docs/modules/concelier/operations/connectors/oracle.md](docs/modules/concelier/operations/connectors/oracle.md) |
| VMware | `vmware` | stable | none | [docs/modules/concelier/operations/connectors/vmware.md](docs/modules/concelier/operations/connectors/vmware.md) |
| Adobe PSIRT | `adobe` | stable | none | [docs/modules/concelier/operations/connectors/adobe.md](docs/modules/concelier/operations/connectors/adobe.md) |
| Apple Security | `apple` | stable | none | [docs/modules/concelier/operations/connectors/apple.md](docs/modules/concelier/operations/connectors/apple.md) |
| Chromium | `chromium` | stable | none | [docs/modules/concelier/operations/connectors/chromium.md](docs/modules/concelier/operations/connectors/chromium.md) |
| Kaspersky ICS-CERT | `kaspersky-ics` | beta | none | [docs/modules/concelier/operations/connectors/kaspersky-ics.md](docs/modules/concelier/operations/connectors/kaspersky-ics.md) |
**Reason Codes Reference:** [docs/modules/concelier/operations/connectors/reason-codes.md](docs/modules/concelier/operations/connectors/reason-codes.md)
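Review bot: The runbook filenames in the new table do not consistently follow the Source ID: `kev` links to `cve-kev.md` and `cert-bund` links to `certbund.md`, while every other row uses `<source-id>.md`; either rename the files or note the exceptions, since operators will otherwise guess paths. The `Auth` column introduces `api-key`, `api-token` and `oauth` without defining them; link the place where each credential is configured (the NVD runbook shows the `auth:` shape for `api-key`, but nothing shows `api-token` or `oauth`). Finally, this commit visibly adds runbooks for only part of the table (for example `nvd`, `cve`, `debian`), so confirm that `osv.md`, `ghsa.md`, `alpine.md`, `ics-cisa.md`, `cisco.md`, `msrc.md` and the other linked files exist before merging, or the index ships with dead links.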

View File

@@ -0,0 +1,26 @@
# Concelier ACSC Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The ACSC connector ingests Australian Cyber Security Centre advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
acsc:
baseUri: "<acsc-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror ACSC feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Feed schema updates.
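Review bot: `baseUri: "<acsc-feed-base>"` is a placeholder in a runbook; give the real upstream endpoint and feed format, otherwise an operator repointing to a mirror has nothing to compare the mirror against and cannot tell a stale or tampered mirror from the authoritative feed. Section 5 lists "Feed schema updates" as the failure mode without saying what the connector does when validation fails (fail closed for that source, skip the document, keep the last good snapshot); state the behaviour and the reason code it maps to in `reason-codes.md`.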

View File

@@ -0,0 +1,26 @@
# Concelier Adobe PSIRT Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Adobe connector ingests Adobe PSIRT advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public advisories.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
adobe:
baseUri: "<adobe-psirt-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Upstream format changes or delayed bulletin updates.

View File

@@ -0,0 +1,27 @@
# Concelier Astra Linux Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Astra Linux connector ingests regional Astra advisories and maps them to Astra package versions.
## 2. Authentication
- No authentication required for public feeds unless a mirrored source enforces access controls.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
astra:
baseUri: "<astra-advisory-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror Astra advisories into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Regional mirror availability.
- Non-standard versioning metadata.
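Review bot: Section 2 says authentication may be required "if a mirrored source enforces access controls", but the configuration block has no `auth:` stanza and does not say which credential types the `astra` source accepts; show the stanza (the NVD runbook in this same commit shows the `auth: { type, header }` shape) or link to it, so a protected regional mirror can actually be configured. For "Non-standard versioning metadata", say how an advisory whose version cannot be parsed is handled, since a silently dropped advisory is a coverage gap that no alert will surface.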

View File

@@ -0,0 +1,26 @@
# Concelier CERT-CC Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The CERT-CC connector ingests CERT-CC vulnerability advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
cert-cc:
baseUri: "<cert-cc-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror CERT-CC feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Source throttling or feed schema changes.
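Review bot: Section 5 lists "Source throttling" as a failure mode while section 3 ships `requestDelay: "00:00:00"`, which is the setting most likely to cause it; either recommend a non-zero delay for this source or cross-reference the `CON_RATE_001` remediation in `reason-codes.md` ("Reduce fetch cadence, honor `Retry-After`") so the runbook tells the operator which knob to turn.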

View File

@@ -0,0 +1,26 @@
# Concelier CERT-FR Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The CERT-FR connector ingests CERT-FR advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
cert-fr:
baseUri: "<cert-fr-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror CERT-FR feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Schema changes or feed outages.

View File

@@ -0,0 +1,26 @@
# Concelier CERT-In Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The CERT-In connector ingests CERT-In advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
cert-in:
baseUri: "<cert-in-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror CERT-In feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Feed format changes or intermittent availability.

View File

@@ -0,0 +1,26 @@
# Concelier Chromium Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Chromium connector ingests Chromium security advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public advisories.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
chromium:
baseUri: "<chromium-advisory-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Feed cadence shifts during Chromium release trains.

View File

@@ -0,0 +1,27 @@
# Concelier CVE (MITRE) Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The CVE connector ingests MITRE CVE records to provide canonical IDs and record metadata.
## 2. Authentication
- No authentication required for public CVE feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
cve:
baseUri: "<cve-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror the CVE feed into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Upstream feed lag or pagination errors.
- Schema validation errors on upstream record changes.
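Review bot: "Upstream feed lag or pagination errors" is a listed failure mode, yet `maxDocumentsPerFetch: 20` is the only paging-related setting and the runbook says nothing about ordering; the NVD runbook in this commit carries "Keep fetch ordering deterministic by maintaining stable paging settings" under section 4, and that line belongs here too, because the CVE connector is the source of canonical IDs for the other connectors and non-deterministic paging here propagates.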

View File

@@ -0,0 +1,27 @@
# Concelier Debian Security Tracker Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Debian connector ingests Debian Security Tracker advisories and maps them to Debian package versions.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
debian:
baseUri: "<debian-tracker-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror tracker feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Format changes in tracker exports.
- Missing release metadata for legacy suites.

View File

@@ -0,0 +1,27 @@
# Concelier FSTEC BDU Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The FSTEC BDU connector ingests the Russian BDU vulnerability database and maps entries to canonical IDs.
## 2. Authentication
- No authentication required for public feeds unless a regional mirror enforces access controls.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
fstec-bdu:
baseUri: "<fstec-bdu-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror BDU data into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Regional mirror availability.
- Non-standard identifier formats.
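Review bot: The overview says BDU entries are mapped to canonical IDs and section 5 lists "Non-standard identifier formats", but the runbook never says what happens to an entry that cannot be mapped: dropped, kept under a source-native ID, or surfaced with a reason code. Document that, because an entry dropped at mapping time is invisible to every downstream policy and the `beta` status on the index table makes this the connector where it is most likely.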

View File

@@ -0,0 +1,26 @@
# Concelier JVN Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The JVN connector ingests Japan Vulnerability Notes (JVN) advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
jvn:
baseUri: "<jvn-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror JVN feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Feed format changes or upstream outages.

View File

@@ -0,0 +1,26 @@
# Concelier Kaspersky ICS-CERT Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Kaspersky ICS-CERT connector ingests ICS/SCADA advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public advisories unless a mirror enforces access controls.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
kaspersky-ics:
baseUri: "<kaspersky-ics-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Feed availability gaps for legacy advisories.

View File

@@ -0,0 +1,32 @@
# Concelier NVD Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The NVD connector ingests CVE records and CVSS metadata from the NVD feed to enrich advisory observations.
## 2. Authentication
- Requires an API key configured in `concelier.yaml` under `sources.nvd.auth`.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
nvd:
baseUri: "<nvd-api-base>"
auth:
type: "api-key"
header: "apiKey"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror the NVD feed into the Offline Kit and repoint `baseUri` to the mirror.
- Keep fetch ordering deterministic by maintaining stable paging settings.
## 5. Common failure modes
- Missing/invalid API key.
- Upstream rate limits.
- Schema validation errors on malformed payloads.
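Review bot: The `auth:` block shows `type: "api-key"` and `header: "apiKey"` but no field for the key value itself, and section 2 only says the key is "configured in `concelier.yaml` under `sources.nvd.auth`"; state where the secret is sourced from (environment variable, secret reference, or file) and that the value must not be committed inline in `concelier.yaml`, otherwise this runbook reads as an instruction to put the key in a config file under version control. Section 5's "Upstream rate limits" also pairs badly with `requestDelay: "00:00:00"`; point to `CON_RATE_001`.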

View File

@@ -0,0 +1,26 @@
# Concelier Oracle CPU Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Oracle connector ingests Oracle Critical Patch Update advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public advisories.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
oracle:
baseUri: "<oracle-cpu-feed-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror CPU advisories into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Schedule drift during quarterly CPU updates.

View File

@@ -0,0 +1,13 @@
# Concelier Connector Reason Codes
_Last updated: 2026-01-16_
This reference lists deterministic reason codes emitted by `stella db connectors status|list|test` outputs.
| Code | Category | Meaning | Remediation |
| --- | --- | --- | --- |
| CON_RATE_001 | degraded | Upstream rate limit or throttling detected. | Reduce fetch cadence, honor `Retry-After`, or request higher quotas. |
| CON_UPSTREAM_002 | failed | Upstream service unreachable or returning persistent errors. | Check upstream availability, retry with backoff, or switch to mirror. |
| CON_TIMEOUT_001 | failed | Connector test exceeded timeout window. | Increase `--timeout` or troubleshoot network latency. |
| CON_UNKNOWN_001 | unknown | No status data reported for enabled connector. | Verify scheduler and connector logs. |
| CON_DISABLED_001 | disabled | Connector is disabled in configuration. | Enable in concelier configuration if required. |
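Review bot: The numbering is inconsistent: `CON_RATE_001`, `CON_TIMEOUT_001`, `CON_UNKNOWN_001` and `CON_DISABLED_001` start at 001 while `CON_UPSTREAM_002` starts at 002 with no `CON_UPSTREAM_001`; since these are described as deterministic codes that tooling will match on, fix the sequence now rather than after consumers depend on it. The `CON_TIMEOUT_001` remediation tells the operator to "Increase `--timeout`", but the introducing sentence only names `stella db connectors status|list|test` without flags, so confirm `--timeout` exists on `test` and name the subcommand. There is also no code for a healthy connector; say explicitly that healthy is the absence of a code, or add one, so automation can distinguish "healthy" from "no data".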

View File

@@ -0,0 +1,27 @@
# Concelier Red Hat OVAL/CSAF Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Red Hat connector ingests Red Hat OVAL/CSAF advisories and maps them to RHEL package versions.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
redhat:
baseUri: "<redhat-csaf-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror the CSAF feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Upstream CSAF schema changes.
- Missing mappings for EUS or archived releases.
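Review bot: "Missing mappings for EUS or archived releases" needs the same clarification as the distro-specific failure modes elsewhere: does an advisory for an unmapped EUS stream get dropped or kept unresolved? The SUSE runbook added in this commit repeats the Red Hat wording almost verbatim ("Upstream CSAF schema changes" / "Missing mappings for legacy maintenance releases"), so answer it once here and have the SUSE page reference it instead of copying.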

View File

@@ -0,0 +1,27 @@
# Concelier SUSE OVAL/CSAF Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The SUSE connector ingests SUSE OVAL/CSAF advisories and maps them to SUSE package versions.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
suse:
baseUri: "<suse-csaf-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror the CSAF feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Upstream CSAF schema changes.
- Missing mappings for legacy maintenance releases.

View File

@@ -0,0 +1,26 @@
# Concelier Ubuntu USN Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The Ubuntu connector ingests Ubuntu Security Notices (USN) and maps advisories to Ubuntu package versions.
## 2. Authentication
- No authentication required for public feeds.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
ubuntu:
baseUri: "<ubuntu-usn-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror USN feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- USN schema updates or missing release references.

View File

@@ -0,0 +1,26 @@
# Concelier VMware Connector - Operations Runbook
_Last updated: 2026-01-16_
## 1. Overview
The VMware connector ingests VMware security advisories and maps them to canonical IDs.
## 2. Authentication
- No authentication required for public advisories.
## 3. Configuration (`concelier.yaml`)
```yaml
concelier:
sources:
vmware:
baseUri: "<vmware-advisory-base>"
maxDocumentsPerFetch: 20
fetchTimeout: "00:00:45"
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror advisories into the Offline Kit and repoint `baseUri` to the mirror.
## 5. Common failure modes
- Upstream format changes.

View File

@@ -0,0 +1,272 @@
# Risk Provider Configuration Guide
> **Module:** Policy Engine / RiskProfile
> **Sprint:** SPRINT_20260117_010_CLI_policy_engine (PEN-004)
> **Last Updated:** 2026-01-16
This guide documents the configuration of risk providers within the Stella Ops Policy Engine. Risk providers supply signals (data points) used in risk scoring calculations.
---
## Overview
Risk profiles define how vulnerability findings are scored and prioritized. Each profile consists of:
1. **Signals** — Data sources that contribute to the risk assessment
2. **Weights** — Relative importance of each signal (0.01.0)
3. **Overrides** — Rules that modify severity or decisions based on signal combinations
4. **Metadata** — Optional profile metadata
---
## Risk Profile Schema
Risk profiles follow the `risk-profile-schema@1.json` schema. The canonical schema is available at:
- **Schema URI:** `https://stellaops.dev/schemas/risk-profile-schema@1.json`
- **Source:** `src/Policy/StellaOps.Policy.RiskProfile/Schemas/risk-profile-schema@1.json`
### Required Properties
| Property | Type | Description |
|----------|------|-------------|
| `id` | string | Stable identifier (slug or URN) |
| `version` | string | SemVer version (e.g., `1.0.0`) |
| `signals` | array | Signal definitions (min 1) |
| `weights` | object | Weight per signal name |
| `overrides` | object | Severity and decision overrides |
---
## Signal Configuration
Each signal definition requires:
```json
{
"name": "kev",
"source": "cisa",
"type": "boolean",
"path": "/evidence/kev/known",
"transform": null,
"unit": null
}
```
### Signal Properties
| Property | Required | Type | Description |
|----------|:--------:|------|-------------|
| `name` | ✅ | string | Logical signal key (e.g., `reachability`, `kev`, `exploit_chain`) |
| `source` | ✅ | string | Upstream provider or calculation origin |
| `type` | ✅ | enum | `boolean`, `numeric`, or `categorical` |
| `path` | | string | JSON Pointer to the signal in the evidence document |
| `transform` | | string | Transform applied before weighting (e.g., `log`, `normalize`) |
| `unit` | | string | Unit for numeric signals |
### Built-in Signal Sources
| Source | Signal Names | Type | Description |
|--------|-------------|------|-------------|
| `cvss` | `base_score`, `temporal_score`, `environmental_score` | numeric | CVSS v4.0 scores |
| `epss` | `probability`, `percentile` | numeric | EPSS v4 exploit prediction |
| `cisa` | `kev` | boolean | Known Exploited Vulnerabilities |
| `reachability` | `reachable`, `confidence`, `depth` | mixed | Reachability analysis results |
| `vex` | `status`, `justification` | categorical | VEX consensus status |
| `patch` | `available`, `verified` | boolean | Patch availability evidence |
| `runtime` | `observed`, `observation_count` | mixed | Runtime signal correlation |
---
## Weight Configuration
Weights determine the relative importance of each signal in the final risk score. Weights are normalized by the scoring engine.
```json
{
"weights": {
"base_score": 0.3,
"kev": 0.25,
"reachability": 0.25,
"epss_probability": 0.15,
"patch_available": 0.05
}
}
```
**Weight Rules:**
- Values must be between 0.0 and 1.0
- Weights are normalized (sum to 1.0) at runtime
- Missing signals receive zero contribution
---
## Override Configuration
Overrides allow conditional severity adjustments and decision actions.
### Severity Overrides
```json
{
"overrides": {
"severity": [
{
"when": { "kev": true, "reachable": true },
"set": "critical"
},
{
"when": { "patch_available": true, "reachable": false },
"set": "low"
}
]
}
}
```
**Severity Levels:** `critical`, `high`, `medium`, `low`, `informational`
### Decision Overrides
```json
{
"overrides": {
"decisions": [
{
"when": { "kev": true },
"action": "deny",
"reason": "Active exploitation detected via CISA KEV"
},
{
"when": { "reachable": false, "vex_status": "not_affected" },
"action": "allow",
"reason": "Unreachable and verified not affected"
}
]
}
}
```
**Decision Actions:** `allow`, `review`, `deny`
---
## Example Risk Profile
```json
{
"id": "stella-default-v1",
"version": "1.0.0",
"description": "Default risk profile for container vulnerability assessment",
"signals": [
{ "name": "base_score", "source": "cvss", "type": "numeric", "path": "/cvss/baseScore" },
{ "name": "kev", "source": "cisa", "type": "boolean", "path": "/evidence/kev/known" },
{ "name": "epss_probability", "source": "epss", "type": "numeric", "path": "/epss/probability" },
{ "name": "reachable", "source": "reachability", "type": "boolean", "path": "/reachability/reachable" },
{ "name": "reachability_confidence", "source": "reachability", "type": "numeric", "path": "/reachability/confidence" },
{ "name": "patch_available", "source": "patch", "type": "boolean", "path": "/patch/available" },
{ "name": "vex_status", "source": "vex", "type": "categorical", "path": "/vex/status" }
],
"weights": {
"base_score": 0.25,
"kev": 0.20,
"epss_probability": 0.15,
"reachable": 0.20,
"reachability_confidence": 0.10,
"patch_available": 0.05,
"vex_status": 0.05
},
"overrides": {
"severity": [
{ "when": { "kev": true, "reachable": true }, "set": "critical" },
{ "when": { "reachable": false }, "set": "low" }
],
"decisions": [
{ "when": { "kev": true, "reachable": true }, "action": "deny", "reason": "Active exploitation in reachable code" },
{ "when": { "vex_status": "not_affected" }, "action": "allow", "reason": "VEX confirms not affected" }
]
},
"metadata": {
"author": "platform-team",
"compliance": ["SOC2", "ISO27001"]
}
}
```
---
## CLI Commands
### List Risk Profiles
```bash
stella policy profiles list --format table
```
### Show Profile Details
```bash
stella policy profiles show <profile-id> --format json
```
### Validate Profile
```bash
stella policy profiles validate profile.json
```
### Apply Profile
```bash
stella policy profiles apply <profile-id> --scope tenant:default
```
---
## Configuration Files
Risk profiles can be stored as YAML or JSON:
- **Default location:** `etc/risk-profiles/`
- **Environment variable:** `STELLA_RISK_PROFILES_PATH`
- **Configuration key:** `policy:riskProfiles:path`
### appsettings.yaml Example
```yaml
policy:
riskProfiles:
path: /etc/stella/risk-profiles
default: stella-default-v1
validation:
strict: true
allowUnknownSignals: false
```
---
## Validation Rules
1. **Schema validation** — Profile must conform to `risk-profile-schema@1.json`
2. **Signal consistency** — All signals in `weights` must be defined in `signals`
3. **Weight bounds** — All weights must be in [0.0, 1.0] range
4. **Override predicates**`when` clauses must reference valid signal names
5. **Version format** — Must be valid SemVer
### Validation Errors
| Code | Description |
|------|-------------|
| `RISK_PROFILE_001` | Missing required property |
| `RISK_PROFILE_002` | Invalid weight value |
| `RISK_PROFILE_003` | Unknown signal in weights |
| `RISK_PROFILE_004` | Invalid override predicate |
| `RISK_PROFILE_005` | Version format invalid |
---
## Related Documentation
- [Policy Engine Architecture](../architecture.md)
- [CVSS v4.0 Integration](../cvss-v4.md)
- [Policy Templates](../POLICY_TEMPLATES.md)
- [Determinization Architecture](../determinization-architecture.md)
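Review bot: Override precedence is undefined: in the Decision Overrides example `{ "kev": true }` (deny) and `{ "reachable": false, "vex_status": "not_affected" }` (allow) can both match the same finding, and the page never says whether first match wins, deny wins, or rules are rejected at validation when predicates overlap; add an explicit rule, because "allow" silently winning over a KEV deny is the worst possible default. Related: the Example Risk Profile's severity rule `{ "when": { "reachable": false }, "set": "low" }` downgrades KEV findings whenever reachability analysis says unreachable, so a reachability false negative suppresses an actively exploited vulnerability; note that the reachability `confidence` signal should gate this, or at least call out the risk in the example. The Weight Configuration snippet uses keys `reachability`, `epss_probability` and `patch_available`, but validation rule 2 requires every weights key to be a defined signal and the built-in signal table lists `reachable`, `probability` and `available` under those sources; as written the standalone weights example would fail `RISK_PROFILE_003` unless signals are renamed as the full example does, so either align the keys or state that signal `name` is the weight key, not the source field. The page also does not say how `categorical` signals such as `vex_status` are turned into a number before weighting. Two text fixes: "Weights — Relative importance of each signal (0.01.0)" has lost its range separator (should read 0.0 to 1.0), and "**Override predicates**`when` clauses" is missing the separator the other list items use.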