feat: Add comprehensive product advisories for improved scanner functionality
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations.
- Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency.
- Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results.
- Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages.
- Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange.
- Established a validation plan for quiet scans, focusing on provenance and CI integration.
- Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.
@@ -23,32 +23,34 @@
| --- | --- | --- | --- | --- | --- |
| 110.A Advisory AI | DOCS-AIAI-31-004 | DOING | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001/003 | Guardrail console doc drafted; screenshots + SBOM evidence pending. |
| 110.A Advisory AI | AIAI-31-009 | DONE (2025-11-12) | Advisory AI Guild | — | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. |
| 110.A Advisory AI | AIAI-31-008 | TODO | Advisory AI Guild | AIAI-31-006; AIAI-31-007 | Remote inference packaging queued behind policy knob work. |
| 110.A Advisory AI | AIAI-31-008 | BLOCKED | Advisory AI Guild | AIAI-31-006; AIAI-31-007 | Blocked pending policy knob deliverables (AIAI-31-006/007). |
| 110.A Advisory AI | SBOM-AIAI-31-003 | BLOCKED | SBOM Service Guild | SBOM-AIAI-31-001; CLI-VULN-29-001; CLI-VEX-30-001 | Needs SBOM delta kit + CLI deliverables before validation can proceed. |
| 110.A Advisory AI | DOCS-AIAI-31-005/006/008/009 | BLOCKED | Docs Guild | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | CLI/policy/ops docs paused pending upstream artefacts. |
| 110.B Concelier | CONCELIER-AIAI-31-002 | DOING | Concelier Core · Concelier WebService Guilds | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 | Structured field/caching implementation gated on schema approval. |
| 110.B Concelier | CONCELIER-AIAI-31-002 | BLOCKED | Concelier Core · Concelier WebService Guilds | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 | Blocked: Link-Not-Merge schema still not approved; cannot finalize structured field/caching. |
| 110.B Concelier | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | Concelier Observability Guild | — | Telemetry counters/histograms live for Advisory AI dashboards. |
| 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | TODO | Concelier Core · AirGap Guilds | Link-Not-Merge schema; Evidence Locker attestation contract | Air-gap bundles waiting on stable schema + attestation payloads. |
| 110.B Concelier | CONCELIER-CONSOLE-23-001..003 | TODO | Concelier Console Guild | Link-Not-Merge schema | Console overlays blocked until schema signed off. |
| 110.B Concelier | CONCELIER-ATTEST-73-001/002 | TODO | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; Evidence Locker contract | Attestation metadata wiring follows structured caching. |
| 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | Concelier Core · AirGap Guilds | Link-Not-Merge schema; Evidence Locker attestation contract | Blocked until schema approval + attestation scope sign-off. |
| 110.B Concelier | CONCELIER-CONSOLE-23-001..003 | BLOCKED | Concelier Console Guild | Link-Not-Merge schema | Blocked pending Link-Not-Merge schema approval. |
| 110.B Concelier | CONCELIER-ATTEST-73-001/002 | BLOCKED | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; Evidence Locker contract | Blocked until structured caching lands and Evidence Locker contract finalises. |
| 110.B Concelier | FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008 | BLOCKED | Concelier Feed Owners | Feed owner remediation plan | Overdue provenance refreshes require schedule from feed owners. |
| 110.C Excititor | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | Excititor Web/Core Guilds | — | Normalised VEX justification projections shipped. |
| 110.C Excititor | EXCITITOR-AIAI-31-002 | TODO | Excititor Web/Core Guilds | Link-Not-Merge schema; Evidence Locker contract | Chunk API waiting on schema + ingest agreements. |
| 110.C Excititor | EXCITITOR-AIAI-31-003 | TODO | Excititor Observability Guild | EXCITITOR-AIAI-31-002 | Telemetry/guardrail metrics follow chunk API. |
| 110.C Excititor | EXCITITOR-AIAI-31-004 | TODO | Docs Guild · Excititor Guild | EXCITITOR-AIAI-31-002 | Docs/OpenAPI alignment queued behind chunk API finalisation. |
| 110.C Excititor | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | TODO | Excititor Guild · Evidence Locker Guild | EXCITITOR-AIAI-31-002; Evidence Locker contract | Attestation payload ordering awaiting sequencing session. |
| 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | TODO | Excititor Guild · AirGap Guilds | Link-Not-Merge schema; attestation plan | Air-gap + connector parity depend on schema + attestation readiness. |
| 110.D Mirror | MIRROR-CRT-56-001 | TODO | Mirror Creator Guild | Staffing decision | Deterministic assembler has no owner; kickoff rescheduled to 2025-11-15. |
| 110.D Mirror | MIRROR-CRT-56-002 | TODO | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | DSSE/TUF metadata follows assembler baseline. |
| 110.D Mirror | MIRROR-CRT-57-001/002 | TODO | Mirror Creator Guild · AirGap Time Guild | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | OCI/time-anchor workstreams blocked pending assembler + time contract. |
| 110.D Mirror | MIRROR-CRT-58-001/002 | TODO | Mirror Creator Guild · CLI Guild · Exporter Guild | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | CLI + Export automation depends on assembler and DSSE/TUF track. |
| 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | TODO | Exporter Guild · AirGap Time Guild · CLI Guild | MIRROR-CRT-56-001 staffing | Downstream automation awaiting assembler staffing outcome. |
| 110.C Excititor | EXCITITOR-AIAI-31-002 | BLOCKED | Excititor Web/Core Guilds | Link-Not-Merge schema; Evidence Locker contract | Blocked until schema + ingest contract approved. |
| 110.C Excititor | EXCITITOR-AIAI-31-003 | BLOCKED | Excititor Observability Guild | EXCITITOR-AIAI-31-002 | Blocked behind EXCITITOR-AIAI-31-002. |
| 110.C Excititor | EXCITITOR-AIAI-31-004 | BLOCKED | Docs Guild · Excititor Guild | EXCITITOR-AIAI-31-002 | Blocked until chunk API finalized. |
| 110.C Excititor | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | BLOCKED | Excititor Guild · Evidence Locker Guild | EXCITITOR-AIAI-31-002; Evidence Locker contract | Blocked pending chunk API + Evidence Locker attestation scope. |
| 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | BLOCKED | Excititor Guild · AirGap Guilds | Link-Not-Merge schema; attestation plan | Blocked until schema + attestation readiness. |
| 110.D Mirror | MIRROR-CRT-56-001 | BLOCKED | Mirror Creator Guild | Staffing decision | Blocked: no owner assigned; kickoff slipped past 2025-11-15. |
| 110.D Mirror | MIRROR-CRT-56-002 | BLOCKED | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | Blocked until MIRROR-CRT-56-001 staffed. |
| 110.D Mirror | MIRROR-CRT-57-001/002 | BLOCKED | Mirror Creator Guild · AirGap Time Guild | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | Blocked; upstream staffing unresolved. |
| 110.D Mirror | MIRROR-CRT-58-001/002 | BLOCKED | Mirror Creator Guild · CLI Guild · Exporter Guild | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | Blocked until assembler staffed and upstream contracts agreed. |
| 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | BLOCKED | Exporter Guild · AirGap Time Guild · CLI Guild | MIRROR-CRT-56-001 staffing | Blocked pending MIRROR-CRT-56-001 ownership. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-13 | Refreshed wave tracker, decisions, and contingency plan ahead of 14–15 Nov checkpoints; outstanding asks: SBOM/CLI/Policy/DevOps ETAs, Link-Not-Merge approval, Mirror staffing. | Sprint 110 leads |
| 2025-11-09 | Captured initial wave scope, interlocks, and risks covering SBOM/CLI/Policy/DevOps artefacts, Link-Not-Merge schemas, Excititor justification backlog, and Mirror assembler commitments. | Sprint 110 leads |
| 2025-11-16 | Updated task board: marked Advisory AI packaging, Concelier air-gap/console/attestation tracks, Excititor chunk/attestation/air-gap tracks, and all Mirror tracks as BLOCKED pending schema approvals, Evidence Locker contract, and Mirror staffing decisions. | Implementer |
| 2025-11-16 | Marked CONCELIER-AIAI-31-002 BLOCKED (waiting on Link-Not-Merge schema approval); progressed DOCS-AIAI-31-004 doc draft. | Implementer |

## Decisions & Risks
### Decisions in flight

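Review bot: the two new Execution Log rows dated 2025-11-16 are appended below the 2025-11-09 entry, while the table is otherwise ordered newest-first (2025-11-13 above 2025-11-09); move them above the 2025-11-13 row so the log stays readable in one direction, and consider folding them into a single 2025-11-16 row since both record the same day's board update by the same owner. The status flips themselves are consistent with that log entry: every row moved from TODO/DOING to BLOCKED names the same blocker (Link-Not-Merge schema, Evidence Locker contract, policy knob deliverables, or MIRROR-CRT-56-001 staffing) that its dependency column already listed, and the MIRROR-CRT-56-001 note correctly reflects that the 2025-11-15 kickoff date in the old row has passed.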