stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Add signal contracts for reachability, exploitability, trust, and unknown symbols
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Signals DSSE Sign & Evidence Locker / sign-signals-artifacts (push) Has been cancelled
Details
Signals DSSE Sign & Evidence Locker / verify-signatures (push) Has been cancelled
Details

Browse Source 
- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties.
- Implemented JSON serialization attributes for proper data interchange.
- Created project files for the new signal contracts library and corresponding test projects.
- Added deterministic test fixtures for micro-interaction testing.
- Included cryptographic keys for secure operations with cosign.
This commit is contained in:
StellaOps Bot
2025-12-05 00:27:00 +02:00
parent b018949a8d
commit 8768c27f30
192 changed files with 27569 additions and 2552 deletions
Download Patch File Download Diff File Expand all files Collapse all files

281
docs/schemas/mirror-bundle.schema.json Normal file
View File

@@ -0,0 +1,281 @@
{
"$id": "https://stella.ops/schema/mirror-bundle.json",
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "MirrorBundle",
"description": "Air-gap mirror bundle format for offline operation with DSSE signature support",
"type": "object",
"required": [
"schemaVersion",
"generatedAt",
"domainId",
"exports"
],
"properties": {
"schemaVersion": {
"type": "integer",
"minimum": 1,
"description": "Bundle schema version for compatibility"
},
"generatedAt": {
"type": "string",
"format": "date-time",
"description": "ISO-8601 timestamp when bundle was generated"
},
"targetRepository": {
"type": "string",
"description": "Target OCI repository for this bundle (optional)"
},
"domainId": {
"type": "string",
"description": "Domain identifier for bundle categorization",
"examples": ["vex-advisories", "vulnerability-feeds", "policy-packs"]
},
"displayName": {
"type": "string",
"description": "Human-readable domain display name"
},
"exports": {
"type": "array",
"items": {
"$ref": "#/$defs/BundleExport"
},
"minItems": 1,
"description": "Exported data sets in this bundle"
}
},
"$defs": {
"BundleExport": {
"type": "object",
"required": [
"key",
"format",
"exportId",
"createdAt",
"artifactDigest"
],
"properties": {
"key": {
"type": "string",
"description": "Export identifier key",
"examples": ["vex-openvex-all", "vuln-critical-cve"]
},
"format": {
"type": "string",
"enum": ["openvex", "csaf", "cyclonedx", "spdx", "ndjson", "json"],
"description": "Export data format"
},
"exportId": {
"type": "string",
"format": "uuid",
"description": "Unique export execution identifier"
},
"querySignature": {
"type": "string",
"description": "Hash of query parameters used for this export"
},
"createdAt": {
"type": "string",
"format": "date-time",
"description": "When this export was created"
},
"artifactSizeBytes": {
"type": "integer",
"minimum": 0,
"description": "Size of the exported artifact in bytes"
},
"artifactDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "SHA-256 digest of the artifact"
},
"consensusRevision": {
"type": "string",
"description": "Consensus revision for VEX exports"
},
"policyRevisionId": {
"type": "string",
"description": "Policy revision ID if policy was applied"
},
"policyDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Policy content digest"
},
"consensusDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Consensus document digest"
},
"scoreDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Score document digest"
},
"sourceProviders": {
"type": "array",
"items": {
"type": "string"
},
"description": "VEX providers included in this export"
},
"attestation": {
"$ref": "#/$defs/AttestationDescriptor",
"description": "Attestation for this export if signed"
}
}
},
"AttestationDescriptor": {
"type": "object",
"required": ["predicateType"],
"properties": {
"predicateType": {
"type": "string",
"format": "uri",
"description": "in-toto predicate type URI"
},
"rekorLocation": {
"type": "string",
"format": "uri",
"description": "Sigstore Rekor transparency log entry"
},
"envelopeDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "DSSE envelope digest"
},
"signedAt": {
"type": "string",
"format": "date-time",
"description": "When the attestation was signed"
}
}
},
"BundleSignature": {
"type": "object",
"required": ["algorithm", "keyId", "signedAt"],
"properties": {
"path": {
"type": "string",
"description": "Relative path to signature file"
},
"algorithm": {
"type": "string",
"description": "Signing algorithm used",
"examples": ["ES256", "RS256", "EdDSA"]
},
"keyId": {
"type": "string",
"description": "Key identifier used for signing"
},
"provider": {
"type": "string",
"description": "Crypto provider name"
},
"signedAt": {
"type": "string",
"format": "date-time",
"description": "When the bundle was signed"
}
}
},
"BundleManifest": {
"type": "object",
"required": ["schemaVersion", "generatedAt", "domainId", "bundle"],
"description": "Domain manifest pointing to bundle and exports",
"properties": {
"schemaVersion": {
"type": "integer"
},
"generatedAt": {
"type": "string",
"format": "date-time"
},
"domainId": {
"type": "string"
},
"displayName": {
"type": "string"
},
"targetRepository": {
"type": "string"
},
"bundle": {
"$ref": "#/$defs/FileDescriptor"
},
"exports": {
"type": "array",
"items": {
"$ref": "#/$defs/ManifestExportEntry"
}
}
}
},
"FileDescriptor": {
"type": "object",
"required": ["path", "sizeBytes", "digest"],
"properties": {
"path": {
"type": "string",
"description": "Relative file path"
},
"sizeBytes": {
"type": "integer",
"minimum": 0
},
"digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"signature": {
"$ref": "#/$defs/BundleSignature"
}
}
},
"ManifestExportEntry": {
"type": "object",
"required": ["key", "format", "exportId", "createdAt", "artifactDigest"],
"properties": {
"key": { "type": "string" },
"format": { "type": "string" },
"exportId": { "type": "string" },
"querySignature": { "type": "string" },
"createdAt": { "type": "string", "format": "date-time" },
"artifactDigest": { "type": "string" },
"artifactSizeBytes": { "type": "integer" },
"consensusRevision": { "type": "string" },
"policyRevisionId": { "type": "string" },
"policyDigest": { "type": "string" },
"consensusDigest": { "type": "string" },
"scoreDigest": { "type": "string" },
"sourceProviders": { "type": "array", "items": { "type": "string" } },
"attestation": { "$ref": "#/$defs/AttestationDescriptor" }
}
}
},
"examples": [
{
"schemaVersion": 1,
"generatedAt": "2025-11-21T10:00:00Z",
"targetRepository": "oci://registry.internal/stella/mirrors",
"domainId": "vex-advisories",
"displayName": "VEX Advisories",
"exports": [
{
"key": "vex-openvex-all",
"format": "openvex",
"exportId": "550e8400-e29b-41d4-a716-446655440000",
"querySignature": "abc123def456",
"createdAt": "2025-11-21T10:00:00Z",
"artifactSizeBytes": 1048576,
"artifactDigest": "sha256:7d9cd5f1a2a0dd9a41a2c43a5b7d8a0bcd9e34cf39b3f43a70595c834f0a4aee",
"sourceProviders": ["anchore", "github", "redhat"],
"attestation": {
"predicateType": "https://stella.ops/attestation/vex-export/v1",
"signedAt": "2025-11-21T10:00:01Z",
"envelopeDigest": "sha256:8d9cd5f1a2a0dd9a41a2c43a5b7d8a0bcd9e34cf39b3f43a70595c834f0a4aef"
}
}
]
}
]
}