consolidation of some of the modules, localization fixes, product advisories work, qa work

This commit is contained in:
master
2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions


@@ -33,69 +33,58 @@ The solution contains **46 top-level modules** in `src/`. The architecture docum
## 2. Complete Module Inventory
### Core Platform (4 modules)
### Core Platform (3 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **Authority** | `src/Authority/` | Authentication, authorization, OAuth/OIDC, DPoP, tenant management | Yes | No | PostgreSQL (`authority`) |
| **Gateway** | `src/Gateway/` | API gateway with routing, TLS termination, transport abstraction | Yes | No | Stateless |
| **Router** | `src/Router/` | Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey) | Yes | No | Valkey |
| **Authority** | `src/Authority/` | Authentication, authorization, OAuth/OIDC, DPoP, tenant management. Includes IssuerDirectory (Sprint 216). | Yes | No | PostgreSQL (`authority`) |
| **Router** | `src/Router/` | Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey) and HTTP ingress gateway. `src/Gateway/` deleted (Sprint 200). | Yes | No | Valkey |
| **Platform** | `src/Platform/` | Platform Service aggregation APIs, console data composition | Yes | No | Aggregates |
### Data Ingestion (7 modules)
### Data Ingestion (4 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **Concelier** | `src/Concelier/` | Vulnerability advisory ingestion (NVD, OSV, GHSA, CSAF), merge engine with AOC | Yes | Yes | PostgreSQL (`vuln`) |
| **Excititor** | `src/Excititor/` | VEX document ingestion and export (OpenVEX, CSAF VEX) | Yes | Yes | PostgreSQL (`vex`) |
| **Concelier** | `src/Concelier/` | Vulnerability advisory ingestion (NVD, OSV, GHSA, CSAF), merge engine with AOC. Includes Feedser and Excititor (Sprint 203). | Yes | Yes | PostgreSQL (`vuln`, `vex`) |
| **VexLens** | `src/VexLens/` | VEX consensus computation across issuers, conflict analysis | Yes | No | PostgreSQL (cache) |
| **VexHub** | `src/VexHub/` | VEX distribution and exchange hub | Yes | No | PostgreSQL |
| **IssuerDirectory** | `src/IssuerDirectory/` | Issuer trust registry for CSAF publishers | Yes | No | PostgreSQL |
| **Feedser** | `src/Feedser/` | Evidence collection library for backport detection | Library | N/A | N/A |
| **Mirror** | `src/Mirror/` | Vulnerability feed mirror and distribution | Yes | Yes | RustFS |
### Scanning & Analysis (5 modules)
### Scanning & Analysis (4 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **Scanner** | `src/Scanner/` | Container scanning with SBOM generation (11 language analyzers), call graphs | Yes | Yes | PostgreSQL (`scanner`) + RustFS |
| **BinaryIndex** | `src/BinaryIndex/` | Binary identity extraction and fingerprinting | Yes | No | PostgreSQL |
| **AdvisoryAI** | `src/AdvisoryAI/` | AI-assisted advisory analysis and summarization | Yes | No | PostgreSQL |
| **Symbols** | `src/Symbols/` | Symbol resolution and debug information | Yes | No | PostgreSQL |
| **Scanner** | `src/Scanner/` | Container scanning with SBOM generation (11 language analyzers), call graphs. Includes Cartographer (Sprint 201). | Yes | Yes | PostgreSQL (`scanner`) + RustFS |
| **BinaryIndex** | `src/BinaryIndex/` | Binary identity extraction and fingerprinting. Includes Symbols (Sprint 202). | Yes | No | PostgreSQL |
| **AdvisoryAI** | `src/AdvisoryAI/` | AI-assisted advisory analysis and summarization. Includes OpsMemory (Sprint 213). | Yes | No | PostgreSQL |
| **ReachGraph** | `src/ReachGraph/` | Reachability graph service, CVE reachability analysis | Yes | No | PostgreSQL |
### Artifacts & Evidence (7 modules)
### Artifacts & Evidence (5 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **Attestor** | `src/Attestor/` | in-toto/DSSE attestation generation, Rekor v2 integration | Yes | No | PostgreSQL + RustFS |
| **Signer** | `src/Signer/` | Cryptographic signing operations (PKIX, DSSE) | Yes | No | PostgreSQL |
| **Attestor** | `src/Attestor/` | in-toto/DSSE attestation generation, Rekor v2 integration. Includes Signer and Provenance (Sprint 204). | Yes | No | PostgreSQL + RustFS |
| **SbomService** | `src/SbomService/` | SBOM storage, versioning, and lineage ledger | Yes | No | PostgreSQL + RustFS |
| **EvidenceLocker** | `src/EvidenceLocker/` | Sealed evidence storage and export | Yes | No | RustFS |
| **ExportCenter** | `src/ExportCenter/` | Batch export and report generation (SARIF, SBOM, evidence bundles) | Yes | No | RustFS |
| **Provenance** | `src/Provenance/` | SLSA/DSSE attestation tooling | Library | N/A | N/A |
| **Provcache** | Library | Provenance cache utilities | Library | N/A | N/A |
### Policy & Risk (4 modules)
### Policy & Risk (3 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **Policy** | `src/Policy/` | Policy engine with K4 lattice logic, confidence scoring, VEX emission | Yes | Yes | PostgreSQL (`policy`) |
| **RiskEngine** | `src/RiskEngine/` | Risk scoring runtime with pluggable providers | Yes | No | PostgreSQL |
| **VulnExplorer** | `src/VulnExplorer/` | Vulnerability exploration and triage UI backend | Yes | No | PostgreSQL (cache) |
| **Unknowns** | `src/Unknowns/` | Unknown component and symbol tracking registry | Yes | No | PostgreSQL |
| **Unknowns** | `src/Unknowns/` | Unknown component and symbol tracking registry (boundary preserved, Sprint 206) | Yes | No | PostgreSQL |
| **Findings** | `src/Findings/` | Centralized findings aggregation. Includes RiskEngine and VulnExplorer (Sprint 207). | Yes | No | PostgreSQL |
### Operations (8 modules)
### Operations (5 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **Scheduler** | `src/Scheduler/` | Job scheduling and queue management, cron-based rescan | Yes | No | PostgreSQL (`scheduler`) |
| **Orchestrator** | `src/Orchestrator/` | Workflow orchestration and task coordination | Yes | No | PostgreSQL (`orchestrator`) |
| **TaskRunner** | `src/TaskRunner/` | Task pack execution engine | Yes | Yes | PostgreSQL |
| **Notify** | `src/Notify/` | Notification toolkit (Email, Slack, Teams, Webhooks) - shared libraries | Library | N/A | N/A |
| **Notifier** | `src/Notifier/` | Notifications Studio host (WebService + Worker) | Yes | Yes | PostgreSQL (`notify`) |
| **PacksRegistry** | `src/PacksRegistry/` | Task packs registry and distribution | Yes | No | PostgreSQL |
| **TimelineIndexer** | `src/TimelineIndexer/` | Timeline event indexing for audit trails | Yes | No | PostgreSQL |
| **JobEngine** | `src/JobEngine/` | Workflow orchestration, scheduling, task execution, pack registry. Includes Scheduler, TaskRunner, PacksRegistry (Sprint 208); renamed from Orchestrator (Sprint 221). | Yes | Yes | PostgreSQL (`orchestrator`, `scheduler`) |
| **Notify** | `src/Notify/` | Notification toolkit (Email, Slack, Teams, Webhooks) - shared libraries. Boundary preserved with Notifier (Sprint 209). | Library | N/A | N/A |
| **Notifier** | `src/Notifier/` | Notifications Studio host (WebService + Worker). Boundary preserved with Notify (Sprint 209). | Yes | Yes | PostgreSQL (`notify`) |
| **Timeline** | `src/Timeline/` | Timeline query, event indexing, and replay. Includes TimelineIndexer (Sprint 210). | Yes | No | PostgreSQL |
| **Replay** | `src/Replay/` | Deterministic replay engine | Yes | No | PostgreSQL |
### Integration (5 modules)
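Review bot: the per-section totals are updated (Core Platform 3, Data Ingestion 4, Scanning & Analysis 4, Artifacts & Evidence 5, Policy & Risk 3, Operations 5) but the intro sentence visible in the hunk header still states "The solution contains **46 top-level modules**"; that number needs to be recomputed from the consolidated tables in the same change, or the inventory contradicts its own summary. Two rows also drop responsibilities that should stay documented: the removed Gateway row listed "TLS termination", while the new Router row only says "HTTP ingress gateway" and notes "`src/Gateway/` deleted (Sprint 200)", so state explicitly where TLS termination now lives (and move the deletion note to a changelog rather than the Purpose column); likewise the Attestor row says "Includes Signer and Provenance (Sprint 204)" but no longer mentions the "Cryptographic signing operations (PKIX, DSSE)" the Signer row carried, so the signing and key-handling responsibility should be restated in Attestor's Purpose.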
@@ -126,16 +115,14 @@ The solution contains **46 top-level modules** in `src/`. The architecture docum
| **Benchmark** | Scanner library | Competitive benchmarking (accuracy comparison) | Tool | N/A | N/A |
| **Bench** | `src/Bench/` | Performance benchmarks | Tool | N/A | N/A |
### Utility & Internal (6+ modules)
### Utility & Internal (4+ modules)
| Module | Path | Purpose | Notes |
|--------|------|---------|-------|
| **Cartographer** | `src/Cartographer/` | Identity graphs from SBOM/advisory data | Feeds Graph Explorer |
| **Findings** | `src/Findings/` | Materializes effective findings from Policy outputs | Feeds UI/CLI/Notify |
| **SrmRemote** | `src/SrmRemote/` | SBOM remote operations | Integration utility |
| **Tools** | `src/Tools/` | Utility programs (fixture generators, migration scripts) | Dev tooling |
| **Findings** | `src/Findings/` | Materializes effective findings from Policy outputs. Includes RiskEngine and VulnExplorer (Sprint 207). | Feeds UI/CLI/Notify |
| **SmRemote** | `src/SmRemote/` | Remote SM2/SM3/SM4 cryptographic operations | Integration utility |
| **Tools** | `src/Tools/` | Utility programs (fixture generators, migration scripts). Includes Bench, Verifier, Sdk, DevPortal (Sprint 212). | Dev tooling |
| **PluginBinaries** | Various | Authority and Concelier plugin binaries | Plugin hosting |
| **DevPortal** | `src/DevPortal/` | Developer onboarding portal | Documentation |
---
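Review bot: Findings is now listed twice with the identical note "Includes RiskEngine and VulnExplorer (Sprint 207)", once under Policy & Risk and again here under Utility & Internal; keep one row (Policy & Risk reads as the owning section) and drop the other. The Tools row says "Includes Bench, Verifier, Sdk, DevPortal (Sprint 212)", yet Bench keeps its own row in the preceding context (`src/Bench/`) and DevPortal keeps its own row in this table (`src/DevPortal/`), so either those rows are stale or the Tools note overstates the consolidation; the heading's "4+ modules" also does not match the five rows present. Finally, SrmRemote → SmRemote changes the Purpose from "SBOM remote operations" to "Remote SM2/SM3/SM4 cryptographic operations", which is a different module description rather than a rename; confirm `src/SmRemote/` exists with that role and, if the old row was simply wrong, say so in the commit message.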