stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity

Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source 
- Implemented PolicyDslValidator with command-line options for strict mode and JSON output.
- Created PolicySchemaExporter to generate JSON schemas for policy-related models.
- Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes.
- Added project files and necessary dependencies for each tool.
- Ensured proper error handling and usage instructions across tools.
This commit is contained in:
master
2025-10-27 08:00:11 +02:00
parent 651b8e0fa3
commit 96d52884e8
712 changed files with 49449 additions and 6124 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
samples/api/scheduler/graph-build-job.json Normal file
View File

@@ -0,0 +1,19 @@
{
"schemaVersion": "scheduler.graph-build-job@1",
"id": "gbj_20251026a",
"tenantId": "tenant-alpha",
"sbomId": "sbom_20251026",
"sbomVersionId": "sbom_ver_20251026",
"sbomDigest": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
"graphSnapshotId": "graph_snap_20251026",
"status": "running",
"trigger": "sbom-version",
"attempts": 1,
"cartographerJobId": "carto_job_42",
"correlationId": "evt_svc_987",
"createdAt": "2025-10-26T12:00:00+00:00",
"startedAt": "2025-10-26T12:00:05+00:00",
"metadata": {
"sbomEventId": "sbom_evt_20251026"
}
}

21
samples/api/scheduler/graph-overlay-job.json Normal file
View File

@@ -0,0 +1,21 @@
{
"schemaVersion": "scheduler.graph-overlay-job@1",
"id": "goj_20251026a",
"tenantId": "tenant-alpha",
"graphSnapshotId": "graph_snap_20251026",
"buildJobId": "gbj_20251026a",
"overlayKind": "policy",
"overlayKey": "policy@2025-10-01",
"subjects": [
"artifact:service-api",
"artifact:service-worker"
],
"status": "queued",
"trigger": "policy",
"attempts": 0,
"correlationId": "policy_run_321",
"createdAt": "2025-10-26T12:05:00+00:00",
"metadata": {
"policyRunId": "policy_run_321"
}
}

31
samples/api/scheduler/policy-diff-summary.json Normal file
View File

@@ -0,0 +1,31 @@
{
"schemaVersion": "scheduler.policy-diff-summary@1",
"added": 12,
"removed": 8,
"unchanged": 657,
"bySeverity": {
"critical": {
"up": 1
},
"high": {
"up": 3,
"down": 4
},
"medium": {
"up": 2,
"down": 1
}
},
"ruleHits": [
{
"ruleId": "rule-block-critical",
"ruleName": "Block Critical Findings",
"up": 1
},
{
"ruleId": "rule-quiet-low",
"ruleName": "Quiet Low Risk",
"down": 2
}
]
}

83
samples/api/scheduler/policy-explain-trace.json Normal file
View File

@@ -0,0 +1,83 @@
{
"schemaVersion": "scheduler.policy-explain-trace@1",
"findingId": "finding:sbom:S-42/pkg:npm/lodash@4.17.21",
"policyId": "P-7",
"policyVersion": 4,
"tenantId": "default",
"runId": "run:P-7:2025-10-26:auto",
"evaluatedAt": "2025-10-26T14:06:01+00:00",
"verdict": {
"status": "blocked",
"severity": "critical",
"score": 19.5,
"rationale": "Matches rule-block-critical"
},
"ruleChain": [
{
"ruleId": "rule-allow-known",
"ruleName": "Allow Known Vendors",
"action": "allow",
"decision": "skipped",
"condition": "when vendor == \"trusted\""
},
{
"ruleId": "rule-block-critical",
"ruleName": "Block Critical Findings",
"action": "block",
"decision": "matched",
"score": 19.5,
"condition": "when severity >= Critical"
}
],
"evidence": [
{
"type": "advisory",
"reference": "CVE-2025-12345",
"source": "nvd",
"status": "affected",
"weight": 1,
"justification": "Vendor advisory",
"metadata": {}
},
{
"type": "vex",
"reference": "vex:ghsa-2025-0001",
"source": "vendor",
"status": "not_affected",
"weight": 0.5,
"justification": "Runtime unreachable",
"metadata": {
"justificationid": "csaf:justification/123"
}
}
],
"vexImpacts": [
{
"statementId": "vex:ghsa-2025-0001",
"provider": "vendor",
"status": "not_affected",
"accepted": true,
"justification": "Runtime unreachable",
"confidence": "medium"
}
],
"history": [
{
"status": "blocked",
"occurredAt": "2025-10-26T14:06:01+00:00",
"actor": "policy-engine",
"note": "Initial evaluation"
},
{
"status": "blocked",
"occurredAt": "2025-10-26T14:16:01+00:00",
"actor": "policy-engine",
"note": "Replay verification"
}
],
"metadata": {
"componentpurl": "pkg:npm/lodash@4.17.21",
"sbomid": "sbom:S-42",
"traceid": "01HE0BJX5S4T9YCN6ZT0"
}
}

29
samples/api/scheduler/policy-run-request.json Normal file
View File

@@ -0,0 +1,29 @@
{
"schemaVersion": "scheduler.policy-run-request@1",
"tenantId": "default",
"policyId": "P-7",
"policyVersion": 4,
"mode": "incremental",
"priority": "normal",
"runId": "run:P-7:2025-10-26:auto",
"queuedAt": "2025-10-26T14:05:00+00:00",
"requestedBy": "user:cli",
"correlationId": "req-20251026T140500Z",
"metadata": {
"source": "stella policy run",
"trigger": "cli"
},
"inputs": {
"sbomSet": [
"sbom:S-318",
"sbom:S-42"
],
"advisoryCursor": "2025-10-26T13:59:00+00:00",
"vexCursor": "2025-10-26T13:58:30+00:00",
"environment": {
"exposure": "internet",
"sealed": false
},
"captureExplain": true
}
}

41
samples/api/scheduler/policy-run-status.json Normal file
View File

@@ -0,0 +1,41 @@
{
"schemaVersion": "scheduler.policy-run-status@1",
"runId": "run:P-7:2025-10-26:auto",
"tenantId": "default",
"policyId": "P-7",
"policyVersion": 4,
"mode": "incremental",
"status": "succeeded",
"priority": "normal",
"queuedAt": "2025-10-26T14:05:00+00:00",
"startedAt": "2025-10-26T14:05:11+00:00",
"finishedAt": "2025-10-26T14:06:01+00:00",
"determinismHash": "sha256:e3c2b2f3b1aa4567890abcdef1234567890abcdef1234567890abcdef123456",
"traceId": "01HE0BJX5S4T9YCN6ZT0",
"explainUri": "blob://policy/P-7/runs/2025-10-26T14-06-01Z.json",
"metadata": {
"orchestrator": "scheduler",
"sbombatchhash": "sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"
},
"stats": {
"components": 1742,
"rulesFired": 68023,
"findingsWritten": 4321,
"vexOverrides": 210,
"quieted": 12,
"durationSeconds": 50.8
},
"inputs": {
"sbomSet": [
"sbom:S-318",
"sbom:S-42"
],
"advisoryCursor": "2025-10-26T13:59:00+00:00",
"vexCursor": "2025-10-26T13:58:30+00:00",
"environment": {
"exposure": "internet",
"sealed": false
},
"captureExplain": true
}
}

101
samples/api/scheduler/run-summary.json Normal file
View File

@@ -0,0 +1,101 @@
{
"tenantId": "tenant-alpha",
"scheduleId": "sch_20251018a",
"updatedAt": "2025-10-18T22:10:10Z",
"lastRun": {
"runId": "run_20251018_0001",
"trigger": "feedser",
"state": "completed",
"createdAt": "2025-10-18T22:03:14Z",
"startedAt": "2025-10-18T22:03:20Z",
"finishedAt": "2025-10-18T22:08:45Z",
"stats": {
"candidates": 1280,
"deduped": 910,
"queued": 0,
"completed": 910,
"deltas": 42,
"newCriticals": 7,
"newHigh": 11,
"newMedium": 18,
"newLow": 6
},
"error": null
},
"recent": [
{
"runId": "run_20251018_0001",
"trigger": "feedser",
"state": "completed",
"createdAt": "2025-10-18T22:03:14Z",
"startedAt": "2025-10-18T22:03:20Z",
"finishedAt": "2025-10-18T22:08:45Z",
"stats": {
"candidates": 1280,
"deduped": 910,
"queued": 0,
"completed": 910,
"deltas": 42,
"newCriticals": 7,
"newHigh": 11,
"newMedium": 18,
"newLow": 6
},
"error": null
},
{
"runId": "run_20251017_0003",
"trigger": "cron",
"state": "error",
"createdAt": "2025-10-17T22:01:02Z",
"startedAt": "2025-10-17T22:01:08Z",
"finishedAt": "2025-10-17T22:04:11Z",
"stats": {
"candidates": 1040,
"deduped": 812,
"queued": 0,
"completed": 640,
"deltas": 18,
"newCriticals": 2,
"newHigh": 4,
"newMedium": 7,
"newLow": 3
},
"error": "scanner timeout"
},
{
"runId": "run_20251016_0007",
"trigger": "manual",
"state": "cancelled",
"createdAt": "2025-10-16T20:00:00Z",
"startedAt": "2025-10-16T20:00:04Z",
"finishedAt": null,
"stats": {
"candidates": 820,
"deduped": 640,
"queued": 0,
"completed": 0,
"deltas": 0,
"newCriticals": 0,
"newHigh": 0,
"newMedium": 0,
"newLow": 0
},
"error": null
}
],
"counters": {
"total": 3,
"planning": 0,
"queued": 0,
"running": 0,
"completed": 1,
"error": 1,
"cancelled": 1,
"totalDeltas": 60,
"totalNewCriticals": 9,
"totalNewHigh": 15,
"totalNewMedium": 25,
"totalNewLow": 9
}
}