notify doctors work, audit work, new product advisory sprints

This commit is contained in:
master
2026-01-13 08:36:29 +02:00
parent b8868a5f13
commit 9ca7cb183e
343 changed files with 24492 additions and 3544 deletions


@@ -93,7 +93,7 @@ internal static class Program
var result = await casClient.VerifyWriteAsync(cancellationToken).ConfigureAwait(false);
Console.WriteLine($"handshake ok: {manifest.Id}@{manifest.Version} {result.Algorithm}:{result.Digest}");
Console.WriteLine($"handshake ok: {manifest.Id}@{manifest.Version} -> {result.Algorithm}:{result.Digest}");
Console.WriteLine(result.Path);
return 0;
}
@@ -260,8 +260,9 @@ internal static class Program
if (attestorUri is not null)
{
using var httpClient = CreateAttestorHttpClient(attestorUri, attestorToken, attestorInsecure);
var attestorClient = new AttestorClient(httpClient);
var allowInsecure = attestorInsecure && ShouldAllowInsecureAttestor(attestorUri);
using var attestorScope = CreateAttestorHttpClientScope(attestorUri, attestorToken, allowInsecure);
var attestorClient = new AttestorClient(attestorScope.Client);
await attestorClient.SendPlaceholderAsync(attestorUri, document, cancellationToken).ConfigureAwait(false);
}
@@ -340,7 +341,7 @@ internal static class Program
?? generatorVersion;
var workerInstance = GetOption(args, "--surface-worker-instance")
?? Environment.GetEnvironmentVariable("STELLAOPS_SURFACE_WORKER_INSTANCE")
?? Environment.MachineName;
?? component;
var attemptValue = GetOption(args, "--surface-attempt")
?? Environment.GetEnvironmentVariable("STELLAOPS_SURFACE_ATTEMPT");
var attempt = 1;
@@ -445,7 +446,7 @@ internal static class Program
Component: "Scanner.BuildXPlugin",
SecretType: "attestation");
using var handle = secretProvider.GetAsync(request).AsTask().GetAwaiter().GetResult();
using var handle = secretProvider.Get(request);
var secret = SurfaceSecretParser.ParseAttestationSecret(handle);
// Return the API key or token for attestor authentication
@@ -498,7 +499,7 @@ internal static class Program
Component: "Scanner.BuildXPlugin",
SecretType: "cas-access");
using var handle = secretProvider.GetAsync(request).AsTask().GetAwaiter().GetResult();
using var handle = secretProvider.Get(request);
return SurfaceSecretParser.ParseCasAccessSecret(handle);
}
catch
@@ -556,31 +557,71 @@ internal static class Program
return value;
}
private static HttpClient CreateAttestorHttpClient(Uri attestorUri, string? bearerToken, bool insecure)
private static bool ShouldAllowInsecureAttestor(Uri attestorUri)
{
var handler = new HttpClientHandler
if (!string.Equals(attestorUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
{
CheckCertificateRevocationList = true,
};
Console.Error.WriteLine("Attestor insecure flag ignored for non-HTTPS endpoint.");
return false;
}
if (insecure && string.Equals(attestorUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
{
Console.Error.WriteLine("WARNING: Attestor TLS verification disabled; use only for dev/test.");
return true;
}
private static AttestorHttpClientScope CreateAttestorHttpClientScope(Uri attestorUri, string? bearerToken, bool insecure)
{
var services = new ServiceCollection();
services.AddHttpClient("attestor", client =>
{
client.Timeout = TimeSpan.FromSeconds(30);
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
if (!string.IsNullOrWhiteSpace(bearerToken))
{
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", bearerToken);
}
})
.ConfigurePrimaryHttpMessageHandler(() =>
{
var handler = new HttpClientHandler
{
CheckCertificateRevocationList = true
};
if (insecure && string.Equals(attestorUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
{
#pragma warning disable S4830 // Explicitly gated by --attestor-insecure flag/env for dev/test usage.
handler.ServerCertificateCustomValidationCallback = (_, _, _, _) => true;
handler.ServerCertificateCustomValidationCallback = (_, _, _, _) => true;
#pragma warning restore S4830
}
return handler;
});
var provider = services.BuildServiceProvider();
var factory = provider.GetRequiredService<IHttpClientFactory>();
var client = factory.CreateClient("attestor");
return new AttestorHttpClientScope(provider, client);
}
private sealed class AttestorHttpClientScope : IDisposable
{
private readonly ServiceProvider _provider;
public AttestorHttpClientScope(ServiceProvider provider, HttpClient client)
{
_provider = provider ?? throw new ArgumentNullException(nameof(provider));
Client = client ?? throw new ArgumentNullException(nameof(client));
}
var client = new HttpClient(handler, disposeHandler: true)
{
Timeout = TimeSpan.FromSeconds(30)
};
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
public HttpClient Client { get; }
if (!string.IsNullOrWhiteSpace(bearerToken))
public void Dispose()
{
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", bearerToken);
Client.Dispose();
_provider.Dispose();
}
return client;
}
}
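Review bot: In `CreateAttestorHttpClientScope` the bearer token is attached to `DefaultRequestHeaders.Authorization` regardless of the endpoint scheme, while `ShouldAllowInsecureAttestor` only reports that the insecure flag is ignored for non-HTTPS endpoints, so a plain `http://` attestor URI sends the token in cleartext with no warning at all. Consider rejecting, or at least warning on, a bearer token combined with a non-HTTPS scheme before the named client is configured, e.g. `if (!string.IsNullOrWhiteSpace(bearerToken) && !string.Equals(attestorUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase)) { Console.Error.WriteLine("WARNING: bearer token will be sent over a non-HTTPS attestor endpoint."); }`. The HTTPS-and-insecure check is now performed twice (once in `ShouldAllowInsecureAttestor`, again inside `ConfigurePrimaryHttpMessageHandler`); keeping the second as defence in depth is reasonable, but a one-line comment such as `// Re-checked here so the handler never disables validation unless both the flag and HTTPS hold.` would stop a later cleanup from dropping it. Both new methods lack XML docs; a `<summary>` on each stating that `insecure` disables all server certificate validation for HTTPS endpoints and is gated by the `--attestor-insecure` flag/env referenced in the pragma comment would make the contract explicit to callers.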


@@ -21,11 +21,13 @@
<ItemGroup>
<ProjectReference Include="..\\..\\__Libraries\\StellaOps.Plugin\\StellaOps.Plugin.csproj" />
<ProjectReference Include="..\\..\\__Libraries\\StellaOps.Canonical.Json\\StellaOps.Canonical.Json.csproj" />
<ProjectReference Include="..\\__Libraries\\StellaOps.Scanner.Surface.FS\\StellaOps.Scanner.Surface.FS.csproj" />
<ProjectReference Include="..\\__Libraries\\StellaOps.Scanner.Surface.Secrets\\StellaOps.Scanner.Surface.Secrets.csproj" />
<ProjectReference Include="..\\__Libraries\\StellaOps.Scanner.Surface.Env\\StellaOps.Scanner.Surface.Env.csproj" />
<PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection" />
<PackageReference Include="Microsoft.Extensions.Http" />
<PackageReference Include="Microsoft.Extensions.Logging" />
</ItemGroup>
</Project>


@@ -2,10 +2,12 @@ using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.IO;
using System.Text.Encodings.Web;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Threading;
using System.Threading.Tasks;
using StellaOps.Canonical.Json;
using StellaOps.Cryptography;
using StellaOps.Scanner.Surface.FS;
@@ -16,7 +18,8 @@ internal sealed class SurfaceManifestWriter
private static readonly JsonSerializerOptions ManifestSerializerOptions = new(JsonSerializerDefaults.Web)
{
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
WriteIndented = false
WriteIndented = false,
Encoder = JavaScriptEncoder.Default
};
private readonly TimeProvider _timeProvider;
@@ -54,7 +57,7 @@ internal sealed class SurfaceManifestWriter
? null
: options.ComponentVersion.Trim();
var workerInstance = string.IsNullOrWhiteSpace(options.WorkerInstance)
? Environment.MachineName
? component
: options.WorkerInstance.Trim();
var attempt = options.Attempt <= 0 ? 1 : options.Attempt;
var scanId = string.IsNullOrWhiteSpace(options.ScanId)
@@ -129,7 +132,7 @@ internal sealed class SurfaceManifestWriter
Artifacts = orderedArtifacts
};
var manifestBytes = JsonSerializer.SerializeToUtf8Bytes(manifestDocument, ManifestSerializerOptions);
var manifestBytes = CanonJson.Canonicalize(manifestDocument, ManifestSerializerOptions);
var manifestDigest = SurfaceCasLayout.ComputeDigest(_hash, manifestBytes);
var manifestKey = SurfaceCasLayout.BuildObjectKey(rootPrefix, SurfaceCasKind.Manifest, manifestDigest);
var manifestPath = await SurfaceCasLayout.WriteBytesAsync(cacheRoot, manifestKey, manifestBytes, cancellationToken).ConfigureAwait(false);