feat: Implement vulnerability token signing and verification utilities
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled

- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.
This commit is contained in: master
2025-11-03 10:02:29 +02:00
parent bf2bf4b395
commit b1e78fe412
215 changed files with 19441 additions and 12185 deletions

@@ -0,0 +1,48 @@
# macOS Package Ecosystem — Coverage Deep Dive
## Competitor snapshot
- **Trivy**: Official coverage tables list only Linux distributions (Alpine/Wolfi, Debian/Ubuntu, RHEL family, SUSE, Photon, Amazon, Bottlerocket). No analyzer exists for Homebrew, Mac App Store receipts, or `.app` bundles.
- **Grype**: Mirrors Syft catalogers that target Linux package managers; no matchers for Homebrew formulae, pkgutil receipts, or macOS frameworks.
- **Snyk CLI**: Container and open-source scans are routed through the SaaS backend; macOS host package analysis is not advertised or documented.
## Proposed StellaOps roadmap
See also: `../../modules/scanner/design/macos-analyzer.md` for the in-depth design brief.
1. **Homebrew cellar collector**
- Parse `/usr/local/Cellar` and `/opt/homebrew/Cellar` manifest files plus taps metadata to enumerate installed formulae/casks.
- Normalize tap origin, version, revision, and bottle source; map to `pkg:brew/{tap}/{name}@{version}` PURLs.
2. **System receipt inventory**
- Use `pkgutil --pkgs --pkg-info-plist` style parsing against `/var/db/receipts/*.bom` to capture Apple installer packages and third-party pkg receipts.
- Record CFBundleIdentifier, install timestamps, and BOM file hashes to feed deterministic provenance.
3. **Application bundle inspection**
- Scan `/Applications`, `/System/Applications`, and `/Users/*/Applications` for `.app` bundles.
- Extract Info.plist data (bundle id/version), embedded frameworks, entitlements, and code signing certificates.
4. **Policy alignment**
- Emit capability hints (network, TCC categories) for Policy Engine gating.
- Provide allow lists for signed Apple system components versus third-party apps.
5. **Offline parity**
- Mirror Homebrew tap metadata snapshots and entitlements schema inside Offline Kit.
- Package notarization certificate bundles and CRL/OCSP cache guidance for air-gapped verification.
## Detection technique comparison
| Technique | Artifacts | Merge strategy | Notes |
| --- | --- | --- | --- |
| Homebrew cellar parsing | Cellar manifests, `INSTALL_RECEIPT.json`, tap metadata | Produce per-formula component records keyed by tap + version; merge duplicates by canonical tap origin; attach bottle SHA256 for provenance. | Requires tap snapshot to ensure deterministic version resolution. |
| pkgutil receipt parsing | `/var/db/receipts/*.plist` + `.bom` files | Build component entries for Apple/third-party installer packages; merge with bundle evidence when matching CFBundleIdentifier. | Provides authoritative install-time metadata including install source. |
| `.app` bundle inspection | Info.plist, CodeResources, entitlements, embedded frameworks | Emit capability records (e.g., `tcc.camera`, `network.client`); merge with receipts when bundle id matches. | Must preserve signing chain and team identifier; store hash of CodeDirectory. |
| Launch daemon/service mapping | `/Library/LaunchDaemons`, `/Library/LaunchAgents`, `launchctl print` exports | (Planned) Attach runtime usage hints for Policy Engine and EntryTrace cross-module alignment. | Helps differentiate dormant apps from active services. |
| Competitor baseline | — | No competitor evidence to merge; Trivy/Grype/Snyk lack macOS analyzers. | Presents differentiation opportunity once demand justifies investment. |
## Backlog / coordination
- Keep demand capture in `docs/benchmarks/scanner/windows-macos-demand.md` up to date; once thresholds are met, open:
- `SCANNER-ENG-00xx` (macOS cellar/receipt analyzer design spike).
- `DOCS-SCANNER-BENCH-62-002` (this docs parent task) — exit criteria: demand summary + design scope recommendation.
- Policy task to define macOS capability predicates (entitlements, notarization state).
- Align with Offline Kit guild on notarization/CRL packaging and tap mirroring strategy.
## Open design questions
| Topic | Question | Owner |
| --- | --- | --- |
| Notarization verification | Should scanner verify Apple notarization tickets or delegate to Policy Engine? | Security Guild |
| Entitlement taxonomy | How granular should capability predicates be (per entitlement vs grouped categories)? | Policy Guild |
| User-space scope | Do we scan per-user Homebrew installs and sandboxed app containers? | Scanner Guild |
| Performance | Do we cache receipts/bundle metadata between scans given large `.app` trees? | Scanner + Surface Guilds |
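Review bot: roadmap step 2 ("System receipt inventory") and the "pkgutil receipt parsing" row of the detection table disagree on which receipt artifacts carry the package metadata. The roadmap bullet says to run `pkgutil --pkgs --pkg-info-plist` style parsing against `/var/db/receipts/*.bom`, while the table lists `/var/db/receipts/*.plist` + `.bom` files. The package identifier, version and install time that `--pkg-info-plist` reports live in the receipt `.plist`; the paired `.bom` holds the installed file list and per-file checksums, which is the input the "BOM file hashes" bullet actually needs. Suggest rewording the roadmap bullet to name both sources with their roles, e.g. "parse `/var/db/receipts/*.plist` for package metadata and the paired `.bom` for file manifests and hashes", so both sections describe the same inputs. Minor: roadmap step 3 says the collector extracts code signing certificates, while the `.app` row's Notes column stores only a hash of the CodeDirectory; state which of the two is the persisted evidence so the "preserve signing chain and team identifier" requirement is unambiguous.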