Refactor code structure and optimize performance across multiple modules

StellaOps Bot
2025-12-26 20:03:22 +02:00
parent c786faae84
commit b4fc66feb6
3353 changed files with 88254 additions and 1590657 deletions

@@ -0,0 +1,12 @@
source "https://rubygems.org"
git "https://github.com/example/git-gem.git", branch: "main" do
gem "git-gem"
end
gem "httparty", "~> 0.21.0"
path "../vendor/path-gem" do
gem "path-gem", "~> 2.1"
end

@@ -0,0 +1,31 @@
GIT
remote: https://github.com/example/git-gem.git
revision: 0123456789abcdef0123456789abcdef01234567
branch: main
specs:
git-gem (0.5.0)
PATH
remote: vendor/plugins/path-gem
specs:
path-gem (2.1.3)
rake (~> 13.0)
GEM
remote: https://rubygems.org/
specs:
httparty (0.21.0)
multi_xml (~> 0.5)
multi_xml (0.6.0)
rake (13.1.0)
PLATFORMS
ruby
DEPENDENCIES
git-gem!
httparty (~> 0.21.0)
path-gem (~> 2.1)!
BUNDLED WITH
2.5.10
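
Review bot: The `PATH` block's `remote: vendor/plugins/path-gem` does not match the Gemfile added in this commit, which declares `path "../vendor/path-gem"`, so this lockfile is not what Bundler would produce for that Gemfile. If the divergence is deliberate, to exercise the analyzer's lockfile parsing independently of the Gemfile, say so in a fixture note; otherwise align the two paths.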

@@ -0,0 +1,7 @@
require "git-gem"
require "path-gem"
require "httparty"
puts GitGem.version
puts PathGem::Runner.new.perform
puts HTTParty.get("https://example.invalid")

@@ -0,0 +1,130 @@
[
{
"analyzerId": "ruby",
"componentKey": "purl::pkg:gem/git-gem@0.5.0",
"purl": "pkg:gem/git-gem@0.5.0",
"name": "git-gem",
"version": "0.5.0",
"type": "gem",
"usedByEntrypoint": true,
"metadata": {
"capability.net": "true",
"declaredOnly": "true",
"groups": "default",
"lockfile": "Gemfile.lock",
"runtime.entrypoints": "app/main.rb",
"runtime.files": "app/main.rb",
"runtime.reasons": "require-static",
"runtime.used": "true",
"source": "git:https://github.com/example/git-gem.git@0123456789abcdef0123456789abcdef01234567"
},
"evidence": [
{
"kind": "file",
"source": "Gemfile.lock",
"locator": "Gemfile.lock"
}
]
},
{
"analyzerId": "ruby",
"componentKey": "purl::pkg:gem/httparty@0.21.0",
"purl": "pkg:gem/httparty@0.21.0",
"name": "httparty",
"version": "0.21.0",
"type": "gem",
"usedByEntrypoint": true,
"metadata": {
"capability.net": "true",
"declaredOnly": "true",
"groups": "default",
"lockfile": "Gemfile.lock",
"runtime.entrypoints": "app/main.rb",
"runtime.files": "app/main.rb",
"runtime.reasons": "require-static",
"runtime.used": "true",
"source": "https://rubygems.org/"
},
"evidence": [
{
"kind": "file",
"source": "Gemfile.lock",
"locator": "Gemfile.lock"
}
]
},
{
"analyzerId": "ruby",
"componentKey": "purl::pkg:gem/multi_xml@0.6.0",
"purl": "pkg:gem/multi_xml@0.6.0",
"name": "multi_xml",
"version": "0.6.0",
"type": "gem",
"usedByEntrypoint": false,
"metadata": {
"capability.net": "true",
"declaredOnly": "true",
"groups": "default",
"lockfile": "Gemfile.lock",
"source": "https://rubygems.org/"
},
"evidence": [
{
"kind": "file",
"source": "Gemfile.lock",
"locator": "Gemfile.lock"
}
]
},
{
"analyzerId": "ruby",
"componentKey": "purl::pkg:gem/path-gem@2.1.3",
"purl": "pkg:gem/path-gem@2.1.3",
"name": "path-gem",
"version": "2.1.3",
"type": "gem",
"usedByEntrypoint": true,
"metadata": {
"artifact": "vendor/cache/path-gem-2.1.3.gem",
"capability.net": "true",
"declaredOnly": "false",
"groups": "default",
"lockfile": "Gemfile.lock",
"runtime.entrypoints": "app/main.rb",
"runtime.files": "app/main.rb",
"runtime.reasons": "require-static",
"runtime.used": "true",
"source": "vendor-cache"
},
"evidence": [
{
"kind": "file",
"source": "path-gem-2.1.3.gem",
"locator": "vendor/cache/path-gem-2.1.3.gem"
}
]
},
{
"analyzerId": "ruby",
"componentKey": "purl::pkg:gem/rake@13.1.0",
"purl": "pkg:gem/rake@13.1.0",
"name": "rake",
"version": "13.1.0",
"type": "gem",
"usedByEntrypoint": false,
"metadata": {
"capability.net": "true",
"declaredOnly": "true",
"groups": "default",
"lockfile": "Gemfile.lock",
"source": "https://rubygems.org/"
},
"evidence": [
{
"kind": "file",
"source": "Gemfile.lock",
"locator": "Gemfile.lock"
}
]
}
]
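
Review bot: The `path-gem` entry records `"source": "vendor-cache"` with an artifact at `vendor/cache/path-gem-2.1.3.gem`, while the lockfile in this commit lists the gem under `PATH` with `remote: vendor/plugins/path-gem`; the expected output should make clear which provenance wins and why the PATH remote is dropped. Separately, `"capability.net": "true"` appears on every component, including `rake` and `multi_xml` with `"usedByEntrypoint": false`; if the capability is detected application-wide, attributing it to each package overstates their individual network exposure, so consider scoping it to the gems the entrypoint actually requires.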

@@ -0,0 +1,52 @@
# CERT-Bund Offline Kit Seed Data
This directory stores **offline snapshots** for the CERT-Bund connector.
The artefacts mirror the public JSON search and export endpoints so
airgapped deployments can hydrate the connector without contacting the
portal.
> ⚠️ **Distribution notice** CERT-Bund advisories are published by BSI
> (Federal Office for Information Security, Germany). Review the portal
> terms of use before redistributing the snapshots. Always keep the JSON
> payloads and accompanying SHA-256 sums together.
## Recommended layout
```
seed-data/cert-bund/
├── search/ # paginated search JSON files
│   ├── certbund-search-page-00.json
│   └── …
├── export/ # yearly export JSON files
│   ├── certbund-export-2014.json
│   └── …
├── manifest/
│   └── certbund-offline-manifest.json
└── certbund-offline-manifest.sha256
```
Use `certbund-offline-manifest.json` to feed the Offline Kit build: every
entry contains `source`, `from`, `to`, `sha256`, `capturedAt`, and the
relative file path. The manifest is deterministic when regenerated with
the tooling described below.
## Tooling
Run the helper under `src/Tools/` to capture fresh snapshots or regenerate
the manifest:
```
python src/Tools/certbund_offline_snapshot.py --output seed-data/cert-bund
```
See the connector operations guide
(`docs/modules/concelier/operations/connectors/certbund.md`) for detailed usage,
including how to provide cookies/tokens when the portal requires manual
authentication.
## Git hygiene
- JSON payloads and checksums are **ignored by Git**. Generate them
locally when preparing an Offline Kit bundle.
- Commit documentation, scripts, and manifest templates only never the
exported advisory data itself.
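
Review bot: "The manifest is deterministic when regenerated" sits uneasily with each entry carrying `capturedAt`: a capture timestamp changes with every fresh snapshot, so state whether determinism holds only when the manifest is rebuilt from already captured files. The layout also shows a single `certbund-offline-manifest.sha256` while the distribution notice asks to keep payloads and SHA-256 sums together; document what that file covers and the verification step the Offline Kit build runs before an air-gapped connector is hydrated.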

@@ -0,0 +1,3 @@
{"_id":"obs-nvd-0001","tenant":"demo","advisoryId":"ADV-2025-0001","provider":"nvd","source":"https://nvd.nist.gov/vuln/detail/CVE-2025-1000","ingestedAt":"2025-11-12T00:00:00Z","chunk":{"vulnerabilityId":"CVE-2025-1000","status":"affected","description":"Example advisory text","severity":"high","references":["https://example.org/advisory/CVE-2025-1000"]}}
{"_id":"obs-ghsa-0001","tenant":"demo","advisoryId":"ADV-2025-0002","provider":"ghsa","source":"https://github.com/advisories/GHSA-aaaa-bbbb-cccc","ingestedAt":"2025-11-12T00:00:00Z","chunk":{"vulnerabilityId":"CVE-2025-1000","status":"not_affected","justification":"component_not_present","notes":"GHSA reports false positive for this package version","references":["https://github.com/org/repo/security/advisories/GHSA-aaaa-bbbb-cccc"]}}
{"_id":"obs-osv-0001","tenant":"demo","advisoryId":"ADV-2025-0003","provider":"osv","source":"https://osv.dev/vulnerability/OSV-2025-0003","ingestedAt":"2025-11-12T00:00:00Z","chunk":{"vulnerabilityId":"CVE-2025-2000","status":"under_investigation","references":["https://osv.dev/vulnerability/OSV-2025-0003"]}}

@@ -0,0 +1,2 @@
{"_id":"lnm-linkset-0001","tenant":"demo","linksetId":"CVE-2025-1000:pkg:maven/org.example/app@1.2.3","vulnerabilityId":"CVE-2025-1000","purl":"pkg:maven/org.example/app@1.2.3","statuses":["affected","not_affected"],"providers":["nvd","ghsa"],"conflicts":[{"providerId":"nvd","status":"affected"},{"providerId":"ghsa","status":"not_affected","justification":"component_not_present"}],"observations":["obs-nvd-0001","obs-ghsa-0001"],"createdAt":"2025-11-12T00:00:00Z"}
{"_id":"lnm-linkset-0002","tenant":"demo","linksetId":"CVE-2025-2000:pkg:npm/example/app@4.5.6","vulnerabilityId":"CVE-2025-2000","purl":"pkg:npm/example/app@4.5.6","statuses":["under_investigation"],"providers":["osv"],"conflicts":[],"observations":["obs-osv-0001"],"createdAt":"2025-11-12T00:00:00Z"}
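
Review bot: `lnm-linkset-0001` is keyed on `pkg:maven/org.example/app@1.2.3`, but the observations it references (`obs-nvd-0001`, `obs-ghsa-0001`) carry no purl or package field in the companion fixture, so nothing in the sample data justifies the link; the same holds for `lnm-linkset-0002` and `obs-osv-0001`. Add the package coordinates to the observation chunks or note where the purl is derived from. `statuses` and `conflicts` also repeat the same status values, so a test should assert they stay consistent.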

@@ -0,0 +1,72 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.0",
"cveMetadata": {
"cveId": "CVE-2024-0001",
"assignerShortName": "ExampleOrg",
"state": "PUBLISHED",
"dateReserved": "2024-01-01T00:00:00Z",
"datePublished": "2024-09-10T12:00:00Z",
"dateUpdated": "2024-09-15T12:00:00Z"
},
"containers": {
"cna": {
"title": "Example Product Remote Code Execution",
"descriptions": [
{
"lang": "en",
"value": "An example vulnerability allowing remote attackers to execute arbitrary code."
}
],
"affected": [
{
"vendor": "ExampleVendor",
"product": "ExampleProduct",
"platform": "linux",
"defaultStatus": "affected",
"versions": [
{
"status": "affected",
"version": "1.0.0",
"lessThan": "1.2.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.2.0",
"versionType": "semver"
}
]
}
],
"references": [
{
"url": "https://example.com/security/advisory",
"name": "Vendor Advisory",
"tags": [
"vendor-advisory"
]
},
{
"url": "https://cve.example.com/CVE-2024-0001",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
}
}
],
"aliases": [
"GHSA-xxxx-yyyy-zzzz"
]
}
}
}
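
Review bot: In `affected[0]`, `"defaultStatus": "affected"` combined with an exact `unaffected` entry for `1.2.0` leaves every release after 1.2.0 (1.2.1, for example) resolving to affected, which is unlikely to be the intent of a "fixed in 1.2.0" fixture. Set `defaultStatus` to `unaffected` or express the fix as a range. The record also omits `providerMetadata` and `assignerOrgId`, which the CVE-2024-4567 fixture in this commit includes, and uses `platform` and `aliases` keys that fixture does not; note in the test whether this file is meant to exercise lenient parsing.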

@@ -0,0 +1,147 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"cveMetadata": {
"cveId": "CVE-2024-4567",
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"state": "PUBLISHED",
"assignerShortName": "Wordfence",
"dateReserved": "2024-05-06T19:34:14.071Z",
"datePublished": "2024-05-09T20:03:38.213Z",
"dateUpdated": "2024-08-01T20:47:40.724Z"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence",
"dateUpdated": "2024-05-09T20:03:38.213Z"
},
"affected": [
{
"vendor": "themifyme",
"product": "Themify Shortcodes",
"versions": [
{
"version": "*",
"status": "affected",
"lessThanOrEqual": "2.0.9",
"versionType": "semver"
}
],
"defaultStatus": "unaffected"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Themify Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's themify_button shortcode in all versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"title": "Themify Shortcodes <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via themify_button Shortcode",
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c63ff9d7-6a14-4186-8550-4e5c50855e7f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3082885/themify-shortcodes"
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"baseScore": 6.4,
"baseSeverity": "MEDIUM"
}
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"timeline": [
{
"time": "2024-05-06T00:00:00.000+00:00",
"lang": "en",
"value": "Vendor Notified"
},
{
"time": "2024-05-08T00:00:00.000+00:00",
"lang": "en",
"value": "Disclosed"
}
]
},
"adp": [
{
"title": "CISA ADP Vulnrichment",
"metrics": [
{
"other": {
"type": "ssvc",
"content": {
"id": "CVE-2024-4567",
"role": "CISA Coordinator",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"version": "2.0.3",
"timestamp": "2024-05-11T16:56:12.695905Z"
}
}
}
],
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2024-06-04T17:54:44.162Z"
}
},
{
"providerMetadata": {
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE",
"dateUpdated": "2024-08-01T20:47:40.724Z"
},
"title": "CVE Program Container",
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c63ff9d7-6a14-4186-8550-4e5c50855e7f?source=cve",
"tags": [
"x_transferred"
]
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3082885/themify-shortcodes",
"tags": [
"x_transferred"
]
}
]
}
]
}
}
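
Review bot: The `versions` entry uses `"version": "*"` as the lower bound together with `"versionType": "semver"` and `"lessThanOrEqual": "2.0.9"`, and `*` is not a parseable semver value; the test consuming this fixture should pin how the connector interprets it (all versions up to and including 2.0.9) rather than rely on a parser default. The two reference URLs are repeated in the CVE Program container with the `x_transferred` tag, so the expected output should also assert whether they are de-duplicated.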

@@ -0,0 +1,19 @@
{
"currentEventId": "3ac1f4ef-3c26-4b0d-91d4-6a6d3a5bde10",
"cycleHash": "1a61c14efc1aceaed7d2574d2054475b2683a3bfc81103585070ef560b15bd02",
"explainRef": "explain://tenant-a/findings/3ac1f4ef",
"findingId": "artifact:sha256:3f1e2d9c7b1a0f6534d1b6f998d7a5c3ef9e0ab92f4c1d2e3f5a6b7c8d9e0f1a|pkg:cpe:/o:vendor:product",
"labels": {
"kev": true,
"runtime": "exposed"
},
"policyVersion": "sha256:5f38c7887d4a4bb887ce89c393c7a2e23e6e708fda310f9f3ff2a2a0b4dffbdf",
"severity": 6.7,
"status": "triaged",
"tenantId": "tenant-a",
"updatedAt": "2025-11-03T15:12:05.456Z",
"policyRationale": [
"explain://tenant-a/findings/3ac1f4ef",
"policy://tenant-a/policy-v1/rationale/accepted"
]
}
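
Review bot: `policyRationale` is appended after `updatedAt` while every other key is in alphabetical order, which suggests the field was added by hand after the fixture was generated. If `cycleHash` is computed over a canonical serialization of this projection, regenerate the fixture so the hash is known to cover the new field. `findingId` also ends in `pkg:cpe:/o:vendor:product`, which mixes a purl-style prefix with a CPE URI; confirm that is the intended component key format.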

@@ -0,0 +1,42 @@
{
"event": {
"actor": {
"id": "user:alice@tenant",
"type": "operator"
},
"artifactId": "sha256:3f1e2d9c7b1a0f6534d1b6f998d7a5c3ef9e0ab92f4c1d2e3f5a6b7c8d9e0f1a",
"chainId": "5fa2b970-9da2-4ef4-9a63-463c5d98d3cc",
"eventHash": "05332adf4298733a243968c40c7aeb4215dae48c52af9a5316374eacc9b30d45",
"finding": {
"artifactId": "sha256:3f1e2d9c7b1a0f6534d1b6f998d7a5c3ef9e0ab92f4c1d2e3f5a6b7c8d9e0f1a",
"id": "artifact:sha256:3f1e2d9c7b1a0f6534d1b6f998d7a5c3ef9e0ab92f4c1d2e3f5a6b7c8d9e0f1a|pkg:cpe:/o:vendor:product",
"vulnId": "CVE-2025-1234"
},
"id": "3ac1f4ef-3c26-4b0d-91d4-6a6d3a5bde10",
"occurredAt": "2025-11-03T15:12:05.123Z",
"payload": {
"justification": "Ticket SEC-1234 created",
"previousStatus": "affected",
"status": "triaged",
"ticket": {
"id": "SEC-1234",
"url": "https://tracker.example/sec-1234"
},
"rationaleRefs": [
"explain://tenant-a/findings/3ac1f4ef"
]
},
"policyVersion": "sha256:5f38c7887d4a4bb887ce89c393c7a2e23e6e708fda310f9f3ff2a2a0b4dffbdf",
"previousHash": "0000000000000000000000000000000000000000000000000000000000000000",
"recordedAt": "2025-11-03T15:12:06.001Z",
"sequence": 42,
"sourceRunId": "8f89a703-94cd-4e9d-8a75-2f407c4bee7f",
"tenant": "tenant-a",
"type": "finding.status_changed"
},
"hashes": {
"eventHash": "05332adf4298733a243968c40c7aeb4215dae48c52af9a5316374eacc9b30d45",
"merkleLeafHash": "a2ad094e2e2064a29de8b93710d97645401d7690e920e866eef231790c5200be",
"previousHash": "0000000000000000000000000000000000000000000000000000000000000000"
}
}
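
Review bot: `"previousHash"` is all zeros, which reads as a genesis marker, while `"sequence"` is 42; a verifier that checks chain linkage would expect the hash of the preceding event here. Either set `sequence` to the first value in the chain or supply a non-zero `previousHash`, and state which case the fixture is testing. `payload.rationaleRefs` also sits out of key order after `ticket`, so confirm `eventHash` and `merkleLeafHash` were recomputed after it was added.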

@@ -0,0 +1,19 @@
# CISA ICS Advisory Seed Data
This directory is reserved for **seed data** sourced from the community-maintained [ICS Advisory Project](https://github.com/icsadvprj/ICS-Advisory-Project). The project republishes CISA ICS advisories under the **Open Database License (ODbL) v1.0**. StellaOps uses these CSV snapshots to bootstrap offline environments before the official GovDelivery credentials arrive.
> ⚠️ **Licence notice** By downloading and using the CSV files you agree to the ODbL requirements (attribution, share-alike, and notice preservation). See [`LICENSE-ODBL.md`](https://github.com/icsadvprj/ICS-Advisory-Project/blob/main/LICENSE.md) for the full text.
## Usage
1. Run `scripts/fetch-ics-cisa-seed.sh` (or the PowerShell variant) to download the latest snapshots into this directory.
2. The files are ignored by Git to avoid committing third-party data; include them explicitly when building an Offline Update Kit.
3. When you later switch to live GovDelivery ingestion, keep the CSVs around as historical fixtures—do **not** treat them as an authoritative source once the live connector is enabled.
### Suggested Artefacts
- `CISA_ICS_ADV_Master.csv` cumulative advisory dataset (2010 → present)
- `CISA_ICS_ADV_<YYYY_MM_DD>.csv` point-in-time snapshots
- `ICSMA_CSV_<YYYY>.xlsx` medical device advisories (optional, sourced from the community mirror)
Keep the generated SHA-256 files alongside the CSVs so Offline Kit packaging can verify integrity.
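
Review bot: The closing line asks to keep "the generated SHA-256 files" next to the CSVs, but the Usage steps never say what generates them or when they are checked. Because the data comes from a community mirror, hashes computed locally after download only show the kit was not altered afterwards, not that the download matched upstream; document the generation step and consider recording the upstream commit that was fetched. The licence link is also labelled `LICENSE-ODBL.md` but targets `LICENSE.md`.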

@@ -0,0 +1,34 @@
# KISA Offline Detail Capture (2025-11-03)
This directory contains HTML snapshots of the KISA/KNVD advisory detail pages (`detailDos.do?IDX=...`).
## Capture notes
- Captured: 2025-11-03T22:53:00Z from `https://knvd.krcert.or.kr/rss/securityInfo.do`.
- Detail API `rssDetailData.do` now returns an HTML error page; the SPA embeds the full advisory content in `detailDos.do`.
- Each file under `html/` corresponds to the RSS item `IDX` and preserves the original Korean content and table layout.
- User agent: `Mozilla/5.0 (compatible; StellaOpsOffline/1.0)`.
- No authentication was required; cookies set during the HTML fetch are not needed for static page capture.
## Regeneration
```bash
python scripts/kisa_capture_html.py --out seed-data/kisa/html
```
(See `scripts/kisa_capture_html.py` for exact implementation; it parses the RSS feed, walks each `IDX`, and writes `IDX.html` alongside a sha256 manifest.)
## sha256 manifest
| IDX | sha256 |
| --- | --- |
| 5859 | 8a31a530b3e4d4ce356fc18d561028a41320b27ed398abdb8e7ec2b0b5c693fe |
| 5860 | 74013ef35a76cd0c44c2e17cac9ecf51095e64fd7f9a9436460d0e0b10526af3 |
| 5861 | 1d95c34b76dc9d5be5cbc0b8fdc9d423dd5cc77cb0fc214534887dc444ef9a45 |
| 5862 | 93ae557286b4ee80ae26486c13555e1fda068dcc13d440540757a7d53166457e |
| 5863 | ee3c81915e99065021b8bb1a601144e99af196140d92859049cea1c308547859 |
| 5864 | 6f84dc5f1bb4998d9af123f7ddc8912b47cdc1acf816d41ff0e1ad281d31fa2f |
| 5865 | d5e60ea3a80307f797721a988bed609c99587850e59bc125d287c8e8db85b0ec |
| 5866 | a6f332315324fb268adad214bba170e81c56db6afdb316bafdd18fb9defbe721 |
| 5867 | 4245dbf6c03a27d6bdf1d7b2651e9e7a05ad1bc027c2f928edb3bf3e58a62b20 |
| 5868 | 316c1476589a51e57914186373bfd0394e3d0a8ae64a2c9c16a1d8bdfe941fa9 |
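
Review bot: The sha256 table hard-codes per-`IDX` hashes in the README even though the Regeneration note says the script writes its own sha256 manifest alongside the HTML files, so the two will drift on the next capture. Point to the generated manifest instead, or state that this table is the pinned reference for the 2025-11-03 capture and that Offline Kit packaging must fail on a mismatch. Since the pages are fetched as rendered HTML, also note whether a re-capture of the same `IDX` is expected to reproduce the same hash.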