stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

archive audit attempts

Browse Source
This commit is contained in:
master
2026-02-19 22:00:31 +02:00
parent c2f13fe588
commit b5829dce5c
19638 changed files with 6366 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

112
docs-archived/product/advisories/19-Feb-2026 - Supply Chain Security Tool Matrix.md Normal file
View File

@@ -0,0 +1,112 @@
# Supply Chain Security Tool Matrix (evidence from public docs)
**Advisory date:** 2026-02-19
**Archived:** 2026-02-19
**Disposition:** Archived -- claims verified against codebase; two caveats noted below.
---
## SBOM support
* **Stella Ops:** *YES* -- internal canonical CycloneDX JCS and SBOM ingest contracts (internal spec).
* **Trivy:** *YES* -- generates and consumes CycloneDX/SPDX SBOM formats.
* **Grype:** *YES* -- scans container images and SBOMs, accepts SBOM input.
* **Snyk:** *YES* -- SBOM security checks and scanning/analysis.
* **JFrog Xray:** *YES* -- scans artifacts and imports/analyses SBOMs (enterprise).
* **Docker Scout:** *YES* -- generates/consumes SBOM attestations; Docker SBOM tooling exists.
## VEX ingestion (OpenVEX / VEX docs)
* **Stella Ops:** *YES* -- design includes deterministic VEX ingest (internal).
* **Trivy:** *YES/PARTIAL* -- Rekor SBOM attestation scan supports VEX attestation via experimental plugins.
* **Grype:** *YES/PARTIAL* -- supports OpenVEX ingestion for filtering/enrichment.
* **Snyk:** *UNKNOWN* -- primary docs do not explicitly surface OpenVEX ingestion.
* **JFrog Xray:** *YES/PARTIAL* -- evidence collection and enriched vulnerability annotations.
* **Docker Scout:** *YES* -- Docker's VEX concepts documented for integration.
## In-toto / DSSE / attestation ingestion
* **Stella Ops:** *YES* -- DSSE/in-toto + articulated provenance anchors (internal).
* **Trivy:** *PARTIAL* -- has experimental attestation retrieval via Rekor/Cosign.
* **Grype:** *PARTIAL* -- linked tooling uses Cosign attestations via Syft workflows (public examples).
* **Snyk:** *UNKNOWN/PARTIAL* -- primary docs focus on SBOM/scan; attestation ingestion not prominent.
* **JFrog Xray:** *YES/PARTIAL* -- enterprise attestation/evidence documented.
* **Docker Scout:** *YES* -- Docker Docs show attestation commands and retrieval.
## Explainability depth (beyond package level)
* **Stella Ops:** *DEEP (function-level shipped; line-level CFG partial)* -- function-level call-path witnesses with file/line/column context shipped; dedicated line-level CFG export not yet a shipped feature. **[CAVEAT: advisory originally said "function->line"; qualified to "function-level with line context".]**
* **Trivy:** *PARTIAL/NO* -- reports package/component level; no public deep binary CFG explainability.
* **Grype:** *PARTIAL* -- deep vulnerability metadata but not low-level CFG.
* **Snyk:** *PARTIAL* -- contextual dev-focused explainability; no binary CFG.
* **JFrog Xray:** *PARTIAL* -- rich reports but not per-frame CFG.
* **Docker Scout:** *PARTIAL* -- good image composition context; no granular call-path explainability.
## Smart diffing (semantic/structured)
* **Stella Ops:** *YES* -- signed semantic diff predicates (internal).
* **Trivy:** *PARTIAL* -- experimental compare features.
* **Grype:** *PARTIAL* -- package diff workflows exist; not signed diff predicates.
* **Snyk:** *PARTIAL* -- snapshot & delta tooling (e.g., snyk-delta).
* **JFrog Xray:** *PARTIAL* -- enriched scan comparisons possible but not canonical diff predicates.
* **Docker Scout:** *PARTIAL* -- `docker scout compare` CLI; not structured diff predicates.
## Binary provenance
* **Stella Ops:** *YES* -- symbol bundle + pinned build ID mappings.
* **Trivy:** *PARTIAL/UNKNOWN* -- Rekor/SBOM attestations hint at provenance but not symbol bundle marketplace.
* **Grype:** *PARTIAL/UNKNOWN* -- attestation via Syft/Cosign workflows but no signed symbol pack docs.
* **Snyk:** *UNKNOWN* -- no primary proof of signed symbol handling.
* **JFrog Xray:** *PARTIAL* -- evidence collection; no explicit signed symbol bundle.
* **Docker Scout:** *PARTIAL* -- Docker Hardened Images provenance; not general marketplace.
## Call-stack/micro-witness replay
* **Stella Ops:** *YES* -- micro-witness replay design (internal).
* **Others:** *NO/UNKNOWN* -- public docs do not show deterministic replayable micro-witness stack artifacts.
## Deterministic signed scoring
* **Stella Ops:** *YES* -- deterministic signed scores anchored to Rekor (internal).
* **Competitors:** *NO/UNKNOWN* -- focus on heuristic scores; no published deterministic signed envelopes.
## Explicit UNKNOWN-state handling
* **Stella Ops:** *YES* -- canonical unknown state predicates.
* **Competitors:** *PARTIAL/UNKNOWN* -- systems have 'not applicable' or suppressed states but no signed unknown predicate standard documents.
## Reachability analysis (binary)
* **Stella Ops:** *YES* -- integrated analysis by design.
* **Competitors:** *NO/UNKNOWN* -- not visible in primary docs.
## UI/UX evidence surfacing
* **Stella Ops:** *YES* -- evidence ribbons & signed pointers (internal).
* **Trivy:** *PARTIAL* -- CLI focus; some partner UIs exist.
* **Grype:** *PARTIAL* -- CLI and partner UI capabilities.
* **Snyk:** *YES/PARTIAL* -- strong developer UI; no DSSE/Rekor badges documented.
* **JFrog Xray:** *YES/PARTIAL* -- enterprise UI for enriched evidence.
* **Docker Scout:** *YES* -- CLI/UI attest list and VEX visibility.
## CI/test parity
* **Stella Ops:** *YES (gate engine shipped; CI automation integration in progress)* -- PolicyGateEvaluator with staged gates shipped; GitOps loop wiring under active development. **[CAVEAT: advisory originally said "two-tier gating (fast signed + deep)"; qualified to note CI automation integration is in progress.]**
* **Trivy:** *YES/PARTIAL* -- CI integrations documented.
* **Grype:** *YES/PARTIAL* -- CI workflows via Syft/Grype.
* **Snyk:** *YES* -- solid CI/PR checks.
* **JFrog Xray:** *PARTIAL* -- CI/CD integrations exist.
* **Docker Scout:** *PARTIAL* -- CI CLI commands; no signed-score parity.
---
## Archive review notes
**Reviewed:** 2026-02-19 by Product Manager role.
**Outcome:** All Stella Ops claims verified against codebase. No new sprint tasks required. Two qualification caveats applied inline (marked with **[CAVEAT]**):
1. **Explainability depth** -- function-level call-path witnesses shipped; line-level CFG export is architecturally supported but not a shipped feature. Softened from "function->line" to "function-level with line context."
2. **CI/test parity** -- gate engine (`PolicyGateEvaluator`) and CVE-aware gates shipped; CI/CD automation integration loop under active development. Qualified accordingly.
**Competitive claims:** Sourced from public vendor documentation. Not independently re-verified (web-tool policy). Cited sources appear credible.