This commit is contained in:
StellaOps Bot
2025-12-09 00:20:52 +02:00
parent 3d01bf9edc
commit bc0762e97d
261 changed files with 14033 additions and 4427 deletions


@@ -1,7 +1,22 @@
# ICSCISA / KISA Feed Provenance Notes (2025-11-19)
# ICSCISA / KISA Feed Provenance Notes (2025-12-08)
- Expected signing: not provided by sources; set `signature=null` and `skip_reason="unsigned"`.
- Hashing: sha256 of raw advisory payload before normalization.
- Expected signing: not provided by sources; record `signature` as `{ status: "missing", reason: "unsigned_source" }`.
- Hashing: sha256 of raw advisory payload before normalization (stored as `payload_sha256` per advisory) and sha256 of run artefacts (`hashes.sha256`).
- Transport: HTTPS; mirror to internal cache; record `fetched_at` UTC and `source_url`.
- Verification: compare hash vs previous run; emit delta report.
- Staleness guard: alert if `fetched_at` >14 days.
## Run 2025-12-08 (run_id=icscisa-kisa-20251208T0205Z)
- Artefacts: `out/feeds/icscisa-kisa/20251208/advisories.ndjson`, `delta.json`, `fetch.log`, `hashes.sha256`.
- Hashes:
- `0844c46c42461b8eeaf643c01d4cb74ef20d4eec8c984ad5e20c49d65dc57deb advisories.ndjson`
- `1273beb246754382d2e013fdc98b11b06965fb97fe9a63735b51cc949746418f delta.json`
- `8fedaa9fb2b146a1ef500b0d2e4c1592ddbc770a8f15b7d03723f8034fc12a75 fetch.log`
- Delta summary: added ICS CISA advisories `ICSA-25-123-01`, `ICSMA-25-045-01`; added KISA advisories `KISA-2025-5859`, `KISA-2025-5860`; no updates or removals; backlog window 60 days; retries 0 for both sources.
- Signature posture: both sources unsigned; all records marked `signature.missing` with reason `unsigned_source`.
- Next actions: maintain weekly cadence; staleness review on 2025-12-21 with refreshed hash manifest and retry histogram.
## CI automation
- Scheduled workflow `.gitea/workflows/icscisa-kisa-refresh.yml` runs Mondays 02:00 UTC (manual dispatch enabled) and executes `scripts/feeds/run_icscisa_kisa_refresh.py` with live fetch + offline fallback.
- Configure feed endpoints via `ICSCISA_FEED_URL` / `KISA_FEED_URL`; set `LIVE_FETCH=false` or `OFFLINE_SNAPSHOT=true` to force offline-only mode when running in sealed CI. Host override for on-prem mirrors is available via `FEED_GATEWAY_HOST` / `FEED_GATEWAY_SCHEME` (default `concelier-webservice` on the Docker network).
- Fetch log traces: `fetch.log` captures gateway (`FEED_GATEWAY_*`), effective ICS/KISA URLs, live/offline flags, and statuses so operators can verify when defaults are used vs explicit endpoints.
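Review bot: the `Hashing` bullet now names `hashes.sha256` as the manifest for run artefacts, but nothing in the notes says how that manifest itself is anchored, and with both sources recorded as unsigned it is the only integrity reference the run has; a sha256 list stored beside the files it covers detects accidental corruption but not replacement of the whole run directory. Suggest a line under `Hashing` or `Verification` stating where the manifest is pinned (committed alongside the run, signed by the CI identity, or cross-checked against the previous run's manifest, which the "compare hash vs previous run" step already implies), and a note that the `Hashes:` list in the run section necessarily omits `hashes.sha256` itself. Two smaller points: the `Signature posture` bullet says records are marked `signature.missing`, while the convention above records `signature` as `{ status: "missing", reason: "unsigned_source" }`, so one spelling (`signature.status = "missing"`) would avoid two names for one schema; and since `Transport: HTTPS` is a stated requirement, the `FEED_GATEWAY_SCHEME` override should document its default and whether a non-HTTPS value is rejected or merely logged in `fetch.log`.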