CD/CD consolidation

This commit is contained in:
StellaOps Bot
2025-12-26 17:32:23 +02:00
parent a866eb6277
commit c786faae84
638 changed files with 3821 additions and 181 deletions

@@ -0,0 +1,219 @@
# SPRINT_20251226_011_BINIDX_known_build_catalog
> **Status:** IN_PROGRESS (17/20)
> **Priority:** P1
> **Module:** BinaryIndex
> **Created:** 2025-12-26
> **Architecture:** [`docs/modules/binaryindex/architecture.md`](../modules/binaryindex/architecture.md)
> **Advisory:** [`26-Dec-2026 - Mapping a Binary Intelligence Graph.md`](../product-advisories/26-Dec-2026%20-%20Mapping%20a%20Binary%20Intelligence%20Graph.md) (SUPERSEDED)
---
## Topic & Scope
Implement the foundational **Known-Build Binary Catalog** - the first MVP tier that enables querying "is this Build-ID vulnerable?" with distro-level precision.
**Goal:** Query binary vulnerability by Build-ID/PE signature with distro-specific accuracy.
**Working directory:** `src/BinaryIndex/`
---
## Documentation Prerequisites
- `docs/modules/binaryindex/architecture.md`
- `docs/db/schemas/binaries_schema_specification.md` (to be created)
- `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/`
---
## Delivery Tracker
| # | Task ID | Status | Depends | Owner | Description |
|---|---------|--------|---------|-------|-------------|
| 1 | BINCAT-01 | DONE | None | BE Guild | Create `binaries` PostgreSQL schema with RLS |
| 2 | BINCAT-02 | DONE | BINCAT-01 | BE Guild | Implement `binary_identity` table and migrations |
| 3 | BINCAT-03 | DONE | BINCAT-01 | BE Guild | Implement `binary_package_map` table for Build-ID → package mapping |
| 4 | BINCAT-04 | DONE | BINCAT-01 | BE Guild | Implement `vulnerable_buildids` table for known-vulnerable binaries |
| 5 | BINCAT-05 | DONE | BINCAT-01 | BE Guild | Implement `corpus_snapshots` table for ingestion tracking |
| 6 | BINCAT-06 | DONE | None | BE Guild | Create `IBinaryIdentityRepository` interface and implementation |
| 7 | BINCAT-07 | DONE | BINCAT-06 | BE Guild | Implement `BinaryIdentityRepository` with PostgreSQL persistence |
| 8 | BINCAT-08 | DONE | None | BE Guild | Enhance `ElfFeatureExtractor` with full Build-ID extraction |
| 9 | BINCAT-09 | DONE | None | BE Guild | Create `PeFeatureExtractor` for Windows PE CodeView GUID extraction |
| 10 | BINCAT-10 | DONE | None | BE Guild | Create `MachoFeatureExtractor` for Mach-O LC_UUID extraction |
| 11 | BINCAT-11 | DONE | None | BE Guild | Finalize `DebianCorpusConnector` implementation |
| 12 | BINCAT-12 | DONE | BINCAT-11 | BE Guild | Implement `DebianMirrorPackageSource` for mirror interaction |
| 13 | BINCAT-13 | DONE | BINCAT-11 | BE Guild | Implement `DebianPackageExtractor` for .deb binary extraction |
| 14 | BINCAT-14 | DONE | BINCAT-11 | BE Guild | Create corpus snapshot persistence in `CorpusSnapshotRepository` |
| 15 | BINCAT-15 | DONE | BINCAT-06,BINCAT-08 | BE Guild | Implement basic `IBinaryVulnerabilityService.LookupByIdentityAsync` |
| 16 | BINCAT-16 | DONE | BINCAT-15 | BE Guild | Implement batch lookup `LookupBatchAsync` for scan performance |
| 17 | BINCAT-17 | DONE | All | BE Guild | Add unit tests for identity extraction (ELF, PE, Mach-O) |
| 18 | BINCAT-18 | TODO | All | BE Guild | Add integration tests with Testcontainers PostgreSQL |
| 19 | BINCAT-19 | TODO | BINCAT-01 | BE Guild | Create database schema specification document |
| 20 | BINCAT-20 | TODO | All | BE Guild | Add OpenTelemetry traces for lookup operations |
**Total Tasks:** 20
---
## Task Details
### BINCAT-01: PostgreSQL Schema with RLS
Create the `binaries` schema with Row-Level Security for tenant isolation.
**Requirements:**
```sql
CREATE SCHEMA IF NOT EXISTS binaries;
CREATE SCHEMA IF NOT EXISTS binaries_app;
-- RLS helper function
CREATE OR REPLACE FUNCTION binaries_app.require_current_tenant()
RETURNS TEXT LANGUAGE plpgsql STABLE SECURITY DEFINER AS $$
DECLARE v_tenant TEXT;
BEGIN
v_tenant := current_setting('app.tenant_id', true);
IF v_tenant IS NULL OR v_tenant = '' THEN
RAISE EXCEPTION 'app.tenant_id session variable not set';
END IF;
RETURN v_tenant;
END;
$$;
```
**Location:** `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Migrations/`
---
### BINCAT-02: binary_identity Table
Store known binary identities with all extraction methods.
**Schema:**
```sql
CREATE TABLE binaries.binary_identity (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id TEXT NOT NULL DEFAULT binaries_app.require_current_tenant(),
binary_key TEXT NOT NULL, -- Canonical key
format TEXT NOT NULL, -- elf, pe, macho
build_id TEXT, -- ELF GNU Build-ID
build_id_type TEXT, -- gnu, go, sha1
pe_codeview_guid TEXT, -- PE CodeView GUID
pe_imphash TEXT, -- PE import hash
macho_uuid TEXT, -- Mach-O LC_UUID
file_sha256 TEXT NOT NULL, -- Whole file hash
text_sha256 TEXT, -- .text section hash
architecture TEXT NOT NULL, -- x86_64, aarch64, etc.
compiler_hint TEXT, -- gcc-13.2, clang-18
source_hint TEXT, -- Package name/version if known
indexed_at TIMESTAMPTZ NOT NULL DEFAULT now(),
UNIQUE (tenant_id, binary_key)
);
ALTER TABLE binaries.binary_identity ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON binaries.binary_identity
USING (tenant_id = binaries_app.require_current_tenant());
```
---
### BINCAT-08: Enhanced ElfFeatureExtractor
Enhance existing `ElfFeatureExtractor` with complete feature extraction.
**Requirements:**
- Extract GNU Build-ID from `.note.gnu.build-id`
- Extract Go Build-ID if present
- Compute `.text` section SHA-256
- Extract DT_NEEDED dynamic dependencies
- Extract exported/imported symbols
- Detect hardening flags (RELRO, PIE, NX, stack canary)
**Existing file:** `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/ElfFeatureExtractor.cs`
---
### BINCAT-09: PeFeatureExtractor
Create PE (Windows) binary feature extractor.
**Requirements:**
- Extract CodeView GUID + Age from debug directory
- Compute import hash (imphash)
- Extract PE timestamp and linker version
- Extract DLL imports
- Detect ASLR/DEP/CFG flags
**Location:** `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/PeFeatureExtractor.cs`
---
### BINCAT-10: MachoFeatureExtractor
Create Mach-O (macOS/iOS) binary feature extractor.
**Requirements:**
- Extract LC_UUID from load commands
- Compute __TEXT section hash
- Extract dylib dependencies
- Detect code signing info
**Location:** `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/MachoFeatureExtractor.cs`
---
### BINCAT-11: DebianCorpusConnector
Finalize the Debian corpus connector for binary ingestion.
**Requirements:**
- Connect to Debian/Ubuntu mirrors
- Fetch package lists for specified releases
- Track snapshot state in `corpus_snapshots` table
- Support incremental updates
**Existing file:** `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Debian/DebianCorpusConnector.cs`
---
## Acceptance Criteria
1. **Schema deployed** with RLS policies active
2. **Build-ID extraction** works for ELF binaries
3. **PE GUID extraction** works for Windows binaries
4. **Mach-O UUID extraction** works for macOS binaries
5. **Debian connector** can ingest packages from mirror
6. **Lookup service** returns matches by Build-ID
7. **Integration tests** pass with Testcontainers
8. **Metrics exported** for lookup latency and counts
---
## Decisions & Risks
| ID | Decision/Risk | Status | Notes |
|----|---------------|--------|-------|
| D1 | Use composite binary_key for canonical identification | DECIDED | Format: `{format}:{arch}:{build_id or hash}` |
| D2 | Store hashes as TEXT not BYTEA | DECIDED | Easier debugging, hex format |
| R1 | Large corpus ingestion may take hours | OPEN | Consider background job with progress tracking |
| R2 | Mirror availability varies by region | OPEN | Support multiple mirror fallbacks |
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-26 | Sprint created from BinaryIndex MVP roadmap. | Project Mgmt |
| 2025-12-26 | Verified existing implementation: Schema (001_create_binaries_schema.sql), repositories, ElfFeatureExtractor, DebianCorpusConnector, BinaryVulnerabilityService (BINCAT-01 to 08, 11-16). | Impl |
| 2025-12-26 | Created PeFeatureExtractor.cs with CodeView GUID extraction, imphash, PE32/PE32+ detection (BINCAT-09). | Impl |
| 2025-12-26 | Created MachoFeatureExtractor.cs with LC_UUID extraction, fat binary support, dylib detection (BINCAT-10). | Impl |
| 2025-12-26 | Updated BinaryMetadata record with PE/Mach-O specific fields. | Impl |
| 2025-12-26 | Created StellaOps.BinaryIndex.Core.Tests project with FeatureExtractorTests.cs covering ELF, PE, and Mach-O extraction and determinism (BINCAT-17). | Impl |
---
## Related Documentation
- [BinaryIndex Architecture](../modules/binaryindex/architecture.md)
- [Scanner Native Analysis](../modules/scanner/analyzers/native.md)
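Review bot: the `binary_identity` schema in BINCAT-02 has no index on `build_id`, although the sprint's headline query is "is this Build-ID vulnerable?" and BINCAT-15/16 implement lookup by identity; the only index created is the one behind `UNIQUE (tenant_id, binary_key)`, so Build-ID, `pe_codeview_guid` and `macho_uuid` lookups will scan the tenant's rows. Suggest adding e.g. `CREATE INDEX idx_binary_identity_build_id ON binaries.binary_identity (tenant_id, build_id);` plus equivalents for the PE and Mach-O identifiers, or have BINCAT-19 state why `binary_key` alone is the lookup path. On the RLS helper in BINCAT-01, `SECURITY DEFINER` gains nothing for reading `current_setting('app.tenant_id', true)` and the function does not pin `search_path`, so either drop `SECURITY DEFINER` or add `SET search_path = pg_catalog, binaries_app`; and since `ENABLE ROW LEVEL SECURITY` does not bind the table owner, the migration should name the non-owner application role or use `FORCE ROW LEVEL SECURITY`. Minor: the Advisory link is dated 26-Dec-2026 while the sprint was created 2025-12-26, which looks like a typo.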

@@ -0,0 +1,240 @@
# SPRINT_20251226_012_BINIDX_backport_handling
> **Status:** COMPLETE
> **Priority:** P1
> **Module:** BinaryIndex
> **Created:** 2025-12-26
> **Depends On:** [`SPRINT_20251226_011_BINIDX_known_build_catalog.md`](./SPRINT_20251226_011_BINIDX_known_build_catalog.md)
> **Architecture:** [`docs/modules/binaryindex/architecture.md`](../modules/binaryindex/architecture.md)
---
## Topic & Scope
Implement **Patch-Aware Backport Handling** - the second MVP tier that handles "version says vulnerable but distro backported the fix" scenarios.
**Goal:** Detect when a distro has backported a security fix without bumping the upstream version.
**Working directory:** `src/BinaryIndex/`
---
## Documentation Prerequisites
- `docs/modules/binaryindex/architecture.md`
- `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.FixIndex/`
- Debian changelog format: https://www.debian.org/doc/debian-policy/ch-source.html#s-dpkgchangelog
- DEP-3 patch header format: https://dep-team.pages.debian.net/deps/dep3/
---
## Delivery Tracker
| # | Task ID | Status | Depends | Owner | Description |
|---|---------|--------|---------|-------|-------------|
| 1 | BACKPORT-01 | DONE | None | BE Guild | Create `cve_fix_index` table for patch-aware fix status |
| 2 | BACKPORT-02 | DONE | BACKPORT-01 | BE Guild | Create `fix_evidence` table for audit trail |
| 3 | BACKPORT-03 | DONE | None | BE Guild | Finalize `DebianChangelogParser` implementation |
| 4 | BACKPORT-04 | DONE | None | BE Guild | Finalize `PatchHeaderParser` for DEP-3 format |
| 5 | BACKPORT-05 | DONE | None | BE Guild | Finalize `AlpineSecfixesParser` for Alpine APKBUILD |
| 6 | BACKPORT-06 | DONE | None | BE Guild | Create `RpmChangelogParser` for RPM spec files |
| 7 | BACKPORT-07 | DONE | None | BE Guild | Create `IFixIndexBuilder` implementation |
| 8 | BACKPORT-08 | DONE | BACKPORT-07 | BE Guild | Implement `FixIndexBuilder.BuildIndexAsync` for Debian |
| 9 | BACKPORT-09 | DONE | BACKPORT-07 | BE Guild | Implement `FixIndexBuilder.BuildIndexAsync` for Alpine |
| 10 | BACKPORT-10 | DONE | BACKPORT-07 | BE Guild | Implement `FixIndexBuilder.BuildIndexAsync` for RPM |
| 11 | BACKPORT-11 | DONE | BACKPORT-01 | BE Guild | Create `IFixIndexRepository` interface |
| 12 | BACKPORT-12 | DONE | BACKPORT-11 | BE Guild | Implement `FixIndexRepository` with PostgreSQL |
| 13 | BACKPORT-13 | DONE | BACKPORT-12 | BE Guild | Add `GetFixStatusAsync` to `IBinaryVulnerabilityService` |
| 14 | BACKPORT-14 | DONE | None | BE Guild | Create `RpmCorpusConnector` for RHEL/Fedora/CentOS |
| 15 | BACKPORT-15 | DONE | BACKPORT-14 | BE Guild | Implement SRPM changelog extraction |
| 16 | BACKPORT-16 | DONE | BACKPORT-05 | BE Guild | Create `AlpineCorpusConnector` for Alpine APK |
| 17 | BACKPORT-17 | DONE | BACKPORT-16 | BE Guild | Implement APKBUILD secfixes extraction |
| 18 | BACKPORT-18 | DONE | All | BE Guild | Add confidence scoring for fix evidence |
| 19 | BACKPORT-19 | DONE | All | BE Guild | Add unit tests for all parsers |
| 20 | BACKPORT-20 | DONE | All | BE Guild | Add integration tests for fix index building |
| 21 | BACKPORT-21 | DONE | All | BE Guild | Document fix evidence chain in architecture doc |
**Total Tasks:** 21
---
## Task Details
### BACKPORT-01: cve_fix_index Table
Store patch-aware CVE fix status per distro/release/package.
**Schema:**
```sql
CREATE TABLE binaries.cve_fix_index (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id TEXT NOT NULL DEFAULT binaries_app.require_current_tenant(),
distro TEXT NOT NULL, -- debian, ubuntu, alpine, rhel
release TEXT NOT NULL, -- bookworm, jammy, v3.19
source_pkg TEXT NOT NULL, -- Source package name
cve_id TEXT NOT NULL, -- CVE-YYYY-NNNN
state TEXT NOT NULL, -- fixed, vulnerable, not_affected, wontfix, unknown
fixed_version TEXT, -- Distro version string where fixed
method TEXT NOT NULL, -- security_feed, changelog, patch_header, upstream_match
confidence DECIMAL(3,2) NOT NULL, -- 0.00-1.00
evidence_id UUID, -- Reference to fix_evidence
snapshot_id UUID, -- Corpus snapshot this came from
indexed_at TIMESTAMPTZ NOT NULL DEFAULT now(),
UNIQUE (tenant_id, distro, release, source_pkg, cve_id)
);
CREATE INDEX idx_cve_fix_lookup ON binaries.cve_fix_index
(tenant_id, distro, release, source_pkg, cve_id);
```
---
### BACKPORT-03: DebianChangelogParser
Parse Debian/Ubuntu changelog files for CVE fix mentions.
**Input format:**
```
package (1.2.3-4) bookworm-security; urgency=high
* Fix CVE-2024-1234: buffer overflow in parse_header
* Fix CVE-2024-1235: use-after-free in cleanup
-- Maintainer <email> Mon, 01 Jan 2024 12:00:00 +0000
```
**Requirements:**
- Extract CVE mentions from changelog entries
- Map to version where fix appeared
- Handle multiple CVEs per entry
- Support urgency levels
**Existing file:** `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.FixIndex/Parsers/DebianChangelogParser.cs`
---
### BACKPORT-04: PatchHeaderParser
Parse DEP-3 patch headers for upstream patch references.
**Input format:**
```
Description: Fix buffer overflow in parse_header
Origin: upstream, https://github.com/project/commit/abc123
Bug-Debian: https://bugs.debian.org/123456
CVE: CVE-2024-1234
Applied-Upstream: 1.2.4
```
**Requirements:**
- Extract CVE references
- Extract upstream commit/version
- Extract bug tracker references
- Calculate confidence based on origin
**Existing file:** `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.FixIndex/Parsers/PatchHeaderParser.cs`
---
### BACKPORT-05: AlpineSecfixesParser
Parse Alpine APKBUILD secfixes section.
**Input format:**
```
# secfixes:
# 1.2.3-r1:
# - CVE-2024-1234
# - CVE-2024-1235
# 1.2.2-r0:
# - CVE-2024-1000
```
**Requirements:**
- Parse secfixes comment block
- Map CVEs to Alpine version strings
- Handle version ranges
**Existing file:** `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.FixIndex/Parsers/AlpineSecfixesParser.cs`
---
### BACKPORT-06: RpmChangelogParser
Parse RPM spec file changelog for CVE mentions.
**Input format:**
```
%changelog
* Mon Jan 01 2024 Packager <email> - 1.2.3-4
- Fix CVE-2024-1234
- Backport upstream security patches
```
**Requirements:**
- Parse RPM spec %changelog section
- Extract CVE mentions
- Map to NEVRA version
**Location:** `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.FixIndex/Parsers/RpmChangelogParser.cs`
---
### BACKPORT-18: Confidence Scoring
Implement confidence scoring for fix evidence.
**Confidence Levels:**
| Method | Base Confidence | Notes |
|--------|-----------------|-------|
| Security Feed (OVAL) | 0.99 | Authoritative |
| Patch Header with upstream ref | 0.95 | Strong evidence |
| Changelog with CVE mention | 0.85 | Good evidence |
| Changelog inference | 0.70 | Version-based inference |
| Upstream patch match | 0.90 | Binary diff match |
---
## Acceptance Criteria
1. **Fix index populated** for Debian/Ubuntu packages
2. **Changelog parser** correctly extracts CVE fixes
3. **Patch header parser** handles DEP-3 format
4. **Alpine secfixes** parsed correctly
5. **GetFixStatusAsync** returns backport status
6. **Confidence scores** calculated per method
7. **Evidence chain** auditable
8. **Integration tests** cover all distros
---
## Decisions & Risks
| ID | Decision/Risk | Status | Notes |
|----|---------------|--------|-------|
| D1 | Prioritize security feed over changelog when conflicting | DECIDED | Feed is authoritative |
| D2 | Store raw evidence excerpts for audit | DECIDED | Truncate at 1KB |
| R1 | Changelog parsing may have false positives | OPEN | Use confidence scoring |
| R2 | Some distros don't maintain consistent CVE references | OPEN | Flag as "unknown" with low confidence |
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-26 | Sprint created from BinaryIndex MVP roadmap. | Project Mgmt |
| 2025-12-26 | Verified existing parsers: DebianChangelogParser, PatchHeaderParser, AlpineSecfixesParser (BACKPORT-03/04/05). Created RpmChangelogParser (BACKPORT-06). | Impl |
| 2025-12-26 | Created 003_create_fix_index_tables.sql migration with cve_fix_index and fix_evidence tables (BACKPORT-01/02). | Impl |
| 2025-12-26 | Created IFixIndexRepository interface with FixIndexEntry and FixEvidenceRecord records (BACKPORT-11). | Impl |
| 2025-12-26 | Confidence scoring already embedded in parsers: security_feed=0.95-0.99, patch_header=0.87, changelog=0.75-0.80 (BACKPORT-18). | Impl |
| 2025-12-26 | Added GetFixStatusAsync to IBinaryVulnerabilityService (BACKPORT-13). Created RpmCorpusConnector and SrpmChangelogExtractor (BACKPORT-14/15). Created AlpineCorpusConnector and ApkBuildSecfixesExtractor (BACKPORT-16/17). | Impl |
| 2025-12-26 | Added integration tests for all distro fix index builders (BACKPORT-20). Documented fix evidence chain in architecture.md section 5b (BACKPORT-21). Sprint complete. | Impl |
---
## Related Documentation
- [BinaryIndex Architecture](../modules/binaryindex/architecture.md)
- [Debian Policy - Changelogs](https://www.debian.org/doc/debian-policy/ch-source.html)
- [DEP-3 Patch Tagging Guidelines](https://dep-team.pages.debian.net/deps/dep3/)
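Review bot: the confidence table in BACKPORT-18 (security feed 0.99, patch header 0.95, changelog 0.85 and 0.70) disagrees with the execution log entry for the same task, which records the parsers as shipping security_feed=0.95-0.99, patch_header=0.87 and changelog=0.75-0.80; consumers of `GetFixStatusAsync` will read `confidence` from `cve_fix_index`, so one of the two should be corrected until the documented values match what is written to the column. Two smaller points in the BACKPORT-01 schema: `idx_cve_fix_lookup` covers exactly the columns of the `UNIQUE (tenant_id, distro, release, source_pkg, cve_id)` constraint, which already creates an index, so it is redundant; and `state` and `method` are free-form TEXT whose allowed values live only in comments, so a `CHECK (state IN ('fixed', 'vulnerable', 'not_affected', 'wontfix', 'unknown'))` (and the same for `method`) would enforce the documented enums. Unlike `binary_identity` in the previous sprint, the snippet also does not show `ENABLE ROW LEVEL SECURITY` for `cve_fix_index`, although the `tenant_id` default implies it is intended.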

@@ -0,0 +1,100 @@
# Sprint 20251226 · Smart-Diff Three-Pane Compare View
## Topic & Scope
- Implement the three-pane Smart-Diff Compare View as designed in `docs/modules/web/smart-diff-ui-architecture.md`.
- Build baseline selector, delta summary strip, categories/items/proof pane layout.
- Implement role-based defaults (Developer/Security/Audit) and trust indicators.
- **Working directory:** `src/Web/StellaOps.Web`
## Dependencies & Concurrency
- Depends on: SPRINT_20251226_004_FE (risk dashboard components), SPRINT_20251226_001_BE (gate API).
- Can run in parallel with: SPRINT_20251226_013_FE (triage canvas).
- Enhances: SPRINT_20251226_004_FE by adding detailed comparison capability.
## Documentation Prerequisites
- `docs/modules/web/smart-diff-ui-architecture.md` (REQUIRED - primary design reference)
- `docs/product-advisories/25-Dec-2025 - Visual Diffs for Explainable Triage.md`
- `docs/product-advisories/25-Dec-2025 - Triage UI Lessons from Competitors.md`
- Angular 17 patterns in existing codebase
## Context: What Already Exists
| Component | Location | Status |
|-----------|----------|--------|
| Smart-Diff Architecture | `docs/modules/web/smart-diff-ui-architecture.md` | COMPLETE (design only) |
| Release Flow | `features/releases/release-flow.component.ts` | COMPLETE |
| Policy Gate Indicator | `features/releases/policy-gate-indicator.component.ts` | COMPLETE |
| Confidence Badge | `shared/components/confidence-badge.component.ts` | COMPLETE |
| Evidence Page | `features/evidence/evidence-page.component.ts` | PARTIAL |
| Determinism Badge | `features/scans/determinism-badge.component.ts` | COMPLETE |
This sprint implements the **three-pane compare view** from the architecture specification.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SDIFF-01 | DONE | None | Frontend Guild | Create `CompareService` Angular service with baseline recommendations API |
| 2 | SDIFF-02 | DONE | SDIFF-01 | Frontend Guild | Create `DeltaComputeService` for idempotent delta computation |
| 3 | SDIFF-03 | TODO | None | Frontend Guild | `CompareViewComponent` container with signals-based state management |
| 4 | SDIFF-04 | TODO | SDIFF-03 | Frontend Guild | `BaselineSelectorComponent` with dropdown and rationale display |
| 5 | SDIFF-05 | TODO | SDIFF-04 | Frontend Guild | `BaselineRationaleComponent` explaining baseline selection logic |
| 6 | SDIFF-06 | TODO | SDIFF-03 | Frontend Guild | `TrustIndicatorsComponent` showing determinism hash, policy version, feed snapshot |
| 7 | SDIFF-07 | TODO | SDIFF-06 | Frontend Guild | `DeterminismHashDisplay` with copy button and verification status |
| 8 | SDIFF-08 | TODO | SDIFF-06 | Frontend Guild | `SignatureStatusDisplay` with DSSE verification result |
| 9 | SDIFF-09 | TODO | SDIFF-06 | Frontend Guild | `PolicyDriftIndicator` warning if policy changed since baseline |
| 10 | SDIFF-10 | TODO | SDIFF-03 | Frontend Guild | `DeltaSummaryStripComponent`: [+N added] [-N removed] [~N changed] counts |
| 11 | SDIFF-11 | TODO | SDIFF-10 | Frontend Guild | `ThreePaneLayoutComponent` responsive container for Categories/Items/Proof |
| 12 | SDIFF-12 | TODO | SDIFF-11 | Frontend Guild | `CategoriesPaneComponent`: SBOM, Reachability, VEX, Policy, Unknowns with counts |
| 13 | SDIFF-13 | TODO | SDIFF-12 | Frontend Guild | `ItemsPaneComponent` with virtual scrolling for large deltas (cdk-virtual-scroll) |
| 14 | SDIFF-14 | TODO | SDIFF-13 | Frontend Guild | Priority score display with color-coded severity |
| 15 | SDIFF-15 | TODO | SDIFF-11 | Frontend Guild | `ProofPaneComponent` container for evidence details |
| 16 | SDIFF-16 | TODO | SDIFF-15 | Frontend Guild | `WitnessPathComponent`: entry→sink call path visualization |
| 17 | SDIFF-17 | TODO | SDIFF-15 | Frontend Guild | `VexMergeExplanationComponent`: vendor + distro + org → merged result |
| 18 | SDIFF-18 | TODO | SDIFF-15 | Frontend Guild | `EnvelopeHashesComponent`: display content-addressed hashes |
| 19 | SDIFF-19 | TODO | SDIFF-03 | Frontend Guild | `ActionablesPanelComponent`: prioritized recommendations list |
| 20 | SDIFF-20 | TODO | SDIFF-03 | Frontend Guild | `ExportActionsComponent`: copy replay command, download evidence pack |
| 21 | SDIFF-21 | TODO | SDIFF-03 | Frontend Guild | Role-based view switching: Developer/Security/Audit defaults |
| 22 | SDIFF-22 | TODO | SDIFF-21 | Frontend Guild | User preference persistence for role and panel states |
| 23 | SDIFF-23 | TODO | SDIFF-13 | Frontend Guild | Micro-interaction: hover badge explaining "why it changed" |
| 24 | SDIFF-24 | TODO | SDIFF-17 | Frontend Guild | Micro-interaction: click rule → spotlight affected subgraph |
| 25 | SDIFF-25 | TODO | SDIFF-03 | Frontend Guild | "Explain like I'm new" toggle expanding jargon to plain language |
| 26 | SDIFF-26 | TODO | SDIFF-20 | Frontend Guild | "Copy audit bundle" one-click export as JSON attachment |
| 27 | SDIFF-27 | TODO | SDIFF-03 | Frontend Guild | Keyboard navigation: Tab/Arrow/Enter/Escape/C shortcuts |
| 28 | SDIFF-28 | TODO | SDIFF-27 | Frontend Guild | ARIA labels and screen reader live regions |
| 29 | SDIFF-29 | TODO | SDIFF-03 | Frontend Guild | Degraded mode: warning banner when signature verification fails |
| 30 | SDIFF-30 | TODO | SDIFF-11 | Frontend Guild | "Changed neighborhood only" default with mini-map for large graphs |
| 31 | SDIFF-31 | TODO | All above | Frontend Guild | Unit tests for all new components |
| 32 | SDIFF-32 | TODO | SDIFF-31 | Frontend Guild | E2E tests: full comparison workflow |
| 33 | SDIFF-33 | TODO | SDIFF-32 | Frontend Guild | Integration tests: API service calls and response handling |
## Routing Configuration
```typescript
// From smart-diff-ui-architecture.md
{
path: 'compare',
children: [
{ path: ':currentDigest', component: CompareViewComponent },
{ path: ':currentDigest/:baselineDigest', component: CompareViewComponent }
]
}
```
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-26 | Sprint created from "Triage UI Lessons from Competitors" analysis; implements Smart-Diff Compare View. | Project Mgmt |
| 2025-12-26 | Created CompareService (SDIFF-01) and DeltaComputeService (SDIFF-02) in src/Web/StellaOps.Web/src/app/features/compare/services/. | Impl |
## Decisions & Risks
- Decision needed: Virtual scroll item height. Recommend: 56px consistent with Angular Material.
- Decision needed: Max graph nodes in witness path. Recommend: 25 nodes, "show more" for larger paths.
- Decision needed: Export format for audit bundle. Recommend: JSON-LD with DSSE envelope.
- Risk: Large deltas may exceed 1000 items. Mitigation: category pre-filtering, virtual scroll.
- Risk: Complex witness paths hard to visualize. Mitigation: collapsed by default, expand on demand.
- Risk: Keyboard shortcuts may conflict with browser. Mitigation: only active when component focused.
## Next Checkpoints
- 2026-01-03 | SDIFF-11 complete | Three-pane layout functional |
- 2026-01-08 | SDIFF-20 complete | Core comparison features working |
- 2026-01-13 | SDIFF-33 complete | Full implementation with tests |
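Review bot: SDIFF-29 defines degraded mode only as "warning banner when signature verification fails", but the trust indicators in SDIFF-07 and SDIFF-09 also surface a determinism-hash verification status and policy drift since the baseline; a comparison whose hash does not verify or whose policy drifted is no more trustworthy for the Audit role than one with a bad DSSE signature, so the task should list all three conditions and say whether the exports in SDIFF-20/26 are blocked or annotated while degraded. In the routing block, `:currentDigest` and `:baselineDigest` come straight from the URL; SDIFF-03 or SDIFF-04 should state that they are validated as digests before being handed to `CompareService` and what the view renders when the baseline recommendations API returns nothing. Style point: this file has no Acceptance Criteria section and the Next Checkpoints rows are pipe-separated without a table header, unlike the other sprint files in this commit.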

@@ -0,0 +1,240 @@
# SPRINT_20251226_013_BINIDX_fingerprint_factory
> **Status:** TODO
> **Priority:** P2
> **Module:** BinaryIndex
> **Created:** 2025-12-26
> **Depends On:** [`SPRINT_20251226_012_BINIDX_backport_handling.md`](./SPRINT_20251226_012_BINIDX_backport_handling.md)
> **Architecture:** [`docs/modules/binaryindex/architecture.md`](../modules/binaryindex/architecture.md)
---
## Topic & Scope
Implement the **Binary Fingerprint Factory** - the third MVP tier that enables detecting vulnerable code independent of package metadata through function-level fingerprinting.
**Goal:** Detect vulnerable code by matching function fingerprints, not just Build-IDs or versions.
**Working directory:** `src/BinaryIndex/`
---
## Documentation Prerequisites
- `docs/modules/binaryindex/architecture.md`
- `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Fingerprints/`
- Research: BinDiff, Diaphora, TLSH for binary similarity
---
## Delivery Tracker
| # | Task ID | Status | Depends | Owner | Description |
|---|---------|--------|---------|-------|-------------|
| 1 | FPRINT-01 | TODO | None | BE Guild | Create `vulnerable_fingerprints` table schema |
| 2 | FPRINT-02 | TODO | FPRINT-01 | BE Guild | Create `fingerprint_matches` table for match results |
| 3 | FPRINT-03 | TODO | None | BE Guild | Create `IFingerprintBlobStorage` for fingerprint storage |
| 4 | FPRINT-04 | TODO | FPRINT-03 | BE Guild | Implement `FingerprintBlobStorage` with RustFS backend |
| 5 | FPRINT-05 | TODO | None | BE Guild | Design `IVulnFingerprintGenerator` interface |
| 6 | FPRINT-06 | TODO | FPRINT-05 | BE Guild | Implement `BasicBlockFingerprintGenerator` |
| 7 | FPRINT-07 | TODO | FPRINT-05 | BE Guild | Implement `ControlFlowGraphFingerprintGenerator` |
| 8 | FPRINT-08 | TODO | FPRINT-05 | BE Guild | Implement `StringRefsFingerprintGenerator` |
| 9 | FPRINT-09 | TODO | FPRINT-05 | BE Guild | Implement `CombinedFingerprintGenerator` (ensemble) |
| 10 | FPRINT-10 | TODO | None | BE Guild | Create reference build generation pipeline |
| 11 | FPRINT-11 | TODO | FPRINT-10 | BE Guild | Implement vulnerable/fixed binary pair builder |
| 12 | FPRINT-12 | TODO | FPRINT-06 | BE Guild | Implement `IFingerprintMatcher` interface |
| 13 | FPRINT-13 | TODO | FPRINT-12 | BE Guild | Implement similarity matching with configurable threshold |
| 14 | FPRINT-14 | TODO | FPRINT-12 | BE Guild | Add `LookupByFingerprintAsync` to vulnerability service |
| 15 | FPRINT-15 | TODO | All | BE Guild | Seed fingerprints for OpenSSL high-impact CVEs |
| 16 | FPRINT-16 | TODO | All | BE Guild | Seed fingerprints for glibc high-impact CVEs |
| 17 | FPRINT-17 | TODO | All | BE Guild | Seed fingerprints for zlib high-impact CVEs |
| 18 | FPRINT-18 | TODO | All | BE Guild | Seed fingerprints for curl high-impact CVEs |
| 19 | FPRINT-19 | TODO | All | BE Guild | Create fingerprint validation corpus |
| 20 | FPRINT-20 | TODO | FPRINT-19 | BE Guild | Implement false positive rate validation |
| 21 | FPRINT-21 | TODO | All | BE Guild | Add unit tests for fingerprint generation |
| 22 | FPRINT-22 | TODO | All | BE Guild | Add integration tests for matching pipeline |
| 23 | FPRINT-23 | TODO | All | BE Guild | Document fingerprint algorithms in architecture |
**Total Tasks:** 23
---
## Task Details
### FPRINT-01: vulnerable_fingerprints Table
Store function-level vulnerability fingerprints.
**Schema:**
```sql
CREATE TABLE binaries.vulnerable_fingerprints (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id TEXT NOT NULL DEFAULT binaries_app.require_current_tenant(),
cve_id TEXT NOT NULL,
component TEXT NOT NULL, -- openssl, glibc, etc.
purl TEXT, -- Package URL if known
algorithm TEXT NOT NULL, -- basic_block, cfg, string_refs, combined
fingerprint_id TEXT NOT NULL, -- Unique fingerprint identifier
fingerprint_hash BYTEA NOT NULL, -- 16-32 byte hash
architecture TEXT NOT NULL, -- x86_64, aarch64
function_name TEXT, -- Function name if known
source_file TEXT, -- Source file if known
source_line INT, -- Line number if known
similarity_threshold DECIMAL(3,2) DEFAULT 0.95,
confidence DECIMAL(3,2),
validated BOOLEAN DEFAULT false,
validation_stats JSONB, -- {tp, fp, tn, fn}
vuln_build_ref TEXT, -- Reference to vulnerable build
fixed_build_ref TEXT, -- Reference to fixed build
indexed_at TIMESTAMPTZ NOT NULL DEFAULT now(),
UNIQUE (tenant_id, fingerprint_id)
);
CREATE INDEX idx_fingerprint_cve ON binaries.vulnerable_fingerprints (tenant_id, cve_id);
CREATE INDEX idx_fingerprint_component ON binaries.vulnerable_fingerprints (tenant_id, component);
```
---
### FPRINT-06: BasicBlockFingerprintGenerator
Generate fingerprints based on basic block hashing.
**Algorithm:**
1. Disassemble function to basic blocks
2. Normalize instructions (remove absolute addresses)
3. Hash each basic block
4. Combine block hashes with topology info
**Requirements:**
- Architecture-independent normalization
- Stable across compiler optimizations (-O1 to -O3)
- 16-byte fingerprint output
**Location:** `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Fingerprints/Generators/BasicBlockFingerprintGenerator.cs`
---
### FPRINT-07: ControlFlowGraphFingerprintGenerator
Generate fingerprints based on control flow graph structure.
**Algorithm:**
1. Build CFG from disassembly
2. Extract graph properties (node count, edge count, cyclomatic complexity)
3. Compute structural hash (adjacency matrix or graph kernel)
**Requirements:**
- Resilient to instruction reordering
- Capture loop and branch structure
- 32-byte fingerprint output
**Location:** `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Fingerprints/Generators/ControlFlowGraphFingerprintGenerator.cs`
---
### FPRINT-08: StringRefsFingerprintGenerator
Generate fingerprints based on string references in code.
**Algorithm:**
1. Extract string constants referenced by function
2. Hash string content (normalized)
3. Include reference order/pattern
**Requirements:**
- Useful for error message patterns
- Language-agnostic
- 16-byte fingerprint output
**Location:** `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Fingerprints/Generators/StringRefsFingerprintGenerator.cs`
---
### FPRINT-10: Reference Build Pipeline
Create automated pipeline for generating vulnerable/fixed binary pairs.
**Pipeline Steps:**
1. Identify CVE with known commit fix
2. Clone upstream source
3. Build at vulnerable version
4. Build at fixed version
5. Extract fingerprints from both
6. Compute differential fingerprint (what changed)
**Requirements:**
- Sandboxed build environment
- Multi-architecture support (x86_64, aarch64)
- Reproducible builds where possible
---
### FPRINT-15-18: High-Impact CVE Seeding
Seed initial fingerprint database with high-impact CVEs.
**Target Components:**
| Component | Priority CVEs | Notes |
|-----------|---------------|-------|
| OpenSSL | CVE-2024-*, CVE-2023-* | Heartbleed-class vulns |
| glibc | CVE-2024-*, CVE-2023-* | Memory corruption |
| zlib | CVE-2022-37434 | Heap overflow |
| curl | CVE-2024-*, CVE-2023-* | Protocol vulns |
**Goal:** 10+ fingerprints per component covering critical/high severity.
---
### FPRINT-19: Validation Corpus
Create corpus for validating fingerprint accuracy.
**Requirements:**
- Known-vulnerable binaries from multiple distros
- Known-fixed binaries (backported)
- Ground truth labels
- Measure: Precision, Recall, F1
**Target Metrics:**
- Precision: > 0.95 (low false positives)
- Recall: > 0.80 (reasonable coverage)
---
## Acceptance Criteria
1. **Fingerprint generation** works for ELF binaries
2. **All three algorithms** produce stable fingerprints
3. **Matching service** returns similarity scores
4. **10 high-impact CVEs** seeded per component
5. **Validation corpus** shows acceptable F1 score
6. **False positive rate** < 5%
7. **Integration tests** cover full pipeline
---
## Decisions & Risks
| ID | Decision/Risk | Status | Notes |
|----|---------------|--------|-------|
| D1 | Use combined algorithm for production | DECIDED | Ensemble of all three |
| D2 | Default similarity threshold 0.95 | DECIDED | Configurable per fingerprint |
| R1 | Compiler optimization may affect stability | OPEN | Test across -O0 to -O3 |
| R2 | Architecture differences may cause false negatives | OPEN | Generate per-architecture |
| R3 | Large functions may have weak fingerprints | OPEN | Add function size filter |
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-26 | Sprint created from BinaryIndex MVP roadmap. | Project Mgmt |
---
## Related Documentation
- [BinaryIndex Architecture](../modules/binaryindex/architecture.md)
- [Binary Similarity Research](https://github.com/google/bindiff)
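Review bot: the validation targets in FPRINT-19 and acceptance criterion 6 measure different quantities and do not line up. `Precision: > 0.95` bounds the share of reported matches that are wrong; `False positive rate < 5%` bounds the share of non-vulnerable binaries that get flagged at all. On a corpus where most binaries are already fixed, a 5% FPR can coexist with precision well below 0.95, so keep one target (precision, since the corpus is labelled) or state the negative-class size the FPR is computed over. Two further points in this hunk: FPRINT-06 promises stability across `-O1 to -O3` while R1 asks to test `-O0 to -O3`, so either the requirement or the risk should say explicitly whether unoptimized builds are in scope; and in FPRINT-07 step 3 an adjacency-matrix hash is only "resilient to instruction reordering" if the CFG nodes are first put into a canonical order (for example by structural refinement such as Weisfeiler-Lehman labels), otherwise two renumberings of the same graph hash differently, so the algorithm should name the canonicalization step. Finally, the seeding table in FPRINT-15-18 lists `CVE-2024-*, CVE-2023-*` rather than concrete identifiers, and "Heartbleed-class" reads as a vulnerability class rather than a selection rule (Heartbleed itself is CVE-2014-0160); FPRINT-10 step 1 needs an explicit CVE list with the fixing commit per entry, so the seeding task should carry that list.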


@@ -0,0 +1,117 @@
# Sprint 20251226 · Unified Triage Canvas with AdvisoryAI Integration
## Topic & Scope
- Build unified triage experience combining VulnExplorer, AdvisoryAI, and evidence in single canvas.
- Integrate AdvisoryAI recommendations into triage workflow.
- Implement competitor-parity features: reachability context, VEX decisioning, attestable exceptions.
- **Working directory:** `src/Web/StellaOps.Web`, `src/VulnExplorer/`
## Dependencies & Concurrency
- Depends on: SPRINT_20251226_012_FE (smart diff compare view), VulnExplorer API.
- Depends on: AdvisoryAI module (already complete).
- Can run in parallel with: Backend API work.
## Documentation Prerequisites
- `docs/product-advisories/25-Dec-2025 - Triage UI Lessons from Competitors.md`
- `docs/modules/advisoryai/architecture.md`
- `src/VulnExplorer/StellaOps.VulnExplorer.Api/Models/` (existing models)
- Angular 17 component patterns
## Context: What Already Exists
| Component | Location | Status |
|-----------|----------|--------|
| VEX Decision Models | `VulnExplorer/Models/VexDecisionModels.cs` | COMPLETE |
| Vulnerability Models | `VulnExplorer/Models/VulnModels.cs` | COMPLETE |
| VEX Decision Store | `VulnExplorer/Data/VexDecisionStore.cs` | COMPLETE (in-memory, production uses PG) |
| AdvisoryAI Pipeline | `AdvisoryAI/Orchestration/` | COMPLETE |
| AdvisoryAI Retrievers | `AdvisoryAI/Retrievers/` | COMPLETE |
| Vulnerability Detail | `Web/features/vulnerabilities/` | PARTIAL |
| Evidence Page | `Web/features/evidence/` | PARTIAL |
| Confidence Badge | `Web/shared/components/` | COMPLETE |
This sprint creates the **unified triage canvas** that competitors lack.
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | TRIAGE-01 | TODO | None | Frontend Guild | Create `TriageCanvasComponent` container with multi-pane layout |
| 2 | TRIAGE-02 | TODO | None | Frontend Guild | Create `VulnerabilityListService` consuming VulnExplorer API |
| 3 | TRIAGE-03 | TODO | None | Frontend Guild | Create `AdvisoryAiService` consuming AdvisoryAI API endpoints |
| 4 | TRIAGE-04 | TODO | None | Frontend Guild | Create `VexDecisionService` for creating/updating VEX decisions |
| 5 | TRIAGE-05 | TODO | TRIAGE-01 | Frontend Guild | `TriageListComponent`: paginated vulnerability list with filters |
| 6 | TRIAGE-06 | TODO | TRIAGE-05 | Frontend Guild | Severity, KEV, exploitability, fix-available filter chips |
| 7 | TRIAGE-07 | TODO | TRIAGE-05 | Frontend Guild | Quick triage actions: "Mark Not Affected", "Request Analysis" |
| 8 | TRIAGE-08 | TODO | TRIAGE-01 | Frontend Guild | `TriageDetailComponent`: selected vulnerability deep-dive |
| 9 | TRIAGE-09 | TODO | TRIAGE-08 | Frontend Guild | Affected packages panel with PURL links |
| 10 | TRIAGE-10 | TODO | TRIAGE-08 | Frontend Guild | Advisory references panel with external links |
| 11 | TRIAGE-11 | TODO | TRIAGE-08 | Frontend Guild | Evidence provenance display: ledger entry, evidence bundle links |
| 12 | TRIAGE-12 | TODO | TRIAGE-08 | Frontend Guild | `ReachabilityContextComponent`: call graph slice from entry to vulnerability |
| 13 | TRIAGE-13 | TODO | TRIAGE-12 | Frontend Guild | Reachability confidence band using existing ConfidenceBadge |
| 14 | TRIAGE-14 | TODO | TRIAGE-03 | Frontend Guild | `AiRecommendationPanel`: AdvisoryAI suggestions for current vuln |
| 15 | TRIAGE-15 | TODO | TRIAGE-14 | Frontend Guild | "Why is this reachable?" AI-generated explanation |
| 16 | TRIAGE-16 | TODO | TRIAGE-14 | Frontend Guild | Suggested VEX justification from AI analysis |
| 17 | TRIAGE-17 | TODO | TRIAGE-14 | Frontend Guild | Similar vulnerabilities suggestion based on AI clustering |
| 18 | TRIAGE-18 | TODO | TRIAGE-04 | Frontend Guild | `VexDecisionModalComponent`: create VEX decision with justification |
| 19 | TRIAGE-19 | TODO | TRIAGE-18 | Frontend Guild | VEX status dropdown: NotAffected, AffectedMitigated, AffectedUnmitigated, Fixed |
| 20 | TRIAGE-20 | TODO | TRIAGE-18 | Frontend Guild | Justification type selector matching VexJustificationType enum |
| 21 | TRIAGE-21 | TODO | TRIAGE-18 | Frontend Guild | Evidence reference input: PR, Ticket, Doc, Commit links |
| 22 | TRIAGE-22 | TODO | TRIAGE-18 | Frontend Guild | Scope selector: environments and projects |
| 23 | TRIAGE-23 | TODO | TRIAGE-18 | Frontend Guild | Validity window: NotBefore/NotAfter date pickers |
| 24 | TRIAGE-24 | TODO | TRIAGE-18 | Frontend Guild | "Sign as Attestation" checkbox triggering DSSE envelope creation |
| 25 | TRIAGE-25 | TODO | TRIAGE-01 | Frontend Guild | `VexHistoryComponent`: timeline of VEX decisions for current vuln |
| 26 | TRIAGE-26 | TODO | TRIAGE-25 | Frontend Guild | "Supersedes" relationship visualization in history |
| 27 | TRIAGE-27 | TODO | TRIAGE-01 | Frontend Guild | Bulk triage: select multiple vulns, apply same VEX decision |
| 28 | TRIAGE-28 | TODO | TRIAGE-27 | Frontend Guild | Bulk action confirmation modal with impact summary |
| 29 | TRIAGE-29 | TODO | TRIAGE-01 | Frontend Guild | `TriageQueueComponent`: prioritized queue for triage workflow |
| 30 | TRIAGE-30 | TODO | TRIAGE-29 | Frontend Guild | Auto-advance to next item after triage decision |
| 31 | TRIAGE-31 | TODO | TRIAGE-01 | Frontend Guild | Keyboard shortcuts: N(next), P(prev), M(mark not affected), A(analyze) |
| 32 | TRIAGE-32 | TODO | TRIAGE-01 | Frontend Guild | Responsive layout for tablet/desktop |
| 33 | TRIAGE-33 | TODO | All above | Frontend Guild | Unit tests for all triage components |
| 34 | TRIAGE-34 | TODO | TRIAGE-33 | Frontend Guild | E2E tests: complete triage workflow |
| 35 | TRIAGE-35 | TODO | TRIAGE-34 | Frontend Guild | Integration tests: VulnExplorer and AdvisoryAI API calls |
## AdvisoryAI Integration Points
```typescript
// API endpoints from AdvisoryAI.WebService
POST /api/v1/advisory/plan // Get AI analysis plan for vulnerability
POST /api/v1/advisory/execute // Execute AI analysis
GET /api/v1/advisory/output // Retrieve AI recommendations
// Frontend service
@Injectable({ providedIn: 'root' })
export class AdvisoryAiService {
getRecommendations(vulnId: string): Observable<AiRecommendation[]>;
requestAnalysis(vulnId: string, context: AnalysisContext): Observable<TaskId>;
getExplanation(vulnId: string, question: string): Observable<AiExplanation>;
}
```
## Competitor Parity Matrix
| Competitor Feature | Implementation |
|--------------------|----------------|
| Snyk reachability graphs | TRIAGE-12: ReachabilityContextComponent |
| Snyk AI prioritization | TRIAGE-14/15/16/17: AiRecommendationPanel |
| Anchore VEX annotations | TRIAGE-18-24: VexDecisionModalComponent |
| Anchore VEX export | Existing Excititor export (no new work) |
| Prisma runtime context | Future: integrate Signals module |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-26 | Sprint created from "Triage UI Lessons from Competitors" analysis; implements unified triage canvas. | Project Mgmt |
## Decisions & Risks
- Decision needed: AI recommendation display format. Recommend: collapsible cards with confidence scores.
- Decision needed: Bulk triage limit. Recommend: 50 items max per bulk action.
- Decision needed: Triage queue algorithm. Recommend: priority by (KEV × severity × reachability).
- Risk: AdvisoryAI latency may slow triage. Mitigation: async loading, skeleton UI.
- Risk: VEX decision conflicts across users. Mitigation: optimistic locking with version check.
- Risk: Overwhelming information density. Mitigation: progressive disclosure, role-based defaults.
## Next Checkpoints
- 2026-01-08 | TRIAGE-13 complete | Core triage list and detail working |
- 2026-01-15 | TRIAGE-24 complete | VEX decisioning functional |
- 2026-01-20 | TRIAGE-35 complete | Full canvas with AI integration |
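Review bot: TRIAGE-07 and TRIAGE-31 let a single click or the `M` key "Mark Not Affected", but a not-affected VEX statement needs a justification, which only the modal path collects (TRIAGE-20); the quick action should open the modal pre-filled rather than write the decision directly, otherwise findings can be suppressed with no recorded reason, and the same applies to the bulk path in TRIAGE-27/28. TRIAGE-24 says the checkbox "triggers DSSE envelope creation"; the task text should state that the envelope is built and signed server-side from the persisted decision and that the browser only requests it, since as written it can be read as the frontend producing the signature, and a UI sprint must not end up holding signing keys. TRIAGE-16 should record an AI-suggested justification as a suggestion with its source and require the user to confirm it before it becomes the statement's justification, so that a signed decision still reflects a human assertion. Style: the `typescript` fence under "AdvisoryAI Integration Points" mixes three bare HTTP route lines (`POST /api/v1/advisory/plan`, `POST /api/v1/advisory/execute`, `GET /api/v1/advisory/output`) with TypeScript; put them in a comment or a separate fence so the block remains valid TypeScript.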


@@ -0,0 +1,274 @@
# SPRINT_20251226_014_BINIDX_scanner_integration
> **Status:** TODO
> **Priority:** P1
> **Module:** BinaryIndex, Scanner
> **Created:** 2025-12-26
> **Depends On:** [`SPRINT_20251226_013_BINIDX_fingerprint_factory.md`](./SPRINT_20251226_013_BINIDX_fingerprint_factory.md)
> **Architecture:** [`docs/modules/binaryindex/architecture.md`](../modules/binaryindex/architecture.md), [`docs/modules/scanner/architecture.md`](../modules/scanner/architecture.md)
---
## Topic & Scope
Implement **Full Scanner Integration** - the fourth MVP tier that brings binary evidence into production scans with proper attestation and findings ledger integration.
**Goal:** Binary vulnerability matches appear in scan results with cryptographic evidence.
**Working directories:**
- `src/BinaryIndex/`
- `src/Scanner/`
- `src/Attestor/`
---
## Documentation Prerequisites
- `docs/modules/binaryindex/architecture.md`
- `docs/modules/scanner/architecture.md`
- `docs/modules/attestor/architecture.md`
- `src/Scanner/StellaOps.Scanner.Worker/`
---
## Delivery Tracker
| # | Task ID | Status | Depends | Owner | Description |
|---|---------|--------|---------|-------|-------------|
| 1 | SCANINT-01 | TODO | None | BE Guild | Add BinaryIndex service registration to Scanner.Worker |
| 2 | SCANINT-02 | TODO | SCANINT-01 | BE Guild | Create `IBinaryLookupStep` in scan pipeline |
| 3 | SCANINT-03 | TODO | SCANINT-02 | BE Guild | Implement binary extraction from container layers |
| 4 | SCANINT-04 | TODO | SCANINT-03 | BE Guild | Integrate `BinaryIdentityService` for identity extraction |
| 5 | SCANINT-05 | TODO | SCANINT-04 | BE Guild | Call `LookupByIdentityAsync` for each extracted binary |
| 6 | SCANINT-06 | TODO | SCANINT-05 | BE Guild | Call `GetFixStatusAsync` for distro-aware backport check |
| 7 | SCANINT-07 | TODO | SCANINT-05 | BE Guild | Call `LookupByFingerprintAsync` for fingerprint matching |
| 8 | SCANINT-08 | TODO | All | BE Guild | Create `BinaryFindingMapper` to convert matches to findings |
| 9 | SCANINT-09 | TODO | SCANINT-08 | BE Guild | Integrate with Findings Ledger for persistence |
| 10 | SCANINT-10 | TODO | None | BE Guild | Create `binary_fingerprint_evidence` proof segment type |
| 11 | SCANINT-11 | TODO | SCANINT-10 | BE Guild | Implement proof segment generation in Attestor |
| 12 | SCANINT-12 | TODO | SCANINT-11 | BE Guild | Sign binary evidence with DSSE |
| 13 | SCANINT-13 | TODO | SCANINT-12 | BE Guild | Attach binary attestation as OCI referrer |
| 14 | SCANINT-14 | TODO | None | CLI Guild | Add `stella binary inspect` CLI command |
| 15 | SCANINT-15 | TODO | SCANINT-14 | CLI Guild | Add `stella binary lookup <build-id>` command |
| 16 | SCANINT-16 | TODO | SCANINT-14 | CLI Guild | Add `stella binary fingerprint <file>` command |
| 17 | SCANINT-17 | TODO | None | FE Guild | Add "Binary Evidence" tab to scan results UI |
| 18 | SCANINT-18 | TODO | SCANINT-17 | FE Guild | Display "Backported & Safe" badge for fixed binaries |
| 19 | SCANINT-19 | TODO | SCANINT-17 | FE Guild | Display "Affected & Reachable" badge for vulnerable binaries |
| 20 | SCANINT-20 | TODO | All | BE Guild | Add performance benchmarks for binary lookup |
| 21 | SCANINT-21 | TODO | All | BE Guild | Add Valkey cache layer for hot lookups |
| 22 | SCANINT-22 | TODO | All | QA | Add E2E tests for complete scan with binary evidence |
| 23 | SCANINT-23 | TODO | All | QA | Add determinism tests for binary verdict reproducibility |
| 24 | SCANINT-24 | TODO | All | Docs | Update Scanner architecture with binary lookup flow |
| 25 | SCANINT-25 | TODO | All | Docs | Create binary evidence user guide |
**Total Tasks:** 25
---
## Task Details
### SCANINT-02: IBinaryLookupStep
Create pipeline step for binary vulnerability lookup during scan.
**Interface:**
```csharp
public interface IBinaryLookupStep : IScanPipelineStep
{
Task<BinaryLookupResult> LookupAsync(
ExtractedBinary binary,
ScanContext context,
CancellationToken ct);
}
public sealed record BinaryLookupResult(
BinaryIdentity Identity,
ImmutableArray<BinaryVulnMatch> Matches,
ImmutableArray<FixRecord> FixStatuses);
```
**Location:** `src/Scanner/StellaOps.Scanner.Worker/Pipeline/BinaryLookupStep.cs`
---
### SCANINT-03: Binary Extraction from Layers
Extract binaries from container image layers for analysis.
**Requirements:**
- Identify ELF/PE/Mach-O files in layers
- Skip small files (< 4KB)
- Limit to executable sections
- Track layer origin for provenance
**Performance Target:** < 100ms per binary extraction
---
### SCANINT-08: BinaryFindingMapper
Convert binary matches to standard findings format.
**Mapping:**
```csharp
public Finding MapToFinding(BinaryVulnMatch match, BinaryIdentity identity)
{
return new Finding
{
Id = GenerateFindingId(match, identity),
Type = FindingType.BinaryVulnerability,
Severity = GetSeverityFromCve(match.CveId),
Title = $"Binary contains vulnerable code: {match.CveId}",
Description = GenerateDescription(match),
Evidence = new BinaryFindingEvidence
{
BinaryKey = identity.BinaryKey,
BuildId = identity.BuildId,
MatchMethod = match.Method,
Confidence = match.Confidence
},
Remediation = GenerateRemediation(match)
};
}
```
---
### SCANINT-10: binary_fingerprint_evidence Proof Segment
Create new proof segment type for binary evidence.
**Schema:**
```json
{
"segment_type": "binary_fingerprint_evidence",
"version": "1.0.0",
"payload": {
"binary_identity": {
"format": "elf",
"build_id": "abc123...",
"file_sha256": "def456...",
"architecture": "x86_64"
},
"layer_digest": "sha256:...",
"matches": [
{
"cve_id": "CVE-2024-1234",
"method": "buildid_catalog",
"confidence": 0.98,
"vulnerable_purl": "pkg:deb/debian/libssl3@1.1.1n-0+deb11u3",
"fix_status": {
"state": "fixed",
"fixed_version": "1.1.1n-0+deb11u4",
"method": "changelog",
"confidence": 0.85
}
}
]
}
}
```
---
### SCANINT-14: CLI Binary Inspect Command
Add CLI commands for binary analysis.
**Commands:**
```bash
# Inspect binary identity
stella binary inspect /path/to/binary
# Output: Build-ID, hashes, architecture, format
# Lookup vulnerabilities by Build-ID
stella binary lookup abc123def456...
# Output: CVE matches, fix status
# Generate fingerprint for binary
stella binary fingerprint /path/to/binary --algorithm combined
# Output: Fingerprint ID, algorithm, hash
```
---
### SCANINT-17: Binary Evidence UI Tab
Add UI component for viewing binary evidence in scan results.
**Requirements:**
- List binaries found in image
- Show Build-ID, path, layer
- Display vulnerability matches with confidence
- Show backport status badges
- Drill-down to proof chain
---
### SCANINT-18-19: Status Badges
Display clear status badges for binary findings.
**Badge Types:**
| Badge | Color | Meaning |
|-------|-------|---------|
| Backported & Safe | Green | Distro backported the fix |
| Affected & Reachable | Red | Vulnerable and in code path |
| Affected (Low Priority) | Orange | Vulnerable but unreachable |
| Unknown | Gray | Could not determine status |
---
### SCANINT-21: Valkey Cache Layer
Add caching for frequently looked up binaries.
**Cache Strategy:**
- Key: `binary:{tenant}:{build_id}`
- TTL: 1 hour (configurable)
- Invalidate on corpus update
- Cache hit target: > 80% for repeat scans
---
## Acceptance Criteria
1. **Scanner pipeline** includes binary lookup step
2. **Binary findings** appear in scan results
3. **Proof segments** generated with DSSE signatures
4. **OCI attestation** attached to image
5. **CLI commands** work for binary analysis
6. **UI displays** binary evidence tab
7. **Status badges** show backport status
8. **Cache hit rate** > 80% for repeat scans
9. **E2E tests** pass for complete workflow
10. **Determinism tests** pass for reproducibility
---
## Decisions & Risks
| ID | Decision/Risk | Status | Notes |
|----|---------------|--------|-------|
| D1 | Binary lookup runs in parallel with package scan | DECIDED | No blocking |
| D2 | Default to buildid_catalog method first | DECIDED | Fastest path |
| R1 | Large images may have many binaries | OPEN | Add binary count limit (1000) |
| R2 | Cache invalidation on corpus update | OPEN | Use pub/sub notification |
| R3 | Performance impact on scan time | OPEN | Target < 5% overhead |
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-26 | Sprint created from BinaryIndex MVP roadmap. | Project Mgmt |
---
## Related Documentation
- [BinaryIndex Architecture](../modules/binaryindex/architecture.md)
- [Scanner Architecture](../modules/scanner/architecture.md)
- [Attestor Architecture](../modules/attestor/architecture.md)
- [Proof Chain Specification](../modules/attestor/proof-chain-specification.md)
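Review bot: SCANINT-19's "Affected & Reachable" badge has no data source in this hunk: `BinaryLookupResult` carries only `Identity`, `Matches` and `FixStatuses`, the `binary_fingerprint_evidence` payload has no reachability field, and D1 runs the lookup in parallel with the package scan rather than after any reachability analysis. Either add a reachability input to the result and proof segment (and name the module that supplies it) or rename the badge to "Affected" and leave "Reachable" to later work. For SCANINT-23 (determinism) the proof segment payload should also record the corpus snapshot the lookup ran against: the same Build-ID can yield a different `matches` list after a corpus update, so a verdict without that reference is not reproducible. The same identifier belongs in the Valkey key in SCANINT-21, for example `binary:{tenant}:{corpus_snapshot}:{build_id}`, which removes most of R2, since stale entries simply age out instead of needing pub/sub invalidation. R1's binary count limit (1000) must not truncate silently; when the cap is hit the scan result should carry an incomplete-coverage marker so a clean binary verdict is not mistaken for full coverage. Minor: SCANINT-18 shows "Backported & Safe" in green, but the example `fix_status` is derived by `changelog` at `confidence: 0.85`; the badge should surface the method, and the UI needs a confidence threshold below which it falls back to "Unknown".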


@@ -0,0 +1,127 @@
# Sprint 20251226 · Triage UI Advisory and Documentation Consolidation
## Topic & Scope
- Consolidate 3 overlapping triage/visualization advisories into unified documentation.
- Create authoritative "Unified Triage Experience" specification.
- Update smart-diff-ui-architecture.md to reflect current sprint structure.
- Archive original advisories with cross-reference preservation.
- **Working directory:** `docs/product-advisories/`, `docs/modules/web/`
## Dependencies & Concurrency
- No technical dependencies; documentation-only sprint.
- Can run in parallel with: SPRINT_20251226_012_FE, SPRINT_20251226_013_FE.
- Should reference implementation status from UI sprints.
## Documentation Prerequisites
- All source advisories (listed below)
- Existing web module docs:
- `docs/modules/web/smart-diff-ui-architecture.md`
- `docs/modules/web/README.md`
## Advisories to Consolidate
| Advisory | Primary Concepts | Keep Verbatim |
|----------|------------------|---------------|
| `25-Dec-2025 - Triage UI Lessons from Competitors.md` | Snyk/Anchore/Prisma analysis, 4 recommendations | Competitor feature matrix |
| `25-Dec-2025 - Visual Diffs for Explainable Triage.md` | Side-by-side panes, evidence strip, micro-interactions | Data model sketch, UI concept |
| `26-Dec-2026 - Visualizing the Risk Budget.md` | Burn-up charts, heatmaps, exception ledger | Chart design, compute formulas |
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | TDOC-01 | DONE | None | Project Mgmt | Create master document structure: `docs/modules/web/unified-triage-specification.md` |
| 2 | TDOC-02 | DONE | TDOC-01 | Project Mgmt | Merge competitor analysis section from "Triage UI Lessons" |
| 3 | TDOC-03 | DONE | TDOC-01 | Project Mgmt | Merge visual diff concepts from "Visual Diffs for Explainable Triage" |
| 4 | TDOC-04 | DONE | TDOC-01 | Project Mgmt | Merge risk budget visualization from "Visualizing the Risk Budget" |
| 5 | TDOC-05 | DONE | TDOC-04 | Project Mgmt | Add implementation status matrix (what exists vs gaps) |
| 6 | TDOC-06 | DONE | TDOC-05 | Project Mgmt | Map advisory concepts to sprint tasks (SPRINT_012, SPRINT_013, SPRINT_004) |
| 7 | TDOC-07 | DONE | TDOC-06 | Project Mgmt | Update `smart-diff-ui-architecture.md` sprint references to current format |
| 8 | TDOC-08 | DONE | TDOC-07 | Project Mgmt | Create archive directory: `archived/2025-12-26-triage-advisories/` |
| 9 | TDOC-09 | DONE | TDOC-08 | Project Mgmt | Move 3 original advisories to archive |
| 10 | TDOC-10 | DONE | TDOC-09 | Project Mgmt | Add README in archive explaining consolidation |
| 11 | TDOC-11 | DONE | TDOC-05 | Frontend Guild | Create `docs/modules/web/triage-component-catalog.md` |
| 12 | TDOC-12 | DONE | TDOC-11 | Frontend Guild | Document all triage-related Angular components and their relationships |
| 13 | TDOC-13 | DONE | TDOC-11 | Frontend Guild | Add component interaction diagrams |
| 14 | TDOC-14 | DONE | TDOC-09 | Project Mgmt | Update cross-references in `docs/modules/web/README.md` |
| 15 | TDOC-15 | DONE | TDOC-09 | Project Mgmt | Update cross-references in `docs/modules/vulnexplorer/` if exists |
| 16 | TDOC-16 | DONE | All above | Project Mgmt | Final review of consolidated documentation |
## Consolidated Document Structure
```markdown
# Unified Triage Experience Specification
## 1. Executive Summary
- Problem: Disparate triage tools, siloed insights
- Solution: Unified canvas with evidence, VEX, and AI
## 2. Competitive Landscape (from "Triage UI Lessons")
- Snyk: reachability + continuous context
- Anchore: vulnerability annotations + VEX export
- Prisma Cloud: runtime defense
- Stella Ops differentiation
## 3. Core UI Concepts (from "Visual Diffs")
- Side-by-side panes: Before vs After
- Graph focus: dependency/reachability subgraph
- Evidence strip: human-readable facts
- Diff verdict header
- Filter chips
## 4. Risk Budget Visualization (from "Visualizing Risk Budget")
- Heatmap of Unknowns
- Delta Table (Risk Decay per Release)
- Exception Ledger
- Burn-Up Chart specification
- Computation formulas
## 5. Implementation Components
- Smart-Diff Compare View (SPRINT_012_FE)
- Unified Triage Canvas (SPRINT_013_FE)
- Risk Dashboard (SPRINT_004_FE)
## 6. Data Models
- GraphSnapshot
- PolicySnapshot
- Delta
- EvidenceItems[]
- SignedDeltaVerdict
## 7. API Integration
- VulnExplorer endpoints
- AdvisoryAI endpoints
- Delta computation endpoints
## 8. Implementation Status
- Complete components
- In-progress sprints
- Planned work
## 9. Testing Strategy
- Unit tests
- E2E tests
- Accessibility tests
## 10. References
- Sprint links
- Archived advisories
```
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-26 | Sprint created from advisory analysis; consolidates 3 overlapping triage/visualization advisories. | Project Mgmt |
| 2025-12-26 | Created triage-component-catalog.md with component hierarchy, container/presentation components, services, interaction diagrams, accessibility requirements (TDOC-11/12/13). | Impl |
| 2025-12-26 | Updated smart-diff-ui-architecture.md sprint references to current format, added links to unified specification and component catalog (TDOC-07). | Impl |
| 2025-12-26 | Updated web README with triage experience features and proper cross-references (TDOC-14). TDOC-15 N/A (vulnexplorer docs don't exist). Sprint complete. | Impl |
## Decisions & Risks
- Decision: Archive location. Recommend: `archived/2025-12-26-triage-advisories/` with README.
- Decision: Keep smart-diff-ui-architecture.md or merge into unified spec. Recommend: Keep as reference, add link to unified spec.
- Risk: Broken cross-references after archival. Mitigation: grep all docs for advisory filenames before archiving.
- Risk: Loss of nuance from individual advisories. Mitigation: preserve verbatim sections as noted.
## Next Checkpoints
- 2025-12-28 | TDOC-06 complete | All content merged with sprint mapping |
- 2025-12-29 | TDOC-10 complete | Advisories archived |
- 2025-12-30 | TDOC-16 complete | Final review and publication |
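Review bot: the third advisory in "Advisories to Consolidate" is listed as `26-Dec-2026 - Visualizing the Risk Budget.md` while every other date in this sprint is 2025; confirm the actual filename before TDOC-09 moves it, because the stated mitigation for broken cross-references ("grep all docs for advisory filenames before archiving") only works against the exact name, and a mismatch here means links to the archived file are missed. The execution log says "Sprint complete" and every tracker row is DONE, but "Next Checkpoints" still lists future dates (2025-12-28 to 2025-12-30) and the document has no status line; mark the checkpoints as met or remove them so the page does not read as in progress. TDOC-15 is DONE in the tracker but N/A in the log; use one status for it.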