save progress

2026-01-03 12:41:57 +02:00
parent 83c37243e0
commit d486d41a48
48 changed files with 7174 additions and 1086 deletions
--- a/src/Scanner/__Libraries/StellaOps.Scanner.Triage/Migrations/V3700_001__triage_schema.sql
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Triage/Migrations/V3700_001__triage_schema.sql
@@ -2,8 +2,6 @@
 -- Generated from docs/db/triage_schema.sql
 -- Version: 1.0.0

-BEGIN;
-
 -- Extensions
 CREATE EXTENSION IF NOT EXISTS pgcrypto;

@@ -64,6 +62,27 @@ BEGIN
  END IF;
 END $$;

+-- Scan metadata
+CREATE TABLE IF NOT EXISTS triage_scan (
+  id                  uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  image_reference      text NOT NULL,
+  image_digest         text NULL,
+  target_digest        text NULL,
+  target_reference     text NULL,
+  knowledge_snapshot_id text NULL,
+  started_at           timestamptz NOT NULL DEFAULT now(),
+  completed_at         timestamptz NULL,
+  status               text NOT NULL,
+  policy_hash          text NULL,
+  feed_snapshot_hash   text NULL,
+  snapshot_created_at  timestamptz NULL,
+  feed_versions        jsonb NULL,
+  snapshot_content_hash text NULL,
+  final_digest         text NULL,
+  feed_snapshot_at     timestamptz NULL,
+  offline_bundle_id    text NULL
+);
+
 -- Core: finding (caseId == findingId)
 CREATE TABLE IF NOT EXISTS triage_finding (
  id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
@@ -73,8 +92,18 @@ CREATE TABLE IF NOT EXISTS triage_finding (
  purl             text NOT NULL,
  cve_id           text NULL,
  rule_id          text NULL,
+  artifact_digest  text NULL,
+  scan_id          uuid NULL,
  first_seen_at    timestamptz NOT NULL DEFAULT now(),
  last_seen_at     timestamptz NOT NULL DEFAULT now(),
+  updated_at       timestamptz NOT NULL DEFAULT now(),
+  status           text NULL,
+  is_muted         boolean NOT NULL DEFAULT false,
+  is_backport_fixed boolean NOT NULL DEFAULT false,
+  fixed_in_version text NULL,
+  superseded_by    text NULL,
+  delta_comparison_id uuid NULL,
+  knowledge_snapshot_id text NULL,
  UNIQUE (asset_id, environment_id, purl, cve_id, rule_id)
 );

@@ -83,6 +112,29 @@ CREATE INDEX IF NOT EXISTS ix_triage_finding_asset_label ON triage_finding (asse
 CREATE INDEX IF NOT EXISTS ix_triage_finding_purl ON triage_finding (purl);
 CREATE INDEX IF NOT EXISTS ix_triage_finding_cve ON triage_finding (cve_id);

+ALTER TABLE triage_finding ADD COLUMN IF NOT EXISTS artifact_digest text NULL;
+ALTER TABLE triage_finding ADD COLUMN IF NOT EXISTS scan_id uuid NULL;
+ALTER TABLE triage_finding ADD COLUMN IF NOT EXISTS updated_at timestamptz NOT NULL DEFAULT now();
+ALTER TABLE triage_finding ADD COLUMN IF NOT EXISTS status text NULL;
+ALTER TABLE triage_finding ADD COLUMN IF NOT EXISTS is_muted boolean NOT NULL DEFAULT false;
+ALTER TABLE triage_finding ADD COLUMN IF NOT EXISTS is_backport_fixed boolean NOT NULL DEFAULT false;
+ALTER TABLE triage_finding ADD COLUMN IF NOT EXISTS fixed_in_version text NULL;
+ALTER TABLE triage_finding ADD COLUMN IF NOT EXISTS superseded_by text NULL;
+ALTER TABLE triage_finding ADD COLUMN IF NOT EXISTS delta_comparison_id uuid NULL;
+ALTER TABLE triage_finding ADD COLUMN IF NOT EXISTS knowledge_snapshot_id text NULL;
+
+DO $$
+BEGIN
+  IF NOT EXISTS (
+    SELECT 1 FROM pg_constraint
+    WHERE conname = 'fk_triage_finding_scan'
+  ) THEN
+    ALTER TABLE triage_finding
+      ADD CONSTRAINT fk_triage_finding_scan
+      FOREIGN KEY (scan_id) REFERENCES triage_scan(id) ON DELETE SET NULL;
+  END IF;
+END $$;
+
 -- Effective VEX (post-merge)
 CREATE TABLE IF NOT EXISTS triage_effective_vex (
  id                uuid PRIMARY KEY DEFAULT gen_random_uuid(),
@@ -196,6 +248,32 @@ CREATE TABLE IF NOT EXISTS triage_snapshot (
 CREATE INDEX IF NOT EXISTS ix_triage_snapshot_finding ON triage_snapshot (finding_id, created_at DESC);
 CREATE INDEX IF NOT EXISTS ix_triage_snapshot_trigger ON triage_snapshot (trigger, created_at DESC);

+-- Policy decisions
+CREATE TABLE IF NOT EXISTS triage_policy_decision (
+  id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  finding_id  uuid NOT NULL REFERENCES triage_finding(id) ON DELETE CASCADE,
+  policy_id   text NOT NULL,
+  action      text NOT NULL,
+  reason      text NULL,
+  applied_at  timestamptz NOT NULL DEFAULT now()
+);
+
+CREATE INDEX IF NOT EXISTS ix_triage_policy_decision_finding ON triage_policy_decision (finding_id, applied_at DESC);
+
+-- Attestations
+CREATE TABLE IF NOT EXISTS triage_attestation (
+  id           uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  finding_id   uuid NOT NULL REFERENCES triage_finding(id) ON DELETE CASCADE,
+  type         text NOT NULL,
+  issuer       text NULL,
+  envelope_hash text NULL,
+  content_ref  text NULL,
+  ledger_ref   text NULL,
+  collected_at timestamptz NOT NULL DEFAULT now()
+);
+
+CREATE INDEX IF NOT EXISTS ix_triage_attestation_finding ON triage_attestation (finding_id, collected_at DESC);
+
 -- Current-case view
 CREATE OR REPLACE VIEW v_triage_case_current AS
 WITH latest_risk AS (
@@ -246,4 +324,3 @@ LEFT JOIN latest_risk r ON r.finding_id = f.id
 LEFT JOIN latest_reach re ON re.finding_id = f.id
 LEFT JOIN latest_vex v ON v.finding_id = f.id;

-COMMIT;