docs consolidation, big sln build fixes, new advisories and sprints/tasks

2026-01-05 18:37:04 +02:00
parent d0a7b88398
commit d7bdca6d97
175 changed files with 10322 additions and 307 deletions
--- a/docs/modules/sbom-service/fixtures/lnm-v1/README.md
+++ b/docs/modules/sbom-service/fixtures/lnm-v1/README.md
@@ -0,0 +1,21 @@
+# Link-Not-Merge v1 Fixtures
+
+Status: Awaiting drop (2025-11-22)
+
+Expected contents (all JSON, canonicalized, UTF-8):
+- `projections.json` — canonical SBOM projection payloads keyed by snapshot ID.
+- `assets.json` — asset metadata overlays (tenant-scoped, append-only).
+- `paths.json` — ordered dependency paths with runtime flags and blast-radius hints.
+- `events.json` — `sbom.version.created` envelopes aligned to CAS/provenance fields.
+- `schema-version.txt` — git SHA / semantic version of the frozen projection schema.
+- `SHA256SUMS` — checksums for all files above.
+
+Drop instructions:
+- Place files in this directory and update `SHA256SUMS` via `sha256sum *.json *.txt > SHA256SUMS`.
+- Keep ordering stable; prefer NDJSON converted to JSON arrays only if deterministic sorting is applied.
+- Record drop commit in sprint 0140/0142 Execution Logs and link here.
+
+Consumers:
+- SBOM-SERVICE-21-001..004 implementation and tests.
+- Advisory AI and Console replay suites.
+- AirGap parity review (`docs/modules/sbomservice/runbooks/airgap-parity-review.md`).
--- a/docs/modules/sbom-service/fixtures/lnm-v1/SHA256SUMS
+++ b/docs/modules/sbom-service/fixtures/lnm-v1/SHA256SUMS
@@ -0,0 +1,2 @@
+# SHA256 hashes for LNM v1 fixtures (recorded 2025-11-23)
+docs/modules/sbomservice/fixtures/lnm-v1/projections.json	a469347019b0cf8d07ded0adce2b1590bbb089e3b306e7a7195b94341aeef18d
--- a/docs/modules/sbom-service/fixtures/lnm-v1/catalog.json
+++ b/docs/modules/sbom-service/fixtures/lnm-v1/catalog.json
@@ -0,0 +1,47 @@
+[
+  {
+    "artifact": "ghcr.io/stellaops/sample-api",
+    "sbomVersion": "2025.11.16.1",
+    "digest": "sha256:112",
+    "license": "MIT",
+    "scope": "runtime",
+    "assetTags": {
+      "owner": "payments",
+      "criticality": "high",
+      "env": "prod"
+    },
+    "createdAt": "2025-11-16T12:00:00Z",
+    "projectionHash": "sha256:proj112",
+    "evaluationMetadata": "eval:passed:v1"
+  },
+  {
+    "artifact": "ghcr.io/stellaops/sample-api",
+    "sbomVersion": "2025.11.15.1",
+    "digest": "sha256:111",
+    "license": "MIT",
+    "scope": "runtime",
+    "assetTags": {
+      "owner": "payments",
+      "criticality": "high",
+      "env": "prod"
+    },
+    "createdAt": "2025-11-15T12:00:00Z",
+    "projectionHash": "sha256:proj111",
+    "evaluationMetadata": "eval:passed:v1"
+  },
+  {
+    "artifact": "ghcr.io/stellaops/sample-worker",
+    "sbomVersion": "2025.11.12.0",
+    "digest": "sha256:222",
+    "license": "Apache-2.0",
+    "scope": "runtime",
+    "assetTags": {
+      "owner": "platform",
+      "criticality": "medium",
+      "env": "staging"
+    },
+    "createdAt": "2025-11-12T08:00:00Z",
+    "projectionHash": "sha256:proj222",
+    "evaluationMetadata": "eval:pending:v1"
+  }
+]
--- a/docs/modules/sbom-service/fixtures/lnm-v1/component_lookup.json
+++ b/docs/modules/sbom-service/fixtures/lnm-v1/component_lookup.json
@@ -0,0 +1,38 @@
+[
+  {
+    "artifact": "ghcr.io/stellaops/sample-api",
+    "purl": "pkg:npm/lodash@4.17.21",
+    "neighborPurl": "pkg:npm/express@4.18.2",
+    "relationship": "DEPENDS_ON",
+    "license": "MIT",
+    "scope": "runtime",
+    "runtimeFlag": true
+  },
+  {
+    "artifact": "ghcr.io/stellaops/sample-api",
+    "purl": "pkg:npm/lodash@4.17.21",
+    "neighborPurl": "pkg:npm/rollup@3.0.0",
+    "relationship": "DEPENDS_ON",
+    "license": "MIT",
+    "scope": "build",
+    "runtimeFlag": false
+  },
+  {
+    "artifact": "ghcr.io/stellaops/sample-api",
+    "purl": "pkg:npm/lodash@4.17.21",
+    "neighborPurl": "pkg:npm/react@18.2.0",
+    "relationship": "DEPENDS_ON",
+    "license": "MIT",
+    "scope": "runtime",
+    "runtimeFlag": true
+  },
+  {
+    "artifact": "ghcr.io/stellaops/sample-worker",
+    "purl": "pkg:nuget/Newtonsoft.Json@13.0.2",
+    "neighborPurl": "pkg:nuget/StellaOps.Core@1.0.0",
+    "relationship": "DEPENDS_ON",
+    "license": "Apache-2.0",
+    "scope": "runtime",
+    "runtimeFlag": true
+  }
+]
--- a/docs/modules/sbom-service/fixtures/lnm-v1/projections.json
+++ b/docs/modules/sbom-service/fixtures/lnm-v1/projections.json
@@ -0,0 +1 @@
+[{"snapshotId":"snap-001","tenantId":"tenant-a","projection":{"purl":"pkg:npm/lodash@4.17.21","paths":[],"metadata":{"schemaVersion":"1.0.0","asset":{"criticality":"high","owner":"team-console","environment":"prod","exposure":["internet","pci"],"tags":{"tier":"1","service":"sample-api"}}}}}]
				`@@ -0,0 +1 @@`
				`[{"snapshotId":"snap-001","tenantId":"tenant-a","projection":{"purl":"pkg:npm/lodash@4.17.21","paths":[],"metadata":{"schemaVersion":"1.0.0","asset":{"criticality":"high","owner":"team-console","environment":"prod","exposure":["internet","pci"],"tags":{"tier":"1","service":"sample-api"}}}}}]`