Rename Vexer to Excititor
@@ -37,7 +37,7 @@ It **absorbs** all content from `components.md` so you have a single, authoritat
| **Scanner.Sbomer.BuildXPlugin** | `stellaops/sbom-indexer` | BuildKit **generator** for build‑time SBOMs as OCI **referrers**. | CI‑side; ephemeral. |
| **Scanner.Sbomer.DockerImage** | `stellaops/scanner-cli` | CLI‑orchestrated scanner container for post‑build scans. | Local/CI; ephemeral. |
| **Feedser.WebService** | `stellaops/feedser-web` | Vulnerability ingest/normalize/merge/export (JSON + Trivy DB). | HA via Mongo locks. |
| **Vexer.WebService** | `stellaops/vexer-web` | VEX ingest/normalize/consensus; conflict retention; exports. | HA via Mongo locks. |
| **Excititor.WebService** | `stellaops/excititor-web` | VEX ingest/normalize/consensus; conflict retention; exports. | HA via Mongo locks. |
| **Policy Engine** | (in `scanner-web`) | YAML DSL evaluator (waivers, vendor preferences, KEV/EPSS, license, usage‑gating); produces **policy digest**. | In‑process; cache per digest. |
| **Signer** | `stellaops/signer` | **Hard gate:** validates entitlement + release integrity; mints signing cert (Fulcio keyless) or uses KMS; signs DSSE. | Stateless; HPA by QPS. |
| **Attestor** | `stellaops/attestor` | Posts DSSE bundles to **Rekor v2**; verification endpoints. | Stateless; HPA by QPS. |
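Review bot: this row changes both the display name and the image reference (`stellaops/vexer-web` to `stellaops/excititor-web`), so the table now describes an image that has to exist under the new name in the registry; if the old tag is not kept published as an alias during the cutover, anyone deploying from this doc against a registry that only has the old name will pull a non-existent image. Suggest a short deprecation remark next to the row, or confirming in the commit description that both tags are published until the rename lands everywhere. The hunk header also says this table absorbs `components.md`, so that file needs the same rename or the two sources will disagree.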
@@ -72,7 +72,7 @@ flowchart LR
SW[Scanner.WebService]
WK[Scanner.Worker xN]
FEED[Feedser]
VEX[Vexer]
VEX[Excititor]
POL[Policy Engine (in Scanner.Web)]
SGN[Signer\n(entitlement + signing)]
ATT[Attestor\n(Rekor v2 submit/verify)]
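Review bot: only the node label changes here (`VEX[Vexer]` to `VEX[Excititor]`) while the node id `VEX` is kept, so the edges that reference it elsewhere in the flowchart keep resolving and the diagram still renders. The hunk shows none of those edges, though, so a grep for `Vexer` in the rest of this `flowchart LR` block (edge labels, subgraph titles) is the cheap way to confirm the rename is complete in the diagram rather than only in the node list.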
@@ -182,7 +182,7 @@ LS --> IA: PoE (mTLS client cert or JWT with cnf=K_inst), CRL/OCSP/introspect
* Ingests vendor, distro, OSS feeds; normalizes & merges; persists canonical advisories in Mongo; exports **deterministic JSON** and **Trivy DB**.
* Offline kit bundles for air‑gapped sites.

### 4.2 Vexer (VEX)
### 4.2 Excititor (VEX)

* Ingests **OpenVEX / CSAF VEX / CycloneDX VEX**; normalizes claims; retains conflicts; computes **consensus** with provider trust weights and justification gates.
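Review bot: renaming the heading changes its generated anchor (the `4.2 Vexer (VEX)` slug becomes a `4.2 Excititor (VEX)` slug, exact form depending on the renderer), so any table-of-contents entry or cross-document link that targets the old anchor now silently lands at the top of the page. Suggest grepping the docs for links to the old heading and updating them in the same commit; the 4.2 bullet text itself is unchanged, so nothing else in this hunk needs review.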
@@ -195,7 +195,7 @@ LS --> IA: PoE (mTLS client cert or JWT with cnf=K_inst), CRL/OCSP/introspect
### 4.4 PASS/FAIL flow

1. SBOM (Inventory / Usage) → join with **Feedser** advisories.
2. Apply **Vexer** consensus (statuses & justifications).
2. Apply **Excititor** consensus (statuses & justifications).
3. Apply **Policy**; compute PASS/FAIL with waiver TTLs.
4. Sign the **final report** (DSSE via **Signer**) and log to **Rekor v2** via **Attestor**.
@@ -350,8 +350,8 @@ services:
deploy: { replicas: 4 }
depends_on: [scanner-web]
feedser: { image: stellaops/feedser-web, depends_on: [mongo] }
vexer: { image: stellaops/vexer-web, depends_on: [mongo] }
ui: { image: stellaops/ui, depends_on: [scanner-web, feedser, vexer] }
excititor: { image: stellaops/excititor-web, depends_on: [mongo] }
ui: { image: stellaops/ui, depends_on: [scanner-web, feedser, excititor] }
```

* **Backups:** Mongo dumps; MinIO versioned buckets & replication; Rekor v2 DB snapshots; JWKS/Fulcio/KMS key rotation.
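Review bot: the compose service key changes from `vexer` to `excititor`, which also changes the hostname other containers resolve on the compose network, yet the hunk only updates `ui`'s `depends_on`. Any service or config that still addresses the old hostname (the PASS/FAIL flow in this same doc has `scanner-web` consuming VEX consensus, so it is the likely consumer) will fail name resolution after the rename. Suggest either updating those references in the same commit or adding a transitional alias on the renamed service, e.g. `excititor: { image: stellaops/excititor-web, depends_on: [mongo], networks: { default: { aliases: [vexer] } } }`, so existing configs keep working during the cutover and the alias can be dropped once nothing resolves `vexer` any more.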
@@ -373,7 +373,7 @@ services:
* M2: Buildx generator certified flows; cross‑registry trust policies.
* M3: Patch‑Presence plugin (signature‑based backport detection), opt‑in.
* M3: Zastava Admission control GA with policy presets and dry‑run→enforce stages.
* Continuous: Policy UX (waiver TTLs, vendor rules), Vexer connectors expansion.
* Continuous: Policy UX (waiver TTLs, vendor rules), Excititor connectors expansion.

---