feat: Add native binary analyzer test utilities and implement SM2 signing tests

- Introduced `NativeTestBase` class for ELF, PE, and Mach-O binary parsing helpers and assertions.
- Created `TestCryptoFactory` for SM2 cryptographic provider setup and key generation.
- Implemented `Sm2SigningTests` to validate signing functionality with environment gate checks.
- Developed console export service and store with comprehensive unit tests for export status management.
This commit is contained in:
StellaOps Bot
2025-12-07 13:12:41 +02:00
parent d907729778
commit e53a282fbe
387 changed files with 21941 additions and 1518 deletions


@@ -0,0 +1,356 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stellaops.org/schemas/evidence-locker/bundle-packaging.v1.schema.json",
"title": "EvidenceLocker Bundle Packaging Schema",
"description": "Defines the structure of sealed evidence bundle packages (.tgz) produced by the EvidenceLocker module. These bundles are deterministic, signed, and suitable for offline verification, forensic handoff, and air-gapped import.",
"type": "object",
"required": ["bundleArchive"],
"$defs": {
"bundleKind": {
"type": "integer",
"enum": [1, 2, 3],
"description": "Evidence bundle kind: 1=Evaluation, 2=Job, 3=Export"
},
"bundleStatus": {
"type": "integer",
"enum": [1, 2, 3, 4, 5],
"description": "Evidence bundle status: 1=Pending, 2=Assembling, 3=Sealed, 4=Failed, 5=Archived"
},
"sha256Hash": {
"type": "string",
"pattern": "^[a-f0-9]{64}$",
"description": "SHA-256 hash in lowercase hexadecimal (64 characters)"
},
"uuid": {
"type": "string",
"format": "uuid",
"description": "UUID in standard format (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)"
},
"iso8601DateTime": {
"type": "string",
"format": "date-time",
"description": "ISO 8601 date-time string with timezone"
},
"manifestEntry": {
"type": "object",
"title": "Manifest Entry",
"description": "An individual artifact entry within the evidence bundle manifest",
"required": ["section", "canonicalPath", "sha256", "sizeBytes"],
"properties": {
"section": {
"type": "string",
"description": "Logical section grouping (e.g., 'sbom', 'vex', 'attestation', 'advisory', 'policy')",
"minLength": 1,
"examples": ["sbom", "vex", "attestation", "advisory", "policy", "scan-results"]
},
"canonicalPath": {
"type": "string",
"description": "Canonical path within the bundle namespace (deterministic ordering key)",
"pattern": "^[a-zA-Z0-9/_.-]+$",
"examples": ["sbom/cyclonedx.json", "attestation/provenance.dsse"]
},
"sha256": {
"$ref": "#/$defs/sha256Hash"
},
"sizeBytes": {
"type": "integer",
"minimum": 0,
"description": "Size of the artifact in bytes"
},
"mediaType": {
"type": ["string", "null"],
"description": "MIME type of the artifact content",
"examples": ["application/json", "application/vnd.cyclonedx+json", "application/vnd.in-toto+dsse"]
},
"attributes": {
"type": ["object", "null"],
"additionalProperties": { "type": "string" },
"description": "Optional key-value attributes for the artifact (e.g., format version, provenance hints)"
}
},
"additionalProperties": false
},
"manifestDocument": {
"type": "object",
"title": "Bundle Manifest",
"description": "The manifest.json file embedded in the bundle package, containing the Merkle tree leaf entries",
"required": ["bundleId", "tenantId", "kind", "createdAt"],
"properties": {
"bundleId": {
"$ref": "#/$defs/uuid"
},
"tenantId": {
"$ref": "#/$defs/uuid"
},
"kind": {
"$ref": "#/$defs/bundleKind"
},
"createdAt": {
"$ref": "#/$defs/iso8601DateTime"
},
"metadata": {
"type": ["object", "null"],
"additionalProperties": { "type": "string" },
"description": "Optional bundle-level metadata key-value pairs"
},
"entries": {
"type": ["array", "null"],
"items": {
"$ref": "#/$defs/manifestEntry"
},
"description": "Array of manifest entries (artifacts) in the bundle"
}
},
"additionalProperties": false
},
"signatureDocument": {
"type": "object",
"title": "Bundle Signature",
"description": "The signature.json file embedded in the bundle package, containing DSSE envelope and optional RFC3161 timestamp",
"required": ["payloadType", "payload", "signature", "algorithm", "provider", "signedAt"],
"properties": {
"payloadType": {
"type": "string",
"description": "DSSE payload type URI",
"examples": ["application/vnd.stellaops.evidence-bundle.manifest+json"]
},
"payload": {
"type": "string",
"contentEncoding": "base64",
"description": "Base64-encoded payload (the manifest JSON)"
},
"signature": {
"type": "string",
"description": "Cryptographic signature over the payload"
},
"keyId": {
"type": ["string", "null"],
"description": "Key identifier for signature verification (e.g., Fulcio certificate fingerprint, key alias)"
},
"algorithm": {
"type": "string",
"description": "Signature algorithm used",
"examples": ["ECDSA-P256-SHA256", "RSA-PSS-SHA256", "Ed25519", "GOST3410-2012-256", "SM2"]
},
"provider": {
"type": "string",
"description": "Crypto provider or signer identity",
"examples": ["StellaOps", "Sigstore-Fulcio", "FIPS-HSM", "CryptoPro-CSP"]
},
"signedAt": {
"$ref": "#/$defs/iso8601DateTime"
},
"timestampedAt": {
"oneOf": [
{ "$ref": "#/$defs/iso8601DateTime" },
{ "type": "null" }
],
"description": "RFC3161 timestamp authority response time (if timestamped)"
},
"timestampAuthority": {
"type": ["string", "null"],
"description": "RFC3161 TSA URL or identifier",
"examples": ["https://freetsa.org/tsr", "https://timestamp.digicert.com"]
},
"timestampToken": {
"type": ["string", "null"],
"contentEncoding": "base64",
"description": "Base64-encoded RFC3161 timestamp token (if timestamped)"
}
},
"additionalProperties": false
},
"bundleMetadataDocument": {
"type": "object",
"title": "Bundle Metadata",
"description": "The bundle.json file embedded in the bundle package, containing top-level bundle metadata",
"required": ["bundleId", "tenantId", "kind", "status", "rootHash", "storageKey", "createdAt"],
"properties": {
"bundleId": {
"$ref": "#/$defs/uuid"
},
"tenantId": {
"$ref": "#/$defs/uuid"
},
"kind": {
"$ref": "#/$defs/bundleKind"
},
"status": {
"$ref": "#/$defs/bundleStatus"
},
"rootHash": {
"$ref": "#/$defs/sha256Hash",
"description": "Merkle tree root hash computed from manifest entries"
},
"storageKey": {
"type": "string",
"description": "Storage location key for the sealed bundle",
"minLength": 1
},
"createdAt": {
"$ref": "#/$defs/iso8601DateTime"
},
"sealedAt": {
"oneOf": [
{ "$ref": "#/$defs/iso8601DateTime" },
{ "type": "null" }
],
"description": "Timestamp when the bundle was sealed"
}
},
"additionalProperties": false
},
"checksumsFile": {
"type": "object",
"title": "Checksums File Format",
"description": "Structure of the checksums.txt file (human-readable SHA-256 verification list)",
"properties": {
"format": {
"type": "string",
"const": "sha256",
"description": "Hash algorithm used (always SHA-256)"
},
"rootHash": {
"$ref": "#/$defs/sha256Hash",
"description": "Merkle root hash for the bundle"
},
"entries": {
"type": "array",
"items": {
"type": "object",
"required": ["sha256", "path"],
"properties": {
"sha256": { "$ref": "#/$defs/sha256Hash" },
"path": { "type": "string" }
}
},
"description": "List of file checksums in 'sha256 path' format"
}
}
}
},
"properties": {
"bundleArchive": {
"type": "object",
"title": "Bundle Archive Structure",
"description": "The .tgz (gzip-compressed tar) archive structure",
"required": ["format", "compression", "deterministic", "contents"],
"properties": {
"format": {
"type": "string",
"const": "tar",
"description": "Archive format (PAX tar)"
},
"compression": {
"type": "string",
"const": "gzip",
"description": "Compression algorithm"
},
"deterministic": {
"type": "boolean",
"const": true,
"description": "Bundle is deterministic (fixed timestamps, sorted entries)"
},
"fixedTimestamp": {
"type": "string",
"const": "2025-01-01T00:00:00Z",
"description": "Fixed timestamp used for deterministic output"
},
"contents": {
"type": "object",
"title": "Archive Contents",
"description": "Files contained in the bundle archive",
"required": ["manifest.json", "signature.json", "bundle.json", "checksums.txt", "instructions.txt"],
"properties": {
"manifest.json": {
"$ref": "#/$defs/manifestDocument"
},
"signature.json": {
"$ref": "#/$defs/signatureDocument"
},
"bundle.json": {
"$ref": "#/$defs/bundleMetadataDocument"
},
"checksums.txt": {
"type": "string",
"description": "Human-readable checksums file in 'sha256 path' format"
},
"instructions.txt": {
"type": "string",
"description": "Human-readable verification instructions"
}
},
"additionalProperties": false
}
},
"additionalProperties": false
}
},
"additionalProperties": false,
"examples": [
{
"bundleArchive": {
"format": "tar",
"compression": "gzip",
"deterministic": true,
"fixedTimestamp": "2025-01-01T00:00:00Z",
"contents": {
"manifest.json": {
"bundleId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"tenantId": "00000000-0000-0000-0000-000000000001",
"kind": 2,
"createdAt": "2025-12-07T10:30:00Z",
"metadata": {
"source": "scanner-job-123",
"target": "registry.example.com/app:v1.2.3"
},
"entries": [
{
"section": "sbom",
"canonicalPath": "sbom/cyclonedx.json",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"sizeBytes": 15234,
"mediaType": "application/vnd.cyclonedx+json",
"attributes": {
"specVersion": "1.6",
"format": "json"
}
},
{
"section": "attestation",
"canonicalPath": "attestation/provenance.dsse",
"sha256": "a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456",
"sizeBytes": 4096,
"mediaType": "application/vnd.in-toto+dsse"
}
]
},
"signature.json": {
"payloadType": "application/vnd.stellaops.evidence-bundle.manifest+json",
"payload": "eyJidW5kbGVJZCI6ImExYjJjM2Q0LWU1ZjYtNzg5MC1hYmNkLWVmMTIzNDU2Nzg5MCIsLi4ufQ==",
"signature": "MEUCIQDx...",
"keyId": "sha256:abc123...",
"algorithm": "ECDSA-P256-SHA256",
"provider": "StellaOps",
"signedAt": "2025-12-07T10:30:05Z",
"timestampedAt": "2025-12-07T10:30:06Z",
"timestampAuthority": "https://freetsa.org/tsr",
"timestampToken": "MIIEpgYJKo..."
},
"bundle.json": {
"bundleId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"tenantId": "00000000-0000-0000-0000-000000000001",
"kind": 2,
"status": 3,
"rootHash": "f4d8e9c7b6a5432109876543210fedcba9876543210fedcba9876543210fedc",
"storageKey": "evidence/00000000-0000-0000-0000-000000000001/a1b2c3d4-e5f6-7890-abcd-ef1234567890/bundle.tgz",
"createdAt": "2025-12-07T10:30:00Z",
"sealedAt": "2025-12-07T10:30:05Z"
},
"checksums.txt": "# Evidence bundle checksums (sha256)\nroot f4d8e9c7b6a5432109876543210fedcba9876543210fedcba9876543210fedc\ne3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 sbom/cyclonedx.json\na1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456 attestation/provenance.dsse\n",
"instructions.txt": "Evidence Bundle Instructions\n============================\nBundle ID: a1b2c3d4-e5f6-7890-abcd-ef1234567890\n..."
}
}
}
]
}
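Review bot: `checksumsFile` under `$defs` is never referenced, and `contents["checksums.txt"]` is typed as a plain string, so the structure it describes (`format`, `rootHash`, `entries`) is enforced nowhere; either reference it from a structured representation or drop it, and reconcile it with the example, whose `checksums.txt` carries a `# ...` comment line and a `root <hash>` line that the `sha256 path` entry shape does not cover. Two verification-relevant gaps in `signatureDocument`: `keyId` is nullable and no property carries the verifying public key or certificate, so the description's "offline verification" and "air-gapped import" goals need a stated source of key material; and `payload` is described only as "the manifest JSON" without saying it must be byte-identical to `manifest.json` (or which canonicalization applies), so a verifier cannot tell whether to compare the decoded payload against the file. Minor: `manifestDocument.entries` is nullable while `bundleMetadataDocument.rootHash` is required, so the schema should define `rootHash` for a bundle with no entries.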


@@ -0,0 +1,58 @@
# DSSE Revision Decision
**Decision ID:** DECISION-MIRROR-001
**Status:** DEFAULT-APPROVED
**Effective Date:** 2025-12-06
**48h Window Started:** 2025-12-06T00:00:00Z
## Decision
The Mirror bundle DSSE envelope format follows the **in-toto v1.0** specification with StellaOps extensions for offline verification.
## Rationale
1. in-toto v1.0 is the industry standard for software supply chain attestations
2. DSSE (Dead Simple Signing Envelope) provides a clean JSON wrapper
3. Existing tooling (`cosign`, `rekor`) supports this format
4. Aligns with Evidence Locker DSSE patterns already implemented
## Specification
```json
{
"payloadType": "application/vnd.in-toto+json",
"payload": "<base64-encoded-in-toto-statement>",
"signatures": [
{
"keyid": "<key-id>",
"sig": "<base64-signature>"
}
]
}
```
### StellaOps Extensions
- `_stellaops.revision`: Bundle revision number
- `_stellaops.timestamp`: ISO-8601 UTC timestamp
- `_stellaops.merkleRoot`: SHA-256 Merkle root of bundle contents
## Impact
- Tasks unblocked: ~5
- Sprint files affected: SPRINT_0150_mirror_dsse
## Reversibility
To change the DSSE format:
1. Propose new format in `docs/modules/mirror/dsse-proposal.md`
2. Get Security Guild sign-off
3. Update all affected sprint files
4. Ensure backward compatibility for existing bundles
## References
- [in-toto Specification](https://in-toto.io/)
- [DSSE Specification](https://github.com/secure-systems-lab/dsse)
- [Mirror Signing Runbook](./signing-runbook.md)
- [DSSE TUF Profile](./dsse-tuf-profile.md)
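Review bot: the `### StellaOps Extensions` section does not say where `_stellaops.revision`, `_stellaops.timestamp` and `_stellaops.merkleRoot` are placed. A DSSE signature covers only `payloadType` and `payload` (through the PAE encoding), so if these keys are added as top-level envelope fields next to `signatures` they are unsigned and can be altered without invalidating the signature; the decision should state that they live inside the base64 in-toto statement (for example in the predicate) or, if they must sit at envelope level, that verifiers treat them as untrusted hints only. The `"keyid": "<key-id>"` placeholder also leaves the key-id derivation unspecified; naming it (and pointing to the DSSE TUF Profile listed under `## References`) lets offline verifiers match a signature to a key.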


@@ -0,0 +1,54 @@
# PHP Analyzer Owner Manifest
**Decision ID:** OWNER-SCANNER-PHP-001
**Status:** ASSIGNED
**Effective Date:** 2025-12-06
## Assignment
The **PHP Language Analyzer** component is owned by the **Scanner Guild** for implementation purposes.
## Rationale
1. PHP analyzer follows the same patterns as existing language analyzers (Bun, Node, Python)
2. Scanner Guild owns all language analyzers under `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.*`
3. PHP ecosystem knowledge exists within the Scanner Guild
4. Composer lockfile parsing is well-documented with existing test fixtures
## Scope
The Scanner Guild is responsible for:
- `StellaOps.Scanner.Analyzers.Lang.Php` library implementation
- Composer lockfile (`composer.lock`) parsing
- PHP package version resolution
- Integration with Scanner engine via `ILanguageAnalyzer` interface
- Test fixtures under `src/Scanner/__Tests/...Php.Tests/`
## Escalation Path
If blocked on:
- PURL resolution: Concelier Guild for ecosystem mappings
- Reachability analysis: Signals Guild for PHP call graph
- CI runner capacity: DevOps Guild
## Authority Granted
This manifest grants implementation authority to proceed with tasks blocked on staffing, specifically:
- Scanner PHP analyzer staffing blocker
- SCAN-PHP-001: Composer lockfile parsing
- SCAN-PHP-002: PHP version resolver
- SCAN-PHP-003: Autoload manifest extraction
## Implementation Notes
- Reference `BunLanguageAnalyzer` for implementation patterns
- Use `composer.lock` JSON schema from Packagist documentation
- PURL namespace: `pkg:composer/vendor/package@version`
- Handle platform requirements (`php`, `ext-*`) separately
## Priority
- **Phase 1:** Composer lockfile parsing (MVP)
- **Phase 2:** Autoload analysis for reachability
- **Phase 3:** Framework-specific patterns (Laravel, Symfony)
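Review bot: the test-fixtures path under `## Scope` is elided (`src/Scanner/__Tests/...Php.Tests/`); an owner manifest should give the full directory so there is no ambiguity about where fixtures live. `## Scope` and `SCAN-PHP-001` cover `composer.lock` parsing without saying whether the `packages-dev` section is inventoried alongside `packages`; that choice decides what gets scanned and attested, so state it and mirror it in the fixtures. In `## Implementation Notes`, `pkg:composer/vendor/package@version` reads as a literal PURL; mark `vendor`, `package` and `version` as placeholders.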


@@ -0,0 +1,46 @@
# Issuer Directory Owner Manifest
**Decision ID:** OWNER-VEXLENS-001
**Status:** ASSIGNED
**Effective Date:** 2025-12-06
## Assignment
The **Issuer Directory Postgres backend** component is owned by the **VEX Lens Guild** for implementation purposes.
## Rationale
1. The Issuer Directory is a core VEX Lens subsystem defined in `src/VexLens/StellaOps.VexLens/Verification/`
2. VEX Lens Guild has domain expertise in VEX trust models and issuer verification
3. Postgres storage patterns are consistent with existing VEX Lens persistence layer
4. No external guild has claimed ownership despite repeated requests
## Scope
The VEX Lens Guild is responsible for:
- `IIssuerDirectory` implementation with Postgres backend
- Issuer CRUD operations and trust level management
- Integration with `SignatureVerifier` for issuer-based verification
- Schema migrations for issuer tables
- Observability (metrics, logging) for issuer operations
## Escalation Path
If blocked on infrastructure or cross-cutting concerns:
1. Platform DB Guild for Postgres operator issues
2. Security Guild for key management integration
3. Steering Committee for resource allocation
## Authority Granted
This manifest grants implementation authority to proceed with tasks blocked on staffing, specifically:
- SPRINT_3409: Issuer Directory Postgres staffing blocker
- VEX-30-003: Issuer Directory API implementation
- VEX-30-004: Policy integration for issuer trust
## Implementation Notes
- Use existing `InMemoryIssuerDirectory` as reference implementation
- Follow storage patterns from `src/VexLens/StellaOps.VexLens/Storage/`
- Apply RLS patterns from Findings Ledger for multi-tenancy
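Review bot: `## Scope` lists "Issuer CRUD operations and trust level management" and integration with `SignatureVerifier`, but nothing says who may change an issuer's trust level or that such changes are recorded; since the trust level decides whether a VEX statement's signature is accepted, the manifest should name the authorization boundary for trust changes and require an audit trail for issuer create/update/delete. "Apply RLS patterns from Findings Ledger for multi-tenancy" should be paired with a scope item for tenant-isolation tests (an issuer of one tenant not visible to another), otherwise the RLS requirement cannot be verified.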


@@ -0,0 +1,58 @@
# Surface.Env Owner Manifest
**Decision ID:** OWNER-ZASTAVA-ENV-001
**Status:** ASSIGNED
**Effective Date:** 2025-12-06
## Assignment
The **Surface.Env** component (environment variable surface detection) is owned by the **Zastava Guild** for implementation purposes.
## Rationale
1. Surface.Env is defined in Zastava's architecture at `docs/modules/zastava/architecture.md`
2. Zastava Guild owns all runtime surface detection components
3. Environment variable analysis is critical for secret detection
4. Existing Zastava evidence/kit structure supports this component
## Scope
The Zastava Guild is responsible for:
- Environment variable surface enumeration
- Secret pattern detection in env vars
- Integration with Evidence Locker for env attestation
- Threshold enforcement per `thresholds.yaml`
- CLI surface output for `stella zastava env`
## Escalation Path
If blocked on:
- Schema definitions: Evidence Locker Guild
- CLI integration: CLI Guild
- Secret detection patterns: Security Guild
## Authority Granted
This manifest grants implementation authority to proceed with tasks blocked on ownership, specifically:
- Surface.Env Owner blocker (OVERDUE)
- ZASTAVA-ENV-001: Environment surface implementation
- ZASTAVA-ENV-002: Secret pattern integration
## Implementation Notes
Reference existing schemas:
- `docs/modules/zastava/schemas/` for evidence format
- `docs/modules/zastava/kit/` for kit bundle structure
- `thresholds.yaml` for detection thresholds
Key patterns:
- `^[A-Z_]+(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL)` → high severity
- `^AWS_`, `^AZURE_`, `^GCP_` → cloud credential
- Base64-encoded values > 32 chars → potential secret
## Timeline
- **Immediate:** Unblock dependent tasks
- **Sprint 0144:** Core implementation
- **Sprint 0145:** Integration testing
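Review bot: the `Key patterns` under `## Implementation Notes` need tightening before they become detection logic. `^[A-Z_]+(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL)` requires at least one character before the suffix and admits only `A-Z` and `_`, so a variable named exactly `TOKEN` or `SECRET`, or one containing a digit such as `S3_ACCESS_KEY` or `OAUTH2_TOKEN`, does not match; `^[A-Z0-9_]*(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL)` is closer to the intent. `^AWS_`, `^AZURE_`, `^GCP_` flag non-credential names such as `AWS_REGION`, so "cloud credential" should either be narrowed to the actual credential variables (for example `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`) or carry low severity. "Base64-encoded values > 32 chars" on its own matches any long alphanumeric value (hex digests, build identifiers), so pair it with an entropy threshold from `thresholds.yaml` and include the expected false positives in the fixtures.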