Remove global.json and add extensive documentation for SBOM-first supply chain spine, diff-aware releases, binary intelligence graph, reachability proofs, smart-diff evidence, risk budget visualization, and weighted confidence for VEX sources. Introduce solution file for Concelier web service project.
This commit is contained in:
StellaOps Bot
@@ -0,0 +1,61 @@
|
||||
Here’s a tight, practical pattern you can lift for Stella Ops: **make exceptions first‑class, auditable objects** and **gate releases on risk deltas (diff‑aware checks)**—mirroring what top scanners do, but with stronger evidence and auto‑revalidation.
|
||||
|
||||
### 1) Exceptions as auditable objects
|
||||
|
||||
Competitor cues
|
||||
|
||||
* **Snyk** lets users ignore issues with a required reason and optional expiry (UI/CLI; `.snyk` policy). Ignored items can auto‑resurface when a fix exists. ([Snyk User Docs][1])
|
||||
* **Anchore** models **policy allowlists** (named sets of exceptions) applied during evaluation/mapping. ([Anchore Documentation][2])
|
||||
* **Prisma Cloud** supports vulnerability rules/CVE exceptions to soften or block findings. ([Prisma Cloud][3])
|
||||
|
||||
What to ship (Stella Ops)
|
||||
|
||||
* **Exception entity**: `{scope, subject(CVE/pkg/path), reason(text), evidenceRefs[], createdBy, createdAt, expiresAt?, policyBinding, signature}`
|
||||
* **Signed rationale + evidence**: require a justification plus **linked proofs** (attestation IDs, VEX note, reachability subgraph slice). Store as an **OCI‑attached attestation** to the SBOM/VEX artifact.
|
||||
* **Auto‑expiry & revalidation gates**: scheduler re‑tests on expiry or when feeds mark “fix available / EPSS ↑ / reachability ↑”; on failure, **flip gate to “needs re‑review”** and notify.
|
||||
* **Audit view**: timeline of exception lifecycle; show who/why, evidence, and re‑checks; exportable as an “audit pack.”
|
||||
* **Policy hooks**: “allow only if: reason ∧ evidence present ∧ max TTL ≤ X ∧ owner = team‑Y.”
|
||||
* **Inheritance**: repo→image→env scoping with explicit shadowing (surface conflicts).
|
||||
|
||||
### 2) Diff‑aware release gates (“delta verdicts”)
|
||||
|
||||
Competitor cues
|
||||
|
||||
* **Snyk PR Checks** scan *changes* and gate merges with a severity threshold; results show issue diffs per PR. ([Snyk User Docs][4])
|
||||
|
||||
What to ship (Stella Ops)
|
||||
|
||||
* **Graph deltas**: on each commit/image, compute `Δ(SBOM graph, reachability graph, VEX claims)`.
|
||||
* **Delta verdict** (signed, replayable): `PASS | WARN | FAIL` + **proof links** to:
|
||||
|
||||
* attestation bundle (in‑toto/DSSE),
|
||||
* **reachability subgraph** showing new execution paths to vulnerable symbols,
|
||||
* policy evaluation trace.
|
||||
* **Side‑by‑side UI**: “before vs after” risks; highlight *newly reachable* vulns and *fixed/mitigated* ones; one‑click **Create Exception** (enforces reason+evidence+TTL).
|
||||
* **Enforcement knobs**: per‑branch/env risk budgets; fail if `unknowns > N` or if any exception lacks evidence/TTL.
|
||||
* **Supply chain scope**: run the same gate on base‑image bumps and dependency updates.
|
||||
|
||||
### Minimal data model (sketch)
|
||||
|
||||
* `Exception`: id, scope, subject, reason, evidenceRefs[], ttl, status, sig.
|
||||
* `DeltaVerdict`: id, baseRef, headRef, changes[], policyOutcome, proofs[], sig.
|
||||
* `Proof`: type(`attestation|reachability|vex|log`), uri, hash.
|
||||
|
||||
### CLI / API ergonomics (examples)
|
||||
|
||||
* `stella exception create --cve CVE-2025-1234 --scope image:repo/app:tag --reason "Feature disabled" --evidence att:sha256:… --ttl 30d`
|
||||
* `stella verify delta --from abc123 --to def456 --policy prod.json --print-proofs`
|
||||
|
||||
### Guardrails out of the box
|
||||
|
||||
* **No silent ignores**: exceptions are visible in results (action changes, not deletion)—same spirit as Anchore. ([Anchore Documentation][2])
|
||||
* **Resurface on fix**: if a fix exists, force re‑review (parity with Snyk behavior). ([Snyk User Docs][1])
|
||||
* **Rule‑based blocking**: allow “hard/soft fail” like Prisma enforcement. ([Prisma Cloud][5])
|
||||
|
||||
If you want, I can turn this into a short product spec (API + UI wireframe + policy snippets) tailored to your Stella Ops modules (Policy Engine, Vexer, Attestor).
|
||||
|
||||
[1]: https://docs.snyk.io/manage-risk/prioritize-issues-for-fixing/ignore-issues?utm_source=chatgpt.com "Ignore issues | Snyk User Docs"
|
||||
[2]: https://docs.anchore.com/current/docs/overview/concepts/policy/policies/?utm_source=chatgpt.com "Policies and Evaluation"
|
||||
[3]: https://docs.prismacloud.io/en/compute-edition/22-12/admin-guide/vulnerability-management/configure-vuln-management-rules?utm_source=chatgpt.com "Vulnerability management rules - Prisma Cloud Documentation"
|
||||
[4]: https://docs.snyk.io/scan-with-snyk/pull-requests/pull-request-checks?utm_source=chatgpt.com "Pull Request checks | Snyk User Docs"
|
||||
[5]: https://docs.prismacloud.io/en/enterprise-edition/content-collections/application-security/risk-management/monitor-and-manage-code-build/enforcement?utm_source=chatgpt.com "Enforcement - Prisma Cloud Documentation"
|
||||
Reference in New Issue
Block a user