product advisories update
@@ -0,0 +1,227 @@
# ADVISORY_20251229: SBOM Lineage Graph & Testing Infrastructure
## Advisory Classification
| Field | Value |
|-------|-------|
| **Advisory ID** | ADVISORY_20251229_SBOM_LINEAGE_AND_TESTING |
| **Date** | 2025-12-29 |
| **Priority** | HIGH |
| **Verdict** | **PROCEED** - High value, aligns with Stella Ops vision |
| **Existing Coverage** | ~70% architecturally designed, ~20% implemented |
## Executive Summary
The advisory proposes:
1. **SBOM Lineage Graph** - Git-like visualization with hover-to-proof UX
2. **Testing Infrastructure** - Fixture harvesting, golden tests, determinism verification
3. **Backport Detection Algorithm** - Fix rules model with distro-specific extractors
4. **VEX Lattice Tests** - Truth table verification for merge correctness
5. **Scheduler Resilience** - Chaos and load tests
6. **E2E Replayable Verdict** - Full pipeline replay verification
**Verdict:** These proposals are **highly aligned** with Stella Ops' core differentiators:
- **Determinism** (reproducible vulnerability assessments)
- **Offline-first** (air-gapped operation)
- **VEX-first decisioning** (lattice-based consensus)
- **Explainability** (proof chains and evidence)
Most of the **architecture already exists** in documentation. The gap is **implementation and test coverage**.
---
## Gap Analysis Summary
| Feature | Architecture | Implementation | Tests | Recommendation |
|---------|--------------|----------------|-------|----------------|
| SBOM Lineage Graph | 100% | 20% | 0% | **Proceed with existing sprints** |
| Testing Infrastructure | 70% | 40% | N/A | **Create FixtureHarvester** |
| Backport Status Service | 50% | 30% | 10% | **Formalize algorithm** |
| VEX Lattice Truth Tables | 100% | 60% | 10% | **Add systematic tests** |
| Scheduler Resilience | 80% | 70% | 20% | **Add chaos tests** |
| E2E Replayable Verdict | 90% | 40% | 5% | **Wire components** |
---
## Existing Infrastructure (Already in Stella Ops)
### 1. SBOM Lineage Architecture (docs/modules/sbomservice/lineage/)
**Status:** FULLY DESIGNED, NOT IMPLEMENTED
- `IOciAncestryExtractor` - Extract base image refs from OCI config
- `ISbomLineageEdgeRepository` - Persist DAG edges (parent, build, base)
- `IVexDeltaRepository` - Track status transitions
- `ISbomVerdictLinkRepository` - Link SBOM versions to VEX consensus
- `ILineageGraphService` - Query and diff lineage
- Database schema for `sbom_lineage_edges`, `vex_deltas`, `sbom_verdict_links`
- API endpoints: `GET /lineage/{digest}`, `GET /lineage/diff`, `POST /lineage/export`
### 2. Testing Infrastructure (src/__Tests/)
**Status:** PARTIAL INFRASTRUCTURE EXISTS
- `StellaOps.Testing.Determinism/` with `DeterminismVerifier`
- `StellaOps.Testing.AirGap/` with `NetworkIsolatedTestBase`
- `__Benchmarks/golden-corpus/` for canonical test cases
- `__Datasets/` for ground truth samples
- Standardized test categories (Unit, Integration, Determinism, AirGap, Chaos)
**Gap:** No `FixtureHarvester` tool, no per-fixture `meta.json` manifests
### 3. Feedser Evidence Collection (src/Feedser/)
**Status:** LIBRARY EXISTS
- `HunkSigExtractor` for patch signature extraction
- `BinaryFingerprintFactory` with TLSH and instruction hash fingerprinters
- Four-tier evidence model (Tier 1-4 confidence levels)
- Consumed by Concelier `ProofService`
### 4. VexLens Consensus (src/VexLens/)
**Status:** CORE ENGINE EXISTS
- Lattice states: `unknown < under_investigation < not_affected | affected < fixed`
- `VexConsensusEngine` for merge computation
- `OpenVexNormalizer` and `CsafVexNormalizer`
- Conflict tracking with detailed arrays
- Trust tier provenance from Excititor connectors
**Gap:** No systematic truth table tests
### 5. Replay Infrastructure (src/Replay/)
**Status:** MODELS AND SERVICE DESIGNED
- `ReplayManifest` v1/v2 schema
- `ReplayToken` generation and verification
- `PolicySimulationInputLock` for pinning
- Scanner `RecordModeService` for bundle capture
**Gap:** No `VerdictBuilder` orchestration service (Sprint CGS-001)
### 6. Concelier Advisory Ingestion (src/Concelier/)
**Status:** PRODUCTION READY
- Link-Not-Merge architecture
- Multiple connectors: CSAF (Red Hat, SUSE, Ubuntu, Oracle, Microsoft), OSV, GHSA
- Version range normalization (EVR, dpkg, apk, semver)
- Conflict detection in linksets
---
## Recommended Sprint Batch
Based on the gap analysis, the following sprints have been created:
### Batch 001 (Already Exists)
| Sprint | Topic | Status |
|--------|-------|--------|
| `SPRINT_20251229_001_001_BE_cgs_infrastructure` | Verdict Builder (CGS) | TODO |
| `SPRINT_20251229_001_002_BE_vex_delta` | VEX Delta Persistence | TODO |
| `SPRINT_20251229_001_003_FE_lineage_graph` | Lineage Visualization | TODO |
### Batch 004 (New - From This Advisory)
| Sprint | Topic | Tasks |
|--------|-------|-------|
| `SPRINT_20251229_004_001_LIB_fixture_harvester` | FixtureHarvester Tool | 10 tasks |
| `SPRINT_20251229_004_002_BE_backport_status_service` | Backport Status Retrieval | 11 tasks |
| `SPRINT_20251229_004_003_BE_vexlens_truth_tables` | VexLens Truth Table Tests | 9 tasks |
| `SPRINT_20251229_004_004_BE_scheduler_resilience` | Scheduler Chaos Tests | 8 tasks |
| `SPRINT_20251229_004_005_E2E_replayable_verdict` | E2E Replay Tests | 8 tasks |
---
## Priority Ranking
### P0 - Critical Path (Blocks Other Work)
1. **Batch 001** - CGS infrastructure and VEX delta persistence
- Required for lineage graph and replay features
- Existing sprints, well-defined tasks
2. **SPRINT_20251229_004_003_BE_vexlens_truth_tables**
- VexLens is core to the platform; truth tables validate correctness
- Low effort, high confidence gain
### P1 - High Value
3. **SPRINT_20251229_004_005_E2E_replayable_verdict**
- E2E tests catch integration issues early
- Validates the core "deterministic reproducibility" claim
4. **SPRINT_20251229_004_001_LIB_fixture_harvester**
- Enables systematic fixture management
- Supports all test categories
### P2 - Important
5. **SPRINT_20251229_004_002_BE_backport_status_service**
- Reduces false positives for distro packages
- Requires distro-specific extractors (effort)
6. **SPRINT_20251229_004_004_BE_scheduler_resilience**
- Chaos tests for production readiness
- Can be parallelized with other work
---
## Alignment with Stella Ops Vision
| Advisory Proposal | Stella Ops Principle | Alignment |
|-------------------|---------------------|-----------|
| SBOM Lineage Graph | Explainability | HIGH - "proof into explorable UX" |
| Hover-to-proof | Evidence-first | HIGH - every claim has evidence |
| Golden fixtures | Determinism | HIGH - byte-identical outputs |
| Replay bundles | Offline-first | HIGH - air-gap verification |
| Backport detection | Distro-aware | HIGH - reduces false positives |
| Lattice truth tables | VEX-first decisioning | HIGH - validates core algorithm |
| Chaos tests | Production readiness | MEDIUM - operational quality |
---
## What NOT to Implement
The advisory proposes some elements that **already exist** or are **out of scope**:
1. **Determinism harness** - Already exists as `StellaOps.Testing.Determinism/`
2. **Canonical JSON** - Already implemented across the codebase
3. **Feed parsers** - Concelier connectors already parse NVD/GHSA/OSV
4. **Merge algorithm** - VexLens already implements the lattice
---
## Success Metrics
After implementing the recommended sprints:
| Metric | Target |
|--------|--------|
| VexLens truth table coverage | 100% of merge scenarios |
| SBOM lineage API availability | Production |
| E2E replay verification | Pass on 3 platforms (Ubuntu, Alpine, Debian) |
| Scheduler chaos test coverage | Crash recovery, backpressure, idempotency |
| Fixture manifest coverage | All test fixtures have `meta.json` |
| Backport detection accuracy | >90% on Debian/Alpine packages |
---
## Related Documentation
- `docs/modules/sbomservice/lineage/architecture.md`
- `docs/modules/vex-lens/architecture.md`
- `docs/modules/feedser/architecture.md`
- `docs/modules/replay/architecture.md`
- `src/__Tests/AGENTS.md`
## Created Sprints
- `docs/implplan/SPRINT_20251229_004_001_LIB_fixture_harvester.md`
- `docs/implplan/SPRINT_20251229_004_002_BE_backport_status_service.md`
- `docs/implplan/SPRINT_20251229_004_003_BE_vexlens_truth_tables.md`
- `docs/implplan/SPRINT_20251229_004_004_BE_scheduler_resilience.md`
- `docs/implplan/SPRINT_20251229_004_005_E2E_replayable_verdict.md`
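Review bot: the lattice line under "4. VexLens Consensus", `unknown < under_investigation < not_affected | affected < fixed`, leaves the partial order ambiguous at exactly the point the P0 truth-table sprint (`SPRINT_20251229_004_003_BE_vexlens_truth_tables`) depends on: `|` reads as "either", so it is unclear whether `not_affected` and `affected` are incomparable (a conflict to be recorded in the "detailed arrays" mentioned two lines later) or ranked, and whether `fixed` dominates `not_affected` as well as `affected`. Suggest stating the order as explicit comparable pairs and naming the join of `not_affected` and `affected`, or pointing at the definition in `docs/modules/vex-lens/architecture.md`, so the Success Metrics target "100% of merge scenarios" has an enumerable scenario set. Related: the target ">90% on Debian/Alpine packages" for backport detection does not say what ground truth the accuracy is measured against; naming the `__Datasets/` samples or the per-fixture `meta.json` manifests as the reference set would make the metric verifiable.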