feat: Add DigestUpsertRequest and LockEntity models
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil. - Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt. feat: Implement ILockRepository interface and LockRepository class - Defined ILockRepository interface with methods for acquiring and releasing locks. - Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations. feat: Add SurfaceManifestPointer record for manifest pointers - Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest. feat: Create PolicySimulationInputLock and related validation logic - Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests. - Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements. test: Add unit tests for ReplayVerificationService and ReplayVerifier - Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios. - Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic. test: Implement PolicySimulationInputLockValidatorTests - Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions. chore: Add cosign key example and signing scripts - Included a placeholder cosign key example for development purposes. - Added a script for signing Signals artifacts using cosign with support for both v2 and v3. chore: Create script for uploading evidence to the evidence locker - Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
This commit is contained in:
StellaOps Bot
70
docs/modules/scanner/design/standards-convergence-roadmap.md
Normal file
70
docs/modules/scanner/design/standards-convergence-roadmap.md
Normal file
@@ -0,0 +1,70 @@
|
||||
# Scanner Standards Convergence Roadmap (SC1)
|
||||
|
||||
## Purpose
|
||||
Define the concrete steps for adopting CVSS v4.0, CycloneDX 1.7 (incl. CBOM), and SLSA 1.2 across Scanner surfaces while keeping outputs deterministic and downgrade-friendly.
|
||||
|
||||
## Scope
|
||||
- Scanner WebService + Worker + Replay bundles.
|
||||
- Surface contracts, CLI outputs, and CAS artifacts.
|
||||
- Downgrade adapters to CVSS v3.1, CDX 1.6, SLSA 1.0 (see SC4).
|
||||
|
||||
## Deliverables (tie to SC tasks)
|
||||
- SC1: Roadmap with milestones, owners, and schema bump governance.
|
||||
- SC2: Deterministic CDX 1.7 + CBOM contract (fields, ordering, evidence citations).
|
||||
- SC3: SLSA Source Track capture fields for replay bundles (build-id, repo refs, provenance hooks).
|
||||
- SC4: Mapping tables for downgrade adapters; deterministic mapping rules and hashes.
|
||||
- SC5/SC8: Fixture set + determinism CI (stable ordering, seeded RNG, golden hashes).
|
||||
- SC6: Binary ↔ source evidence alignment requirements (build-id, symbols, patch oracle) feeding policy/VEX.
|
||||
- SC7: API/UI surfacing contract (filters, columns, pagination defaults) with deterministic ordering.
|
||||
- SC9: Governance/RACI for schema bumps and adapter tables.
|
||||
- SC10: Offline-kit parity: DSSE-signed schemas/mappings/fixtures, frozen bundle.
|
||||
|
||||
## Contracts & owners (v0.1)
|
||||
- Schema leads: Scanner Guild (CDX 1.7/CBOM), Sbomer Guild (mapping), Policy Guild (severity/vectors), Ops Guild (offline kit).
|
||||
- Canonical CDX 1.7/CBOM fields (min set):
|
||||
- `metadata/component` (purl, hashes, evidence refs),
|
||||
- `services` with CBOM channels (ingress/egress),
|
||||
- `vulnerabilities[*].ratings[]` must carry CVSS v4 and v3.1 side-by-side; deterministic order: v4 first, then v3.1.
|
||||
- Evidence citations: `properties["evidence:source"]`, `properties["evidence:proof-id"]`, `properties["evidence:hash"]`.
|
||||
- SLSA Source Track (SC3):
|
||||
- replay bundle fields: `source.repo`, `source.ref`, `build.id`, `build.invocation.hash`, `provenance.dsse` (hash), all required.
|
||||
- Deterministic ordering rules (apply across SC2/SC5/SC8):
|
||||
- sort components by `purl`, ties by `name`, then `version` (ordinal, case-insensitive);
|
||||
- vulnerabilities sorted by `id`, then `source`, then severity score desc;
|
||||
- timestamps UTC ISO-8601 without sub-ms; decimal rounding 4dp for ratios, 2dp for scores.
|
||||
- Adapter tables (SC4): mapping CSVs checked in under `docs/modules/scanner/fixtures/adapters/` with BLAKE3 + SHA256 hashes; adapters are pure, no net.
|
||||
|
||||
## Fixtures (SC5/SC8)
|
||||
- Add to `docs/modules/scanner/fixtures/cdx17-cbom/`:
|
||||
- `sample-cdx17-cbom.json` (golden), `sample-cdx16-downgraded.json`, `hashes.txt` (BLAKE3, SHA256).
|
||||
- Include CBOM ingress/egress example, CVSS v4 vector, SLSA Source Track fields, evidence properties.
|
||||
- CI step: `dotnet test` hook runs deterministic serializer + hash assertion; env `DOTNET_DISABLE_BUILTIN_GRAPH=1`, fixed `TZ=UTC`, `LC_ALL=C`.
|
||||
|
||||
## Governance (SC1/SC9)
|
||||
- Propose RACI: Product (A), Scanner TL (R), Sbomer TL (C), Policy TL (C), Ops (I).
|
||||
- Schema bump flow: draft → review → freeze → DSSE-sign schemas + fixtures → publish hash list → lock downgrade adapters.
|
||||
- Downgrade adapters cannot ship without approved mapping CSV + updated hashes.
|
||||
|
||||
## Offline (SC10)
|
||||
- Offline kit must include: schemas, adapter CSVs, fixtures, hash list, DSSE envelope, tool versions (Syft/Trivy pinned) and their hashes.
|
||||
- Bundle path: `out/offline/scanner-standards-kit-v1/`. DSSE envelope references manifest with all hashes.
|
||||
|
||||
## Milestones (proposed)
|
||||
1) Schema draft freeze (CDX 1.7/CBOM + CVSS v4 fields) — owners: Scanner Guild, due T+5d.
|
||||
2) Replay bundle field list for Source Track — owners: Scanner + Sbomer, due T+7d.
|
||||
3) Determinism harness upgrade (CI + fixtures) — owners: QA + Scanner, due T+10d.
|
||||
4) Downgrade adapter tables + hash tests — owners: Scanner, due T+12d.
|
||||
5) Offline-kit bundle update & DSSE signing — owners: Ops, due T+14d.
|
||||
|
||||
## Determinism & Offline requirements
|
||||
- Stable field ordering, culture-invariant formatting, UTC ISO-8601 timestamps.
|
||||
- No network calls during conversion/adapters; fixed seeds for any RNG.
|
||||
- All schemas/adapters/fixtures shipped in offline kit with DSSE envelope and recorded hashes.
|
||||
|
||||
## Open Items
|
||||
- Confirm CBOM section subset required for policy engine (ingredients vs evidence-only).
|
||||
- Decide default CVSS v4 vector precision and rounding rules.
|
||||
|
||||
## Links
|
||||
- Sprint: `docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md` (tasks SC1–SC10)
|
||||
- Advisory: `docs/product-advisories/31-Nov-2025 FINDINGS.md`
|
||||
Reference in New Issue
Block a user