save checkpoint

This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions

@@ -0,0 +1,43 @@
# Derivative Distro Mapping for Backport Detection
## Module
Scanner
## Status
VERIFIED
## Description
Cross-distro OVAL/CSAF mapping that enables fetching backport rules from derivative distros (RHEL->Alma/Rocky/CentOS, Ubuntu->LinuxMint/Pop!_OS, Debian->Ubuntu) with confidence penalty multipliers (0.95x for same-major, 0.80x for cross-family).
## Implementation Details
- **Pedigree & Backport Evidence**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/FeedserPedigreeDataProvider.cs` - Provides pedigree data with cross-distro backport rules
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/CycloneDxPedigreeMapper.cs` - Maps pedigree data including derivative distro mappings
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/PatchInfoBuilder.cs` - Builds patch info with backport detection data
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/PedigreeNotesGenerator.cs` - Generates pedigree notes with confidence levels
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/IPedigreeDataProvider.cs` - Interface
- **Version Comparison Evidence**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/VersionComparisonEvidence.cs` - Version comparison evidence for backport detection
- `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/DeltaSignatureEvidence.cs` - Delta signature evidence
- `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/EvidenceBundle.cs` - Evidence bundle model
- **VEX Gate Integration**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateService.cs` - VEX gate service considering backport status
- `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGatePolicyEvaluator.cs` - Policy evaluator with backport awareness
## E2E Test Plan
- [ ] Scan an AlmaLinux image and verify backport rules are fetched from RHEL OVAL data with 0.95x confidence
- [ ] Scan a Linux Mint image and verify backport rules map from Ubuntu with appropriate confidence penalty
- [ ] Verify cross-family mapping (e.g., Debian rules applied to Ubuntu) uses 0.80x confidence multiplier
- [ ] Verify pedigree output includes derivative distro source attribution
- [ ] Verify backport evidence reduces false positive vulnerability counts for patched packages
---
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |
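Review bot: the status block and the test plan contradict each other: "## Status" says VERIFIED and the table reports "Tier 2 - Integration tests | PASS", yet every item under "## E2E Test Plan" is still an unchecked `- [ ]`. Either tick the items that the Tier 2 run actually covered or mark the status as pending until the E2E items are executed; as written a reader cannot tell which of the five scenarios was exercised. Second, the multiplier rule is ambiguous for the Debian->Ubuntu case: the Description lists it beside the RHEL->Alma and Ubuntu->LinuxMint mappings (which the test plan treats as 0.95x same-major), while the third test item calls "Debian rules applied to Ubuntu" cross-family at 0.80x. State the rule explicitly, e.g. "same-major applies only when the derivative rebuilds the source distro's package set unchanged; Debian->Ubuntu is cross-family", so `FeedserPedigreeDataProvider.cs` and the tests agree on which multiplier is selected. Third, the test plan only checks that backport evidence "reduces false positive vulnerability counts"; the failure mode that matters for a scanner is the opposite one, a derivative that has not yet rebuilt the fixed package being reported as patched because the upstream distro's OVAL rule matched. Add a negative test item along the lines of "Verify that a derivative package whose version predates the upstream fix is not marked patched, regardless of the multiplier", and document in the Implementation Details which component performs that version check (VersionComparisonEvidence.cs is listed, but the description does not say it gates the mapping).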