stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Compare commits

base: stella-ops.org:00c41790f495206af491776d9f28d414bcbdff01
Branches Tags
stella-ops.org:main stella-ops.org:feature/docs-mdx-skeletons
...
compare: stella-ops.org:main
Branches Tags
stella-ops.org:main stella-ops.org:feature/docs-mdx-skeletons

27 Commits
00c41790f4 ... main

Author SHA1 Message Date
master
00d2c99af9 feat: add Attestation Chain and Triage Evidence API clients and models 
- Implemented Attestation Chain API client with methods for verifying, fetching, and managing attestation chains.
- Created models for Attestation Chain, including DSSE envelope structures and verification results.
- Developed Triage Evidence API client for fetching finding evidence, including methods for evidence retrieval by CVE and component.
- Added models for Triage Evidence, encapsulating evidence responses, entry points, boundary proofs, and VEX evidence.
- Introduced mock implementations for both API clients to facilitate testing and development.
 2025-12-18 13:15:13 +02:00
StellaOps Bot
7d5250238c save progress 2025-12-18 09:53:46 +02:00
StellaOps Bot
28823a8960 save progress 2025-12-18 09:10:36 +02:00
StellaOps Bot
b4235c134c work work hard work 2025-12-18 00:47:24 +02:00
master
dee252940b SPRINT_3600_0001_0001 - Reachability Drift Detection Master Plan 2025-12-18 00:02:31 +02:00
master
8bbfe4d2d2 feat(rate-limiting): Implement core rate limiting functionality with configuration, decision-making, metrics, middleware, and service registration 
- Add RateLimitConfig for configuration management with YAML binding support.
- Introduce RateLimitDecision to encapsulate the result of rate limit checks.
- Implement RateLimitMetrics for OpenTelemetry metrics tracking.
- Create RateLimitMiddleware for enforcing rate limits on incoming requests.
- Develop RateLimitService to orchestrate instance and environment rate limit checks.
- Add RateLimitServiceCollectionExtensions for dependency injection registration.
 2025-12-17 18:02:37 +02:00
master
394b57f6bf Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
2025-12-16 19:01:38 +02:00
master
3a2100aa78 Add unit and integration tests for VexCandidateEmitter and SmartDiff repositories 
- Implemented comprehensive unit tests for VexCandidateEmitter to validate candidate emission logic based on various scenarios including absent and present APIs, confidence thresholds, and rate limiting.
- Added integration tests for SmartDiff PostgreSQL repositories, covering snapshot storage and retrieval, candidate storage, and material risk change handling.
- Ensured tests validate correct behavior for storing, retrieving, and querying snapshots and candidates, including edge cases and expected outcomes.
 2025-12-16 19:00:43 +02:00
master
417ef83202 Add unit and integration tests for VexCandidateEmitter and SmartDiff repositories
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Details
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Findings Ledger CI / build-test (push) Has been cancelled
Details
Findings Ledger CI / migration-validation (push) Has been cancelled
Details
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Findings Ledger CI / generate-manifest (push) Has been cancelled
Details 
- Implemented comprehensive unit tests for VexCandidateEmitter to validate candidate emission logic based on various scenarios including absent and present APIs, confidence thresholds, and rate limiting.
- Added integration tests for SmartDiff PostgreSQL repositories, covering snapshot storage and retrieval, candidate storage, and material risk change handling.
- Ensured tests validate correct behavior for storing, retrieving, and querying snapshots and candidates, including edge cases and expected outcomes.
 2025-12-16 19:00:09 +02:00
master
2170a58734 Add comprehensive security tests for OWASP A02, A05, A07, and A08 categories
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Findings Ledger CI / build-test (push) Has been cancelled
Details
Findings Ledger CI / migration-validation (push) Has been cancelled
Details
Findings Ledger CI / generate-manifest (push) Has been cancelled
Details
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Details
Lighthouse CI / Lighthouse Audit (push) Has been cancelled
Details
Lighthouse CI / Axe Accessibility Audit (push) Has been cancelled
Details
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Details
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Details
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Details
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Policy Simulation / policy-simulate (push) Has been cancelled
Details 
- Implemented tests for Cryptographic Failures (A02) to ensure proper handling of sensitive data, secure algorithms, and key management.
- Added tests for Security Misconfiguration (A05) to validate production configurations, security headers, CORS settings, and feature management.
- Developed tests for Authentication Failures (A07) to enforce strong password policies, rate limiting, session management, and MFA support.
- Created tests for Software and Data Integrity Failures (A08) to verify artifact signatures, SBOM integrity, attestation chains, and feed updates.
 2025-12-16 16:40:44 +02:00
master
415eff1207 feat(metrics): Implement scan metrics repository and PostgreSQL integration
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details 
- Added IScanMetricsRepository interface for scan metrics persistence and retrieval.
- Implemented PostgresScanMetricsRepository for PostgreSQL database interactions, including methods for saving and retrieving scan metrics and execution phases.
- Introduced methods for obtaining TTE statistics and recent scans for tenants.
- Implemented deletion of old metrics for retention purposes.

test(tests): Add SCA Failure Catalogue tests for FC6-FC10

- Created ScaCatalogueDeterminismTests to validate determinism properties of SCA Failure Catalogue fixtures.
- Developed ScaFailureCatalogueTests to ensure correct handling of specific failure modes in the scanner.
- Included tests for manifest validation, file existence, and expected findings across multiple failure cases.

feat(telemetry): Integrate scan completion metrics into the pipeline

- Introduced IScanCompletionMetricsIntegration interface and ScanCompletionMetricsIntegration class to record metrics upon scan completion.
- Implemented proof coverage and TTE metrics recording with logging for scan completion summaries.
 2025-12-16 14:00:35 +02:00
master
b55d9fa68d Add comprehensive security tests for OWASP A03 (Injection) and A10 (SSRF)
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details 
- Implemented InjectionTests.cs to cover various injection vulnerabilities including SQL, NoSQL, Command, LDAP, and XPath injections.
- Created SsrfTests.cs to test for Server-Side Request Forgery (SSRF) vulnerabilities, including internal URL access, cloud metadata access, and URL allowlist bypass attempts.
- Introduced MaliciousPayloads.cs to store a collection of malicious payloads for testing various security vulnerabilities.
- Added SecurityAssertions.cs for common security-specific assertion helpers.
- Established SecurityTestBase.cs as a base class for security tests, providing common infrastructure and mocking utilities.
- Configured the test project StellaOps.Security.Tests.csproj with necessary dependencies for testing.
 2025-12-16 13:11:57 +02:00
master
5a480a3c2a Add call graph fixtures for various languages and scenarios
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Findings Ledger CI / build-test (push) Has been cancelled
Details
Findings Ledger CI / migration-validation (push) Has been cancelled
Details
Findings Ledger CI / generate-manifest (push) Has been cancelled
Details
Lighthouse CI / Lighthouse Audit (push) Has been cancelled
Details
Lighthouse CI / Axe Accessibility Audit (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Reachability Corpus Validation / validate-corpus (push) Has been cancelled
Details
Reachability Corpus Validation / validate-ground-truths (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
Reachability Corpus Validation / determinism-check (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details 
- Introduced `all-edge-reasons.json` to test edge resolution reasons in .NET.
- Added `all-visibility-levels.json` to validate method visibility levels in .NET.
- Created `dotnet-aspnetcore-minimal.json` for a minimal ASP.NET Core application.
- Included `go-gin-api.json` for a Go Gin API application structure.
- Added `java-spring-boot.json` for the Spring PetClinic application in Java.
- Introduced `legacy-no-schema.json` for legacy application structure without schema.
- Created `node-express-api.json` for an Express.js API application structure.
 2025-12-16 10:44:24 +02:00
master
4391f35d8a Refactor SurfaceCacheValidator to simplify oldest entry calculation 
Add global using for Xunit in test project

Enhance ImportValidatorTests with async validation and quarantine checks

Implement FileSystemQuarantineServiceTests for quarantine functionality

Add integration tests for ImportValidator to check monotonicity

Create BundleVersionTests to validate version parsing and comparison logic

Implement VersionMonotonicityCheckerTests for monotonicity checks and activation logic
 2025-12-16 10:44:00 +02:00
StellaOps Bot
b1f40945b7 up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
oas-ci / oas-validate (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
sm-remote-ci / build-and-test (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details
api-governance / spectral-lint (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
2025-12-15 09:51:11 +02:00
StellaOps Bot
41864227d2 Merge branch 'feature/agent-4601'
Some checks failed
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Details
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Details
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Details
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Lighthouse CI / Axe Accessibility Audit (push) Has been cancelled
Details
Lighthouse CI / Lighthouse Audit (push) Has been cancelled
Details
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Details
2025-12-15 09:23:33 +02:00
StellaOps Bot
8137503221 up 2025-12-15 09:23:28 +02:00
StellaOps Bot
08dab053c0 up 2025-12-15 09:18:59 +02:00
StellaOps Bot
7ce83270d0 update 2025-12-15 09:16:39 +02:00
StellaOps Bot
505fe7a885 update evidence bundle to include new evidence types and implement ProofSpine integration
Some checks failed
Lighthouse CI / Lighthouse Audit (push) Has been cancelled
Details
Lighthouse CI / Axe Accessibility Audit (push) Has been cancelled
Details
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Details
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Details
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Details
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Details
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Details
api-governance / spectral-lint (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
sm-remote-ci / build-and-test (push) Has been cancelled
Details
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Details
oas-ci / oas-validate (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Details
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
2025-12-15 09:15:30 +02:00
StellaOps Bot
0cb5c9abfb up 2025-12-15 09:15:03 +02:00
StellaOps Bot
d59cc816c1 Merge branch 'main' into HEAD 2025-12-15 09:07:59 +02:00
StellaOps Bot
8c8f0c632d update 2025-12-15 09:03:56 +02:00
StellaOps Bot
4344020dd1 update audit bundle and vex decision schemas, add keyboard shortcuts for triage 2025-12-15 09:03:36 +02:00
StellaOps Bot
b058dbe031 up 2025-12-14 23:20:14 +02:00
StellaOps Bot
3411e825cd themesd advisories enhanced 2025-12-14 21:29:44 +02:00
StellaOps Bot
9202cd7da8 themed the bulk of advisories 2025-12-14 19:58:38 +02:00
1634 changed files with 260177 additions and 3029 deletions
Expand all files Collapse all files

12
.config/dotnet-tools.json Normal file
View File

@@ -0,0 +1,12 @@
{
"version": 1,
"isRoot": true,
"tools": {
"dotnet-stryker": {
"version": "4.4.0",
"commands": [
"stryker"
]
}
}
}

203
.gitea/workflows/build-test-deploy.yml
View File

@@ -575,6 +575,209 @@ PY
if-no-files-found: ignore if-no-files-found: ignore
retention-days: 7 retention-days: 7
# ============================================================================
# Quality Gates Foundation (Sprint 0350)
# ============================================================================
quality-gates:
runs-on: ubuntu-22.04
needs: build-test
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Reachability quality gate
id: reachability
run: |
set -euo pipefail
echo "::group::Computing reachability metrics"
if [ -f scripts/ci/compute-reachability-metrics.sh ]; then
chmod +x scripts/ci/compute-reachability-metrics.sh
METRICS=$(./scripts/ci/compute-reachability-metrics.sh --dry-run 2>/dev/null || echo '{}')
echo "metrics=$METRICS" >> $GITHUB_OUTPUT
echo "Reachability metrics: $METRICS"
else
echo "Reachability script not found, skipping"
fi
echo "::endgroup::"
- name: TTFS regression gate
id: ttfs
run: |
set -euo pipefail
echo "::group::Computing TTFS metrics"
if [ -f scripts/ci/compute-ttfs-metrics.sh ]; then
chmod +x scripts/ci/compute-ttfs-metrics.sh
METRICS=$(./scripts/ci/compute-ttfs-metrics.sh --dry-run 2>/dev/null || echo '{}')
echo "metrics=$METRICS" >> $GITHUB_OUTPUT
echo "TTFS metrics: $METRICS"
else
echo "TTFS script not found, skipping"
fi
echo "::endgroup::"
- name: Performance SLO gate
id: slo
run: |
set -euo pipefail
echo "::group::Enforcing performance SLOs"
if [ -f scripts/ci/enforce-performance-slos.sh ]; then
chmod +x scripts/ci/enforce-performance-slos.sh
./scripts/ci/enforce-performance-slos.sh --warn-only || true
else
echo "Performance SLO script not found, skipping"
fi
echo "::endgroup::"
- name: RLS policy validation
id: rls
run: |
set -euo pipefail
echo "::group::Validating RLS policies"
if [ -f deploy/postgres-validation/001_validate_rls.sql ]; then
echo "RLS validation script found"
# Check that all tenant-scoped schemas have RLS enabled
SCHEMAS=("scheduler" "vex" "authority" "notify" "policy" "findings_ledger")
for schema in "${SCHEMAS[@]}"; do
echo "Checking RLS for schema: $schema"
# Validate migration files exist
if ls src/*/Migrations/*enable_rls*.sql 2>/dev/null | grep -q "$schema"; then
echo " ✓ RLS migration exists for $schema"
fi
done
echo "RLS validation passed (static check)"
else
echo "RLS validation script not found, skipping"
fi
echo "::endgroup::"
- name: Upload quality gate results
uses: actions/upload-artifact@v4
with:
name: quality-gate-results
path: |
scripts/ci/*.json
scripts/ci/*.yaml
if-no-files-found: ignore
retention-days: 14
security-testing:
runs-on: ubuntu-22.04
needs: build-test
if: github.event_name == 'pull_request' || github.event_name == 'schedule'
permissions:
contents: read
env:
DOTNET_VERSION: '10.0.100'
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Restore dependencies
run: dotnet restore tests/security/StellaOps.Security.Tests/StellaOps.Security.Tests.csproj
- name: Run OWASP security tests
run: |
set -euo pipefail
echo "::group::Running security tests"
dotnet test tests/security/StellaOps.Security.Tests/StellaOps.Security.Tests.csproj \
--no-restore \
--logger "trx;LogFileName=security-tests.trx" \
--results-directory ./security-test-results \
--filter "Category=Security" \
--verbosity normal
echo "::endgroup::"
- name: Upload security test results
uses: actions/upload-artifact@v4
if: always()
with:
name: security-test-results
path: security-test-results/
if-no-files-found: ignore
retention-days: 30
mutation-testing:
runs-on: ubuntu-22.04
needs: build-test
if: github.event_name == 'schedule' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'mutation-test'))
permissions:
contents: read
env:
DOTNET_VERSION: '10.0.100'
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Restore tools
run: dotnet tool restore
- name: Run mutation tests - Scanner.Core
id: scanner-mutation
run: |
set -euo pipefail
echo "::group::Mutation testing Scanner.Core"
cd src/Scanner/__Libraries/StellaOps.Scanner.Core
dotnet stryker --reporter json --reporter html --output ../../../mutation-results/scanner-core || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
echo "::endgroup::"
continue-on-error: true
- name: Run mutation tests - Policy.Engine
id: policy-mutation
run: |
set -euo pipefail
echo "::group::Mutation testing Policy.Engine"
cd src/Policy/__Libraries/StellaOps.Policy
dotnet stryker --reporter json --reporter html --output ../../../mutation-results/policy-engine || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
echo "::endgroup::"
continue-on-error: true
- name: Run mutation tests - Authority.Core
id: authority-mutation
run: |
set -euo pipefail
echo "::group::Mutation testing Authority.Core"
cd src/Authority/StellaOps.Authority
dotnet stryker --reporter json --reporter html --output ../../mutation-results/authority-core || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
echo "::endgroup::"
continue-on-error: true
- name: Upload mutation results
uses: actions/upload-artifact@v4
with:
name: mutation-testing-results
path: mutation-results/
if-no-files-found: ignore
retention-days: 30
- name: Check mutation thresholds
run: |
set -euo pipefail
echo "Checking mutation score thresholds..."
# Parse JSON results and check against thresholds
if [ -f "mutation-results/scanner-core/mutation-report.json" ]; then
SCORE=$(jq '.mutationScore // 0' mutation-results/scanner-core/mutation-report.json)
echo "Scanner.Core mutation score: $SCORE%"
if (( $(echo "$SCORE < 65" | bc -l) )); then
echo "::error::Scanner.Core mutation score below threshold"
fi
fi
sealed-mode-ci: sealed-mode-ci:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: build-test needs: build-test

188
.gitea/workflows/lighthouse-ci.yml Normal file
View File

@@ -0,0 +1,188 @@
# .gitea/workflows/lighthouse-ci.yml
# Lighthouse CI for performance and accessibility testing of the StellaOps Web UI
name: Lighthouse CI
on:
push:
branches: [main]
paths:
- 'src/Web/StellaOps.Web/**'
- '.gitea/workflows/lighthouse-ci.yml'
pull_request:
branches: [main, develop]
paths:
- 'src/Web/StellaOps.Web/**'
schedule:
# Run weekly on Sunday at 2 AM UTC
- cron: '0 2 * * 0'
workflow_dispatch:
env:
NODE_VERSION: '20'
LHCI_BUILD_CONTEXT__CURRENT_BRANCH: ${{ github.head_ref || github.ref_name }}
LHCI_BUILD_CONTEXT__COMMIT_SHA: ${{ github.sha }}
jobs:
lighthouse:
name: Lighthouse Audit
runs-on: ubuntu-22.04
defaults:
run:
working-directory: src/Web/StellaOps.Web
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
cache-dependency-path: src/Web/StellaOps.Web/package-lock.json
- name: Install dependencies
run: npm ci
- name: Build production bundle
run: npm run build -- --configuration production
- name: Install Lighthouse CI
run: npm install -g @lhci/cli@0.13.x
- name: Run Lighthouse CI
run: |
lhci autorun \
--collect.staticDistDir=./dist/stella-ops-web/browser \
--collect.numberOfRuns=3 \
--assert.preset=lighthouse:recommended \
--assert.assertions.categories:performance=off \
--assert.assertions.categories:accessibility=off \
--upload.target=filesystem \
--upload.outputDir=./lighthouse-results
- name: Evaluate Lighthouse Results
id: lhci-results
run: |
# Parse the latest Lighthouse report
REPORT=$(ls -t lighthouse-results/*.json | head -1)
if [ -f "$REPORT" ]; then
PERF=$(jq '.categories.performance.score * 100' "$REPORT" | cut -d. -f1)
A11Y=$(jq '.categories.accessibility.score * 100' "$REPORT" | cut -d. -f1)
BP=$(jq '.categories["best-practices"].score * 100' "$REPORT" | cut -d. -f1)
SEO=$(jq '.categories.seo.score * 100' "$REPORT" | cut -d. -f1)
echo "performance=$PERF" >> $GITHUB_OUTPUT
echo "accessibility=$A11Y" >> $GITHUB_OUTPUT
echo "best-practices=$BP" >> $GITHUB_OUTPUT
echo "seo=$SEO" >> $GITHUB_OUTPUT
echo "## Lighthouse Results" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Category | Score | Threshold | Status |" >> $GITHUB_STEP_SUMMARY
echo "|----------|-------|-----------|--------|" >> $GITHUB_STEP_SUMMARY
# Performance: target >= 90
if [ "$PERF" -ge 90 ]; then
echo "| Performance | $PERF | >= 90 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
else
echo "| Performance | $PERF | >= 90 | :warning: |" >> $GITHUB_STEP_SUMMARY
fi
# Accessibility: target >= 95
if [ "$A11Y" -ge 95 ]; then
echo "| Accessibility | $A11Y | >= 95 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
else
echo "| Accessibility | $A11Y | >= 95 | :x: |" >> $GITHUB_STEP_SUMMARY
fi
# Best Practices: target >= 90
if [ "$BP" -ge 90 ]; then
echo "| Best Practices | $BP | >= 90 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
else
echo "| Best Practices | $BP | >= 90 | :warning: |" >> $GITHUB_STEP_SUMMARY
fi
# SEO: target >= 90
if [ "$SEO" -ge 90 ]; then
echo "| SEO | $SEO | >= 90 | :white_check_mark: |" >> $GITHUB_STEP_SUMMARY
else
echo "| SEO | $SEO | >= 90 | :warning: |" >> $GITHUB_STEP_SUMMARY
fi
fi
- name: Check Quality Gates
run: |
PERF=${{ steps.lhci-results.outputs.performance }}
A11Y=${{ steps.lhci-results.outputs.accessibility }}
FAILED=0
# Performance gate (warning only, not blocking)
if [ "$PERF" -lt 90 ]; then
echo "::warning::Performance score ($PERF) is below target (90)"
fi
# Accessibility gate (blocking)
if [ "$A11Y" -lt 95 ]; then
echo "::error::Accessibility score ($A11Y) is below required threshold (95)"
FAILED=1
fi
if [ "$FAILED" -eq 1 ]; then
exit 1
fi
- name: Upload Lighthouse Reports
uses: actions/upload-artifact@v4
if: always()
with:
name: lighthouse-reports
path: src/Web/StellaOps.Web/lighthouse-results/
retention-days: 30
axe-accessibility:
name: Axe Accessibility Audit
runs-on: ubuntu-22.04
defaults:
run:
working-directory: src/Web/StellaOps.Web
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
cache-dependency-path: src/Web/StellaOps.Web/package-lock.json
- name: Install dependencies
run: npm ci
- name: Install Playwright browsers
run: npx playwright install --with-deps chromium
- name: Build production bundle
run: npm run build -- --configuration production
- name: Start preview server
run: |
npx serve -s dist/stella-ops-web/browser -l 4200 &
sleep 5
- name: Run Axe accessibility tests
run: |
npm run test:a11y || true
- name: Upload Axe results
uses: actions/upload-artifact@v4
if: always()
with:
name: axe-accessibility-results
path: src/Web/StellaOps.Web/test-results/
retention-days: 30

306
.gitea/workflows/reachability-bench.yaml Normal file
View File

@@ -0,0 +1,306 @@
name: Reachability Benchmark
# Sprint: SPRINT_3500_0003_0001
# Task: CORPUS-009 - Create Gitea workflow for reachability benchmark
# Task: CORPUS-010 - Configure nightly + per-PR benchmark runs
on:
workflow_dispatch:
inputs:
baseline_version:
description: 'Baseline version to compare against'
required: false
default: 'latest'
verbose:
description: 'Enable verbose output'
required: false
type: boolean
default: false
push:
branches: [ main ]
paths:
- 'datasets/reachability/**'
- 'src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/**'
- 'bench/reachability-benchmark/**'
- '.gitea/workflows/reachability-bench.yaml'
pull_request:
paths:
- 'datasets/reachability/**'
- 'src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/**'
- 'bench/reachability-benchmark/**'
schedule:
# Nightly at 02:00 UTC
- cron: '0 2 * * *'
jobs:
benchmark:
runs-on: ubuntu-22.04
env:
DOTNET_NOLOGO: 1
DOTNET_CLI_TELEMETRY_OPTOUT: 1
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1
TZ: UTC
STELLAOPS_OFFLINE: 'true'
STELLAOPS_DETERMINISTIC: 'true'
outputs:
precision: ${{ steps.metrics.outputs.precision }}
recall: ${{ steps.metrics.outputs.recall }}
f1: ${{ steps.metrics.outputs.f1 }}
pr_auc: ${{ steps.metrics.outputs.pr_auc }}
regression: ${{ steps.compare.outputs.regression }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup .NET 10
uses: actions/setup-dotnet@v4
with:
dotnet-version: 10.0.100
include-prerelease: true
- name: Cache NuGet packages
uses: actions/cache@v4
with:
path: ~/.nuget/packages
key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
restore-keys: |
${{ runner.os }}-nuget-
- name: Restore benchmark project
run: |
dotnet restore src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/StellaOps.Scanner.Benchmarks.csproj \
--configfile nuget.config
- name: Build benchmark project
run: |
dotnet build src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/StellaOps.Scanner.Benchmarks.csproj \
-c Release \
--no-restore
- name: Validate corpus integrity
run: |
echo "::group::Validating corpus index"
if [ ! -f datasets/reachability/corpus.json ]; then
echo "::error::corpus.json not found"
exit 1
fi
python3 -c "import json; data = json.load(open('datasets/reachability/corpus.json')); print(f'Corpus contains {len(data.get(\"samples\", []))} samples')"
echo "::endgroup::"
- name: Run benchmark
id: benchmark
run: |
echo "::group::Running reachability benchmark"
mkdir -p bench/results
# Run the corpus benchmark
dotnet run \
--project src/Scanner/__Libraries/StellaOps.Scanner.Benchmarks/StellaOps.Scanner.Benchmarks.csproj \
-c Release \
--no-build \
-- corpus run \
--corpus datasets/reachability/corpus.json \
--output bench/results/benchmark-${{ github.sha }}.json \
--format json \
${{ inputs.verbose == 'true' && '--verbose' || '' }}
echo "::endgroup::"
- name: Extract metrics
id: metrics
run: |
echo "::group::Extracting metrics"
RESULT_FILE="bench/results/benchmark-${{ github.sha }}.json"
if [ -f "$RESULT_FILE" ]; then
PRECISION=$(jq -r '.metrics.precision // 0' "$RESULT_FILE")
RECALL=$(jq -r '.metrics.recall // 0' "$RESULT_FILE")
F1=$(jq -r '.metrics.f1 // 0' "$RESULT_FILE")
PR_AUC=$(jq -r '.metrics.pr_auc // 0' "$RESULT_FILE")
echo "precision=$PRECISION" >> $GITHUB_OUTPUT
echo "recall=$RECALL" >> $GITHUB_OUTPUT
echo "f1=$F1" >> $GITHUB_OUTPUT
echo "pr_auc=$PR_AUC" >> $GITHUB_OUTPUT
echo "Precision: $PRECISION"
echo "Recall: $RECALL"
echo "F1: $F1"
echo "PR-AUC: $PR_AUC"
else
echo "::error::Benchmark result file not found"
exit 1
fi
echo "::endgroup::"
- name: Get baseline
id: baseline
run: |
echo "::group::Loading baseline"
BASELINE_VERSION="${{ inputs.baseline_version || 'latest' }}"
if [ "$BASELINE_VERSION" = "latest" ]; then
BASELINE_FILE=$(ls -t bench/baselines/*.json 2>/dev/null | head -1)
else
BASELINE_FILE="bench/baselines/$BASELINE_VERSION.json"
fi
if [ -f "$BASELINE_FILE" ]; then
echo "baseline_file=$BASELINE_FILE" >> $GITHUB_OUTPUT
echo "Using baseline: $BASELINE_FILE"
else
echo "::warning::No baseline found, skipping comparison"
echo "baseline_file=" >> $GITHUB_OUTPUT
fi
echo "::endgroup::"
- name: Compare to baseline
id: compare
if: steps.baseline.outputs.baseline_file != ''
run: |
echo "::group::Comparing to baseline"
BASELINE_FILE="${{ steps.baseline.outputs.baseline_file }}"
RESULT_FILE="bench/results/benchmark-${{ github.sha }}.json"
# Extract baseline metrics
BASELINE_PRECISION=$(jq -r '.metrics.precision // 0' "$BASELINE_FILE")
BASELINE_RECALL=$(jq -r '.metrics.recall // 0' "$BASELINE_FILE")
BASELINE_PR_AUC=$(jq -r '.metrics.pr_auc // 0' "$BASELINE_FILE")
# Extract current metrics
CURRENT_PRECISION=$(jq -r '.metrics.precision // 0' "$RESULT_FILE")
CURRENT_RECALL=$(jq -r '.metrics.recall // 0' "$RESULT_FILE")
CURRENT_PR_AUC=$(jq -r '.metrics.pr_auc // 0' "$RESULT_FILE")
# Calculate deltas
PRECISION_DELTA=$(echo "$CURRENT_PRECISION - $BASELINE_PRECISION" | bc -l)
RECALL_DELTA=$(echo "$CURRENT_RECALL - $BASELINE_RECALL" | bc -l)
PR_AUC_DELTA=$(echo "$CURRENT_PR_AUC - $BASELINE_PR_AUC" | bc -l)
echo "Precision delta: $PRECISION_DELTA"
echo "Recall delta: $RECALL_DELTA"
echo "PR-AUC delta: $PR_AUC_DELTA"
# Check for regression (PR-AUC drop > 2%)
REGRESSION_THRESHOLD=-0.02
if (( $(echo "$PR_AUC_DELTA < $REGRESSION_THRESHOLD" | bc -l) )); then
echo "::error::PR-AUC regression detected: $PR_AUC_DELTA (threshold: $REGRESSION_THRESHOLD)"
echo "regression=true" >> $GITHUB_OUTPUT
else
echo "regression=false" >> $GITHUB_OUTPUT
fi
echo "::endgroup::"
- name: Generate markdown report
run: |
echo "::group::Generating report"
RESULT_FILE="bench/results/benchmark-${{ github.sha }}.json"
REPORT_FILE="bench/results/benchmark-${{ github.sha }}.md"
cat > "$REPORT_FILE" << 'EOF'
# Reachability Benchmark Report
**Commit:** ${{ github.sha }}
**Run:** ${{ github.run_number }}
**Date:** $(date -u +"%Y-%m-%dT%H:%M:%SZ")
## Metrics
| Metric | Value |
|--------|-------|
| Precision | ${{ steps.metrics.outputs.precision }} |
| Recall | ${{ steps.metrics.outputs.recall }} |
| F1 Score | ${{ steps.metrics.outputs.f1 }} |
| PR-AUC | ${{ steps.metrics.outputs.pr_auc }} |
## Comparison
${{ steps.compare.outputs.regression == 'true' && '⚠️ **REGRESSION DETECTED**' || '✅ No regression' }}
EOF
echo "Report generated: $REPORT_FILE"
echo "::endgroup::"
- name: Upload results
uses: actions/upload-artifact@v4
with:
name: benchmark-results-${{ github.sha }}
path: |
bench/results/benchmark-${{ github.sha }}.json
bench/results/benchmark-${{ github.sha }}.md
retention-days: 90
- name: Fail on regression
if: steps.compare.outputs.regression == 'true' && github.event_name == 'pull_request'
run: |
echo "::error::Benchmark regression detected. PR-AUC dropped below threshold."
exit 1
update-baseline:
needs: benchmark
if: github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.benchmark.outputs.regression != 'true'
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Download results
uses: actions/download-artifact@v4
with:
name: benchmark-results-${{ github.sha }}
path: bench/results/
- name: Update baseline (nightly only)
if: github.event_name == 'schedule'
run: |
DATE=$(date +%Y%m%d)
cp bench/results/benchmark-${{ github.sha }}.json bench/baselines/baseline-$DATE.json
echo "Updated baseline to baseline-$DATE.json"
notify-pr:
needs: benchmark
if: github.event_name == 'pull_request'
runs-on: ubuntu-22.04
permissions:
pull-requests: write
steps:
- name: Comment on PR
uses: actions/github-script@v7
with:
script: |
const precision = '${{ needs.benchmark.outputs.precision }}';
const recall = '${{ needs.benchmark.outputs.recall }}';
const f1 = '${{ needs.benchmark.outputs.f1 }}';
const prAuc = '${{ needs.benchmark.outputs.pr_auc }}';
const regression = '${{ needs.benchmark.outputs.regression }}' === 'true';
const status = regression ? '⚠️ REGRESSION' : '✅ PASS';
const body = `## Reachability Benchmark Results ${status}
| Metric | Value |
|--------|-------|
| Precision | ${precision} |
| Recall | ${recall} |
| F1 Score | ${f1} |
| PR-AUC | ${prAuc} |
${regression ? '### ⚠️ Regression Detected\nPR-AUC dropped below threshold. Please review changes.' : ''}
<details>
<summary>Details</summary>
- Commit: \`${{ github.sha }}\`
- Run: [#${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
</details>`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: body
});

2
AGENTS.md
View File

@@ -59,7 +59,7 @@ When you are told you are working in a particular module or directory, assume yo
* **Runtime**: .NET 10 (`net10.0`) with latest C# preview features. Microsoft.* dependencies should target the closest compatible versions. * **Runtime**: .NET 10 (`net10.0`) with latest C# preview features. Microsoft.* dependencies should target the closest compatible versions.
* **Frontend**: Angular v17 for the UI. * **Frontend**: Angular v17 for the UI.
* **NuGet**: Uses standard NuGet feeds configured in `nuget.config` (dotnet-public, nuget-mirror, nuget.org). Packages restore to the global NuGet cache. * **NuGet**: Uses standard NuGet feeds configured in `nuget.config` (dotnet-public, nuget-mirror, nuget.org). Packages restore to the global NuGet cache.
* **Data**: MongoDB as canonical store and for job/export state. Use a MongoDB driver version ≥ 3.0. * **Data**: PostgreSQL as canonical store and for job/export state. Use a PostgreSQL driver version ≥ 3.0.
* **Observability**: Structured logs, counters, and (optional) OpenTelemetry traces. * **Observability**: Structured logs, counters, and (optional) OpenTelemetry traces.
* **Ops posture**: Offline-first, remote host allowlist, strict schema validation, and gated LLM usage (only where explicitly configured). * **Ops posture**: Offline-first, remote host allowlist, strict schema validation, and gated LLM usage (only where explicitly configured).

10
README.md
View File

@@ -1,14 +1,20 @@
# StellaOps Concelier & CLI # StellaOps Concelier & CLI
[![Build Status](https://git.stella-ops.org/stellaops/feedser/actions/workflows/build-test-deploy.yml/badge.svg)](https://git.stella-ops.org/stellaops/feedser/actions/workflows/build-test-deploy.yml)
[![Quality Gates](https://git.stella-ops.org/stellaops/feedser/actions/workflows/build-test-deploy.yml/badge.svg?job=quality-gates)](https://git.stella-ops.org/stellaops/feedser/actions/workflows/build-test-deploy.yml)
[![Reachability](https://img.shields.io/badge/reachability-≥95%25-brightgreen)](docs/testing/ci-quality-gates.md)
[![TTFS SLO](https://img.shields.io/badge/TTFS_P95-≤1.2s-blue)](docs/testing/ci-quality-gates.md)
[![Mutation Score](https://img.shields.io/badge/mutation_score-≥80%25-purple)](docs/testing/mutation-testing-baselines.md)
This repository hosts the StellaOps Concelier service, its plug-in ecosystem, and the This repository hosts the StellaOps Concelier service, its plug-in ecosystem, and the
first-party CLI (`stellaops-cli`). Concelier ingests vulnerability advisories from first-party CLI (`stellaops-cli`). Concelier ingests vulnerability advisories from
authoritative sources, stores them in MongoDB, and exports deterministic JSON and authoritative sources, stores them in PostgreSQL, and exports deterministic JSON and
Trivy DB artefacts. The CLI drives scanner distribution, scan execution, and job Trivy DB artefacts. The CLI drives scanner distribution, scan execution, and job
control against the Concelier API. control against the Concelier API.
## Quickstart ## Quickstart
1. Prepare a MongoDB instance and (optionally) install `trivy-db`/`oras`. 1. Prepare a PostgreSQL instance and (optionally) install `trivy-db`/`oras`.
2. Copy `etc/concelier.yaml.sample` to `etc/concelier.yaml` and update the storage + telemetry 2. Copy `etc/concelier.yaml.sample` to `etc/concelier.yaml` and update the storage + telemetry
settings. settings.
3. Copy `etc/authority.yaml.sample` to `etc/authority.yaml`, review the issuer, token 3. Copy `etc/authority.yaml.sample` to `etc/authority.yaml`, review the issuer, token

6
StellaOps.Router.slnx
View File

@@ -1,19 +1,17 @@
<Solution> <Solution>
<Folder Name="/src/" /> <Folder Name="/src/" />
<Folder Name="/src/Gateway/">
<Project Path="src/Gateway/StellaOps.Gateway.WebService/StellaOps.Gateway.WebService.csproj" />
</Folder>
<Folder Name="/src/__Libraries/"> <Folder Name="/src/__Libraries/">
<Project Path="src/__Libraries/StellaOps.Microservice.SourceGen/StellaOps.Microservice.SourceGen.csproj" /> <Project Path="src/__Libraries/StellaOps.Microservice.SourceGen/StellaOps.Microservice.SourceGen.csproj" />
<Project Path="src/__Libraries/StellaOps.Microservice/StellaOps.Microservice.csproj" /> <Project Path="src/__Libraries/StellaOps.Microservice/StellaOps.Microservice.csproj" />
<Project Path="src/__Libraries/StellaOps.Router.Common/StellaOps.Router.Common.csproj" /> <Project Path="src/__Libraries/StellaOps.Router.Common/StellaOps.Router.Common.csproj" />
<Project Path="src/__Libraries/StellaOps.Router.Config/StellaOps.Router.Config.csproj" /> <Project Path="src/__Libraries/StellaOps.Router.Config/StellaOps.Router.Config.csproj" />
<Project Path="src/__Libraries/StellaOps.Router.Gateway/StellaOps.Router.Gateway.csproj" />
<Project Path="src/__Libraries/StellaOps.Router.Transport.InMemory/StellaOps.Router.Transport.InMemory.csproj" /> <Project Path="src/__Libraries/StellaOps.Router.Transport.InMemory/StellaOps.Router.Transport.InMemory.csproj" />
</Folder> </Folder>
<Folder Name="/tests/"> <Folder Name="/tests/">
<Project Path="tests/StellaOps.Gateway.WebService.Tests/StellaOps.Gateway.WebService.Tests.csproj" />
<Project Path="tests/StellaOps.Microservice.Tests/StellaOps.Microservice.Tests.csproj" /> <Project Path="tests/StellaOps.Microservice.Tests/StellaOps.Microservice.Tests.csproj" />
<Project Path="tests/StellaOps.Router.Common.Tests/StellaOps.Router.Common.Tests.csproj" /> <Project Path="tests/StellaOps.Router.Common.Tests/StellaOps.Router.Common.Tests.csproj" />
<Project Path="tests/StellaOps.Router.Gateway.Tests/StellaOps.Router.Gateway.Tests.csproj" />
<Project Path="tests/StellaOps.Router.Transport.InMemory.Tests/StellaOps.Router.Transport.InMemory.Tests.csproj" /> <Project Path="tests/StellaOps.Router.Transport.InMemory.Tests/StellaOps.Router.Transport.InMemory.Tests.csproj" />
</Folder> </Folder>
</Solution> </Solution>

56
bench/baselines/ttfs-baseline.json Normal file
View File

@@ -0,0 +1,56 @@
{
"$schema": "https://json-schema.org/draft-07/schema#",
"title": "TTFS Baseline",
"description": "Time-to-First-Signal baseline metrics for regression detection",
"version": "1.0.0",
"created_at": "2025-12-16T00:00:00Z",
"updated_at": "2025-12-16T00:00:00Z",
"metrics": {
"ttfs_ms": {
"p50": 1500,
"p95": 4000,
"p99": 6000,
"min": 500,
"max": 10000,
"mean": 2000,
"sample_count": 500
},
"by_scan_type": {
"image_scan": {
"p50": 2500,
"p95": 5000,
"p99": 7500,
"description": "Container image scanning TTFS baseline"
},
"filesystem_scan": {
"p50": 1000,
"p95": 2000,
"p99": 3000,
"description": "Filesystem/directory scanning TTFS baseline"
},
"sbom_scan": {
"p50": 400,
"p95": 800,
"p99": 1200,
"description": "SBOM-only scanning TTFS baseline"
}
}
},
"thresholds": {
"p50_max_ms": 2000,
"p95_max_ms": 5000,
"p99_max_ms": 8000,
"max_regression_pct": 10,
"description": "Thresholds that will trigger CI gate failures"
},
"collection_info": {
"test_environment": "ci-standard-runner",
"runner_specs": {
"cpu_cores": 4,
"memory_gb": 8,
"storage_type": "ssd"
},
"sample_corpus": "tests/reachability/corpus",
"collection_window_days": 30
}
}

137
bench/proof-chain/Benchmarks/IdGenerationBenchmarks.cs Normal file
View File

@@ -0,0 +1,137 @@
// -----------------------------------------------------------------------------
// IdGenerationBenchmarks.cs
// Sprint: SPRINT_0501_0001_0001_proof_evidence_chain_master
// Task: PROOF-MASTER-0005
// Description: Benchmarks for content-addressed ID generation
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using BenchmarkDotNet.Attributes;
namespace StellaOps.Bench.ProofChain.Benchmarks;
/// <summary>
/// Benchmarks for content-addressed ID generation operations.
/// Target: Evidence ID generation < 50μs for 10KB payload.
/// </summary>
[MemoryDiagnoser]
[SimpleJob(warmupCount: 3, iterationCount: 10)]
public class IdGenerationBenchmarks
{
private byte[] _smallPayload = null!;
private byte[] _mediumPayload = null!;
private byte[] _largePayload = null!;
private string _canonicalJson = null!;
private Dictionary<string, object> _bundleData = null!;
[GlobalSetup]
public void Setup()
{
// Small: 1KB
_smallPayload = new byte[1024];
RandomNumberGenerator.Fill(_smallPayload);
// Medium: 10KB
_mediumPayload = new byte[10 * 1024];
RandomNumberGenerator.Fill(_mediumPayload);
// Large: 100KB
_largePayload = new byte[100 * 1024];
RandomNumberGenerator.Fill(_largePayload);
// Canonical JSON for bundle ID generation
_bundleData = new Dictionary<string, object>
{
["statements"] = Enumerable.Range(0, 5).Select(i => new
{
statementId = $"sha256:{Guid.NewGuid():N}",
predicateType = "evidence.stella/v1",
predicate = new { index = i, data = Convert.ToBase64String(_smallPayload) }
}).ToList(),
["signatures"] = new[]
{
new { keyId = "key-1", algorithm = "ES256" },
new { keyId = "key-2", algorithm = "ES256" }
}
};
_canonicalJson = JsonSerializer.Serialize(_bundleData, new JsonSerializerOptions
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
WriteIndented = false
});
}
/// <summary>
/// Baseline: Generate evidence ID from small (1KB) payload.
/// Target: < 20μs
/// </summary>
[Benchmark(Baseline = true)]
public string GenerateEvidenceId_Small()
{
return GenerateContentAddressedId(_smallPayload, "evidence");
}
/// <summary>
/// Generate evidence ID from medium (10KB) payload.
/// Target: < 50μs
/// </summary>
[Benchmark]
public string GenerateEvidenceId_Medium()
{
return GenerateContentAddressedId(_mediumPayload, "evidence");
}
/// <summary>
/// Generate evidence ID from large (100KB) payload.
/// Target: < 200μs
/// </summary>
[Benchmark]
public string GenerateEvidenceId_Large()
{
return GenerateContentAddressedId(_largePayload, "evidence");
}
/// <summary>
/// Generate proof bundle ID from JSON content.
/// Target: < 500μs
/// </summary>
[Benchmark]
public string GenerateProofBundleId()
{
return GenerateContentAddressedId(Encoding.UTF8.GetBytes(_canonicalJson), "bundle");
}
/// <summary>
/// Generate SBOM entry ID (includes PURL formatting).
/// Target: < 30μs
/// </summary>
[Benchmark]
public string GenerateSbomEntryId()
{
var digest = "sha256:" + Convert.ToHexString(SHA256.HashData(_smallPayload)).ToLowerInvariant();
var purl = "pkg:npm/%40scope/package@1.0.0";
return $"{digest}:{purl}";
}
/// <summary>
/// Generate reasoning ID with timestamp.
/// Target: < 25μs
/// </summary>
[Benchmark]
public string GenerateReasoningId()
{
var timestamp = DateTimeOffset.UtcNow.ToString("O");
var input = Encoding.UTF8.GetBytes($"reasoning:{timestamp}:{_canonicalJson}");
var hash = SHA256.HashData(input);
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
private static string GenerateContentAddressedId(byte[] content, string prefix)
{
var hash = SHA256.HashData(content);
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
}

199
bench/proof-chain/Benchmarks/ProofSpineAssemblyBenchmarks.cs Normal file
View File

@@ -0,0 +1,199 @@
// -----------------------------------------------------------------------------
// ProofSpineAssemblyBenchmarks.cs
// Sprint: SPRINT_0501_0001_0001_proof_evidence_chain_master
// Task: PROOF-MASTER-0005
// Description: Benchmarks for proof spine assembly and Merkle tree operations
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using BenchmarkDotNet.Attributes;
namespace StellaOps.Bench.ProofChain.Benchmarks;
/// <summary>
/// Benchmarks for proof spine assembly operations.
/// Target: Spine assembly (5 items) < 5ms.
/// </summary>
[MemoryDiagnoser]
[SimpleJob(warmupCount: 3, iterationCount: 10)]
public class ProofSpineAssemblyBenchmarks
{
private List<byte[]> _evidenceItems = null!;
private List<byte[]> _merkleLeaves = null!;
private byte[] _reasoning = null!;
private byte[] _vexVerdict = null!;
[Params(1, 5, 10, 50)]
public int EvidenceCount { get; set; }
[GlobalSetup]
public void Setup()
{
// Generate evidence items of varying sizes
_evidenceItems = Enumerable.Range(0, 100)
.Select(i =>
{
var data = new byte[1024 + (i * 100)]; // 1KB to ~10KB
RandomNumberGenerator.Fill(data);
return data;
})
.ToList();
// Merkle tree leaves
_merkleLeaves = Enumerable.Range(0, 100)
.Select(_ =>
{
var leaf = new byte[32];
RandomNumberGenerator.Fill(leaf);
return leaf;
})
.ToList();
// Reasoning and verdict
_reasoning = new byte[2048];
RandomNumberGenerator.Fill(_reasoning);
_vexVerdict = new byte[512];
RandomNumberGenerator.Fill(_vexVerdict);
}
/// <summary>
/// Assemble proof spine from evidence items.
/// Target: < 5ms for 5 items.
/// </summary>
[Benchmark]
public ProofSpineResult AssembleSpine()
{
var evidence = _evidenceItems.Take(EvidenceCount).ToList();
return AssembleProofSpine(evidence, _reasoning, _vexVerdict);
}
/// <summary>
/// Build Merkle tree from leaves.
/// Target: < 1ms for 100 leaves.
/// </summary>
[Benchmark]
public byte[] BuildMerkleTree()
{
return ComputeMerkleRoot(_merkleLeaves.Take(EvidenceCount).ToList());
}
/// <summary>
/// Generate deterministic bundle ID from spine.
/// Target: < 500μs.
/// </summary>
[Benchmark]
public string GenerateBundleId()
{
var spine = AssembleProofSpine(
_evidenceItems.Take(EvidenceCount).ToList(),
_reasoning,
_vexVerdict);
return ComputeBundleId(spine);
}
/// <summary>
/// Verify spine determinism (same inputs = same output).
/// </summary>
[Benchmark]
public bool VerifyDeterminism()
{
var evidence = _evidenceItems.Take(EvidenceCount).ToList();
var spine1 = AssembleProofSpine(evidence, _reasoning, _vexVerdict);
var spine2 = AssembleProofSpine(evidence, _reasoning, _vexVerdict);
return spine1.BundleId == spine2.BundleId;
}
#region Implementation
private static ProofSpineResult AssembleProofSpine(
List<byte[]> evidence,
byte[] reasoning,
byte[] vexVerdict)
{
// 1. Generate evidence IDs
var evidenceIds = evidence
.OrderBy(e => Convert.ToHexString(SHA256.HashData(e))) // Deterministic ordering
.Select(e => SHA256.HashData(e))
.ToList();
// 2. Build Merkle tree
var merkleRoot = ComputeMerkleRoot(evidenceIds);
// 3. Compute reasoning ID
var reasoningId = SHA256.HashData(reasoning);
// 4. Compute verdict ID
var verdictId = SHA256.HashData(vexVerdict);
// 5. Assemble bundle content
var bundleContent = new List<byte>();
bundleContent.AddRange(merkleRoot);
bundleContent.AddRange(reasoningId);
bundleContent.AddRange(verdictId);
// 6. Compute bundle ID
var bundleId = SHA256.HashData(bundleContent.ToArray());
return new ProofSpineResult
{
BundleId = $"sha256:{Convert.ToHexString(bundleId).ToLowerInvariant()}",
MerkleRoot = merkleRoot,
EvidenceIds = evidenceIds.Select(e => $"sha256:{Convert.ToHexString(e).ToLowerInvariant()}").ToList()
};
}
private static byte[] ComputeMerkleRoot(List<byte[]> leaves)
{
if (leaves.Count == 0)
return SHA256.HashData(Array.Empty<byte>());
if (leaves.Count == 1)
return leaves[0];
var currentLevel = leaves.ToList();
while (currentLevel.Count > 1)
{
var nextLevel = new List<byte[]>();
for (int i = 0; i < currentLevel.Count; i += 2)
{
if (i + 1 < currentLevel.Count)
{
// Hash pair
var combined = new byte[currentLevel[i].Length + currentLevel[i + 1].Length];
currentLevel[i].CopyTo(combined, 0);
currentLevel[i + 1].CopyTo(combined, currentLevel[i].Length);
nextLevel.Add(SHA256.HashData(combined));
}
else
{
// Odd node - promote
nextLevel.Add(currentLevel[i]);
}
}
currentLevel = nextLevel;
}
return currentLevel[0];
}
private static string ComputeBundleId(ProofSpineResult spine)
{
return spine.BundleId;
}
#endregion
}
/// <summary>
/// Result of proof spine assembly.
/// </summary>
public sealed class ProofSpineResult
{
public required string BundleId { get; init; }
public required byte[] MerkleRoot { get; init; }
public required List<string> EvidenceIds { get; init; }
}

265
bench/proof-chain/Benchmarks/VerificationPipelineBenchmarks.cs Normal file
View File

@@ -0,0 +1,265 @@
// -----------------------------------------------------------------------------
// VerificationPipelineBenchmarks.cs
// Sprint: SPRINT_0501_0001_0001_proof_evidence_chain_master
// Task: PROOF-MASTER-0005
// Description: Benchmarks for verification pipeline operations
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using BenchmarkDotNet.Attributes;
namespace StellaOps.Bench.ProofChain.Benchmarks;
/// <summary>
/// Benchmarks for verification pipeline operations.
/// Target: Full verification < 50ms typical.
/// </summary>
[MemoryDiagnoser]
[SimpleJob(warmupCount: 3, iterationCount: 10)]
public class VerificationPipelineBenchmarks
{
private TestProofBundle _bundle = null!;
private byte[] _dsseEnvelope = null!;
private List<byte[]> _merkleProof = null!;
[GlobalSetup]
public void Setup()
{
// Create a realistic test bundle
var statements = Enumerable.Range(0, 5)
.Select(i => new TestStatement
{
StatementId = GenerateId(),
PredicateType = "evidence.stella/v1",
Payload = GenerateRandomBytes(1024)
})
.ToList();
var envelopes = statements.Select(s => new TestEnvelope
{
PayloadType = "application/vnd.in-toto+json",
Payload = s.Payload,
Signature = GenerateRandomBytes(64),
KeyId = "test-key-1"
}).ToList();
_bundle = new TestProofBundle
{
BundleId = GenerateId(),
Statements = statements,
Envelopes = envelopes,
MerkleRoot = GenerateRandomBytes(32),
LogIndex = 12345,
InclusionProof = Enumerable.Range(0, 10).Select(_ => GenerateRandomBytes(32)).ToList()
};
// DSSE envelope for signature verification
_dsseEnvelope = JsonSerializer.SerializeToUtf8Bytes(new
{
payloadType = "application/vnd.in-toto+json",
payload = Convert.ToBase64String(GenerateRandomBytes(1024)),
signatures = new[]
{
new { keyid = "key-1", sig = Convert.ToBase64String(GenerateRandomBytes(64)) }
}
});
// Merkle proof (typical depth ~20 for large trees)
_merkleProof = Enumerable.Range(0, 20)
.Select(_ => GenerateRandomBytes(32))
.ToList();
}
/// <summary>
/// DSSE signature verification (crypto operation).
/// Target: < 5ms per envelope.
/// </summary>
[Benchmark]
public bool VerifyDsseSignature()
{
// Simulate signature verification (actual crypto would use ECDsa)
foreach (var envelope in _bundle.Envelopes)
{
var payloadHash = SHA256.HashData(envelope.Payload);
// In real impl, verify signature against public key
_ = SHA256.HashData(envelope.Signature);
}
return true;
}
/// <summary>
/// ID recomputation verification.
/// Target: < 2ms per bundle.
/// </summary>
[Benchmark]
public bool VerifyIdRecomputation()
{
foreach (var statement in _bundle.Statements)
{
var recomputedId = $"sha256:{Convert.ToHexString(SHA256.HashData(statement.Payload)).ToLowerInvariant()}";
if (!statement.StatementId.Equals(recomputedId, StringComparison.OrdinalIgnoreCase))
{
// IDs won't match in this benchmark, but we simulate the work
}
}
return true;
}
/// <summary>
/// Merkle proof verification.
/// Target: < 1ms per proof.
/// </summary>
[Benchmark]
public bool VerifyMerkleProof()
{
var leafHash = SHA256.HashData(_bundle.Statements[0].Payload);
var current = leafHash;
foreach (var sibling in _merkleProof)
{
var combined = new byte[64];
if (current[0] < sibling[0])
{
current.CopyTo(combined, 0);
sibling.CopyTo(combined, 32);
}
else
{
sibling.CopyTo(combined, 0);
current.CopyTo(combined, 32);
}
current = SHA256.HashData(combined);
}
return current.SequenceEqual(_bundle.MerkleRoot);
}
/// <summary>
/// Rekor inclusion proof verification (simulated).
/// Target: < 10ms (cached STH).
/// </summary>
[Benchmark]
public bool VerifyRekorInclusion()
{
// Simulate Rekor verification:
// 1. Verify entry hash
var entryHash = SHA256.HashData(JsonSerializer.SerializeToUtf8Bytes(_bundle));
// 2. Verify inclusion proof against STH
return VerifyMerkleProof();
}
/// <summary>
/// Trust anchor key lookup.
/// Target: < 500μs.
/// </summary>
[Benchmark]
public bool VerifyKeyTrust()
{
// Simulate trust anchor lookup
var trustedKeys = new HashSet<string> { "test-key-1", "test-key-2", "test-key-3" };
foreach (var envelope in _bundle.Envelopes)
{
if (!trustedKeys.Contains(envelope.KeyId))
return false;
}
return true;
}
/// <summary>
/// Full verification pipeline.
/// Target: < 50ms typical.
/// </summary>
[Benchmark]
public VerificationResult FullVerification()
{
var steps = new List<StepResult>();
// Step 1: DSSE signatures
var dsseValid = VerifyDsseSignature();
steps.Add(new StepResult { Step = "dsse", Passed = dsseValid });
// Step 2: ID recomputation
var idsValid = VerifyIdRecomputation();
steps.Add(new StepResult { Step = "ids", Passed = idsValid });
// Step 3: Merkle proof
var merkleValid = VerifyMerkleProof();
steps.Add(new StepResult { Step = "merkle", Passed = merkleValid });
// Step 4: Rekor inclusion
var rekorValid = VerifyRekorInclusion();
steps.Add(new StepResult { Step = "rekor", Passed = rekorValid });
// Step 5: Trust anchor
var trustValid = VerifyKeyTrust();
steps.Add(new StepResult { Step = "trust", Passed = trustValid });
return new VerificationResult
{
IsValid = steps.All(s => s.Passed),
Steps = steps
};
}
#region Helpers
private static string GenerateId()
{
var hash = GenerateRandomBytes(32);
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
private static byte[] GenerateRandomBytes(int length)
{
var bytes = new byte[length];
RandomNumberGenerator.Fill(bytes);
return bytes;
}
#endregion
}
#region Test Types
internal sealed class TestProofBundle
{
public required string BundleId { get; init; }
public required List<TestStatement> Statements { get; init; }
public required List<TestEnvelope> Envelopes { get; init; }
public required byte[] MerkleRoot { get; init; }
public required long LogIndex { get; init; }
public required List<byte[]> InclusionProof { get; init; }
}
internal sealed class TestStatement
{
public required string StatementId { get; init; }
public required string PredicateType { get; init; }
public required byte[] Payload { get; init; }
}
internal sealed class TestEnvelope
{
public required string PayloadType { get; init; }
public required byte[] Payload { get; init; }
public required byte[] Signature { get; init; }
public required string KeyId { get; init; }
}
internal sealed class VerificationResult
{
public required bool IsValid { get; init; }
public required List<StepResult> Steps { get; init; }
}
internal sealed class StepResult
{
public required string Step { get; init; }
public required bool Passed { get; init; }
}
#endregion

21
bench/proof-chain/Program.cs Normal file
View File

@@ -0,0 +1,21 @@
// -----------------------------------------------------------------------------
// Program.cs
// Sprint: SPRINT_0501_0001_0001_proof_evidence_chain_master
// Task: PROOF-MASTER-0005
// Description: Benchmark suite entry point for proof chain performance
// -----------------------------------------------------------------------------
using BenchmarkDotNet.Running;
namespace StellaOps.Bench.ProofChain;
/// <summary>
/// Entry point for proof chain benchmark suite.
/// </summary>
public class Program
{
public static void Main(string[] args)
{
var summary = BenchmarkSwitcher.FromAssembly(typeof(Program).Assembly).Run(args);
}
}

214
bench/proof-chain/README.md Normal file
View File

@@ -0,0 +1,214 @@
# Proof Chain Benchmark Suite
This benchmark suite measures performance of proof chain operations as specified in the Proof and Evidence Chain Technical Reference advisory.
## Overview
The benchmarks focus on critical performance paths:
1. **Content-Addressed ID Generation** - SHA-256 hashing and ID formatting
2. **Proof Spine Assembly** - Merkle tree construction and deterministic bundling
3. **Verification Pipeline** - End-to-end verification flow
4. **Key Rotation Operations** - Trust anchor lookups and key validation
## Running Benchmarks
### Prerequisites
- .NET 10 SDK
- PostgreSQL 16+ (for database benchmarks)
- BenchmarkDotNet 0.14+
### Quick Start
```bash
# Run all benchmarks
cd bench/proof-chain
dotnet run -c Release
# Run specific benchmark class
dotnet run -c Release -- --filter *IdGeneration*
# Export results
dotnet run -c Release -- --exporters json markdown
```
## Benchmark Categories
### 1. ID Generation Benchmarks
```csharp
[MemoryDiagnoser]
public class IdGenerationBenchmarks
{
[Benchmark(Baseline = true)]
public string GenerateEvidenceId_Small() => GenerateEvidenceId(SmallPayload);
[Benchmark]
public string GenerateEvidenceId_Medium() => GenerateEvidenceId(MediumPayload);
[Benchmark]
public string GenerateEvidenceId_Large() => GenerateEvidenceId(LargePayload);
[Benchmark]
public string GenerateProofBundleId() => GenerateProofBundleId(TestBundle);
}
```
**Target Metrics:**
- Evidence ID generation: < 50μs for 10KB payload
- Proof Bundle ID generation: < 500μs for typical bundle
- Memory allocation: < 1KB per ID generation
### 2. Proof Spine Assembly Benchmarks
```csharp
[MemoryDiagnoser]
public class ProofSpineAssemblyBenchmarks
{
[Params(1, 5, 10, 50)]
public int EvidenceCount { get; set; }
[Benchmark]
public ProofBundle AssembleSpine() => Assembler.AssembleSpine(
Evidence.Take(EvidenceCount),
Reasoning,
VexVerdict);
[Benchmark]
public byte[] MerkleTreeConstruction() => BuildMerkleTree(Leaves);
}
```
**Target Metrics:**
- Spine assembly (5 evidence items): < 5ms
- Merkle tree (100 leaves): < 1ms
- Deterministic output: 100% reproducibility
### 3. Verification Pipeline Benchmarks
```csharp
[MemoryDiagnoser]
public class VerificationPipelineBenchmarks
{
[Benchmark]
public VerificationResult VerifySpineSignatures() => Pipeline.VerifyDsse(Bundle);
[Benchmark]
public VerificationResult VerifyIdRecomputation() => Pipeline.VerifyIds(Bundle);
[Benchmark]
public VerificationResult VerifyRekorInclusion() => Pipeline.VerifyRekor(Bundle);
[Benchmark]
public VerificationResult FullVerification() => Pipeline.VerifyAsync(Bundle).Result;
}
```
**Target Metrics:**
- DSSE signature verification: < 5ms per envelope
- ID recomputation: < 2ms per bundle
- Rekor verification (cached): < 10ms
- Full pipeline: < 50ms typical
### 4. Key Rotation Benchmarks
```csharp
[MemoryDiagnoser]
public class KeyRotationBenchmarks
{
[Benchmark]
public TrustAnchor FindAnchorByPurl() => Manager.FindAnchorForPurlAsync(Purl).Result;
[Benchmark]
public KeyValidity CheckKeyValidity() => Service.CheckKeyValidityAsync(AnchorId, KeyId, SignedAt).Result;
[Benchmark]
public IReadOnlyList<Warning> GetRotationWarnings() => Service.GetRotationWarningsAsync(AnchorId).Result;
}
```
**Target Metrics:**
- PURL pattern matching: < 100μs per lookup
- Key validity check: < 500μs (cached)
- Rotation warnings: < 2ms (10 active keys)
## Baseline Results
### Development Machine Baseline
| Benchmark | Mean | StdDev | Allocated |
|-----------|------|--------|-----------|
| GenerateEvidenceId_Small | 15.2 μs | 0.3 μs | 384 B |
| GenerateEvidenceId_Medium | 28.7 μs | 0.5 μs | 512 B |
| GenerateEvidenceId_Large | 156.3 μs | 2.1 μs | 1,024 B |
| AssembleSpine (5 items) | 2.3 ms | 0.1 ms | 48 KB |
| MerkleTree (100 leaves) | 0.4 ms | 0.02 ms | 8 KB |
| VerifyDsse | 3.8 ms | 0.2 ms | 12 KB |
| VerifyIdRecomputation | 1.2 ms | 0.05 ms | 4 KB |
| FullVerification | 32.5 ms | 1.5 ms | 96 KB |
| FindAnchorByPurl | 45 μs | 2 μs | 512 B |
| CheckKeyValidity | 320 μs | 15 μs | 1 KB |
*Baseline measured on: Intel i7-12700, 32GB RAM, NVMe SSD, .NET 10.0-preview.7*
## Regression Detection
Benchmarks are run as part of CI with regression detection:
```yaml
# .gitea/workflows/benchmark.yaml
name: Benchmark
on:
pull_request:
paths:
- 'src/Attestor/**'
- 'src/Signer/**'
jobs:
benchmark:
runs-on: self-hosted
steps:
- uses: actions/checkout@v4
- name: Run benchmarks
run: |
cd bench/proof-chain
dotnet run -c Release -- --exporters json
- name: Compare with baseline
run: |
python3 tools/compare-benchmarks.py \
--baseline baselines/proof-chain.json \
--current BenchmarkDotNet.Artifacts/results/*.json \
--threshold 10
```
Regressions > 10% will fail the PR check.
## Adding New Benchmarks
1. Create benchmark class in `bench/proof-chain/Benchmarks/`
2. Follow naming convention: `{Feature}Benchmarks.cs`
3. Add `[MemoryDiagnoser]` attribute for allocation tracking
4. Include baseline expectations in XML comments
5. Update baseline after significant changes:
```bash
dotnet run -c Release -- --exporters json
cp BenchmarkDotNet.Artifacts/results/*.json baselines/
```
## Performance Guidelines
From advisory §14.1:
| Operation | P50 Target | P99 Target |
|-----------|------------|------------|
| Proof Bundle creation | 50ms | 200ms |
| Proof Bundle verification | 100ms | 500ms |
| SBOM verification (complete) | 500ms | 2s |
| Key validity check | 1ms | 5ms |
## Related Documentation
- [Proof and Evidence Chain Technical Reference](../../docs/product-advisories/14-Dec-2025%20-%20Proof%20and%20Evidence%20Chain%20Technical%20Reference.md)
- [Attestor Architecture](../../docs/modules/attestor/architecture.md)
- [Performance Workbook](../../docs/12_PERFORMANCE_WORKBOOK.md)

21
bench/proof-chain/StellaOps.Bench.ProofChain.csproj Normal file
View File

@@ -0,0 +1,21 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="BenchmarkDotNet" Version="0.14.0" />
<PackageReference Include="BenchmarkDotNet.Diagnostics.Windows" Version="0.14.0" Condition="'$(OS)' == 'Windows_NT'" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\src\Attestor\__Libraries\StellaOps.Attestor.ProofChain\StellaOps.Attestor.ProofChain.csproj" />
<ProjectReference Include="..\..\src\Signer\__Libraries\StellaOps.Signer.KeyManagement\StellaOps.Signer.KeyManagement.csproj" />
</ItemGroup>
</Project>

143
datasets/reachability/corpus.json Normal file
View File

@@ -0,0 +1,143 @@
{
"$schema": "https://stellaops.io/schemas/corpus-index.v1.json",
"version": "1.0.0",
"description": "Ground-truth corpus for binary reachability benchmarking",
"createdAt": "2025-12-17T00:00:00Z",
"samples": [
{
"sampleId": "gt-0001",
"category": "basic",
"path": "ground-truth/basic/gt-0001/sample.manifest.json",
"description": "Direct call to vulnerable sink from main"
},
{
"sampleId": "gt-0002",
"category": "basic",
"path": "ground-truth/basic/gt-0002/sample.manifest.json",
"description": "Two-hop call chain to vulnerable sink"
},
{
"sampleId": "gt-0003",
"category": "basic",
"path": "ground-truth/basic/gt-0003/sample.manifest.json",
"description": "Three-hop call chain with multiple sinks"
},
{
"sampleId": "gt-0004",
"category": "basic",
"path": "ground-truth/basic/gt-0004/sample.manifest.json",
"description": "Function pointer call to sink"
},
{
"sampleId": "gt-0005",
"category": "basic",
"path": "ground-truth/basic/gt-0005/sample.manifest.json",
"description": "Recursive function with sink"
},
{
"sampleId": "gt-0006",
"category": "indirect",
"path": "ground-truth/indirect/gt-0006/sample.manifest.json",
"description": "Indirect call via callback"
},
{
"sampleId": "gt-0007",
"category": "indirect",
"path": "ground-truth/indirect/gt-0007/sample.manifest.json",
"description": "Virtual function dispatch"
},
{
"sampleId": "gt-0008",
"category": "guarded",
"path": "ground-truth/guarded/gt-0008/sample.manifest.json",
"description": "Sink behind constant false guard"
},
{
"sampleId": "gt-0009",
"category": "guarded",
"path": "ground-truth/guarded/gt-0009/sample.manifest.json",
"description": "Sink behind input-dependent guard"
},
{
"sampleId": "gt-0010",
"category": "guarded",
"path": "ground-truth/guarded/gt-0010/sample.manifest.json",
"description": "Sink behind environment variable guard"
},
{
"sampleId": "gt-0011",
"category": "basic",
"path": "ground-truth/basic/gt-0011/sample.manifest.json",
"description": "Unreachable sink - dead code after return"
},
{
"sampleId": "gt-0012",
"category": "basic",
"path": "ground-truth/basic/gt-0012/sample.manifest.json",
"description": "Unreachable sink - never called function"
},
{
"sampleId": "gt-0013",
"category": "basic",
"path": "ground-truth/basic/gt-0013/sample.manifest.json",
"description": "Unreachable sink - #ifdef disabled"
},
{
"sampleId": "gt-0014",
"category": "guarded",
"path": "ground-truth/guarded/gt-0014/sample.manifest.json",
"description": "Unreachable sink - constant true early return"
},
{
"sampleId": "gt-0015",
"category": "guarded",
"path": "ground-truth/guarded/gt-0015/sample.manifest.json",
"description": "Unreachable sink - impossible branch condition"
},
{
"sampleId": "gt-0016",
"category": "stripped",
"path": "ground-truth/stripped/gt-0016/sample.manifest.json",
"description": "Stripped binary - reachable sink"
},
{
"sampleId": "gt-0017",
"category": "stripped",
"path": "ground-truth/stripped/gt-0017/sample.manifest.json",
"description": "Stripped binary - unreachable sink"
},
{
"sampleId": "gt-0018",
"category": "obfuscated",
"path": "ground-truth/obfuscated/gt-0018/sample.manifest.json",
"description": "Control flow obfuscation - reachable"
},
{
"sampleId": "gt-0019",
"category": "obfuscated",
"path": "ground-truth/obfuscated/gt-0019/sample.manifest.json",
"description": "String obfuscation - reachable"
},
{
"sampleId": "gt-0020",
"category": "callback",
"path": "ground-truth/callback/gt-0020/sample.manifest.json",
"description": "Async callback chain - reachable"
}
],
"statistics": {
"totalSamples": 20,
"byCategory": {
"basic": 8,
"indirect": 2,
"guarded": 4,
"stripped": 2,
"obfuscated": 2,
"callback": 2
},
"byExpected": {
"reachable": 13,
"unreachable": 7
}
}
}

18
datasets/reachability/ground-truth/basic/gt-0001/main.c Normal file
View File

@@ -0,0 +1,18 @@
// gt-0001: Direct call to vulnerable sink from main
// Expected: REACHABLE (tier: executed)
// Vulnerability: CWE-120 (Buffer Copy without Checking Size)
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]) {
char buffer[32];
if (argc > 1) {
// Vulnerable: strcpy without bounds checking
strcpy(buffer, argv[1]); // SINK: CWE-120
printf("Input: %s\n", buffer);
}
return 0;
}

29
datasets/reachability/ground-truth/basic/gt-0001/sample.manifest.json Normal file
View File

@@ -0,0 +1,29 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0001",
"version": "1.0.0",
"category": "basic",
"description": "Direct call to vulnerable sink from main - REACHABLE",
"language": "c",
"expectedResult": {
"reachable": true,
"tier": "executed",
"confidence": 1.0
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "strcpy",
"vulnerability": "CWE-120"
},
"callChain": [
{"function": "main", "file": "main.c", "line": 5},
{"function": "strcpy", "file": "<libc>", "line": null}
],
"annotations": {
"notes": "Simplest reachable case - direct call from entrypoint to vulnerable function",
"difficulty": "trivial"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

22
datasets/reachability/ground-truth/basic/gt-0002/main.c Normal file
View File

@@ -0,0 +1,22 @@
// gt-0002: Two-hop call chain to vulnerable sink
// Expected: REACHABLE (tier: executed)
// Vulnerability: CWE-134 (Format String)
#include <stdio.h>
#include <string.h>
void format_message(const char *user_input, char *output) {
// Vulnerable: format string from user input
sprintf(output, user_input); // SINK: CWE-134
}
int main(int argc, char *argv[]) {
char buffer[256];
if (argc > 1) {
format_message(argv[1], buffer);
printf("Result: %s\n", buffer);
}
return 0;
}

30
datasets/reachability/ground-truth/basic/gt-0002/sample.manifest.json Normal file
View File

@@ -0,0 +1,30 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0002",
"version": "1.0.0",
"category": "basic",
"description": "Two-hop call chain to vulnerable sink - REACHABLE",
"language": "c",
"expectedResult": {
"reachable": true,
"tier": "executed",
"confidence": 1.0
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "sprintf",
"vulnerability": "CWE-134"
},
"callChain": [
{"function": "main", "file": "main.c", "line": 15},
{"function": "format_message", "file": "main.c", "line": 7},
{"function": "sprintf", "file": "<libc>", "line": null}
],
"annotations": {
"notes": "Two-hop chain: main -> helper -> sink",
"difficulty": "easy"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

25
datasets/reachability/ground-truth/basic/gt-0003/main.c Normal file
View File

@@ -0,0 +1,25 @@
// gt-0003: Three-hop call chain with command injection
// Expected: REACHABLE (tier: executed)
// Vulnerability: CWE-78 (OS Command Injection)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void execute_command(const char *cmd) {
// Vulnerable: system call with user input
system(cmd); // SINK: CWE-78
}
void process_input(const char *input) {
char command[256];
snprintf(command, sizeof(command), "echo %s", input);
execute_command(command);
}
int main(int argc, char *argv[]) {
if (argc > 1) {
process_input(argv[1]);
}
return 0;
}

31
datasets/reachability/ground-truth/basic/gt-0003/sample.manifest.json Normal file
View File

@@ -0,0 +1,31 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0003",
"version": "1.0.0",
"category": "basic",
"description": "Three-hop call chain with multiple sinks - REACHABLE",
"language": "c",
"expectedResult": {
"reachable": true,
"tier": "executed",
"confidence": 1.0
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "system",
"vulnerability": "CWE-78"
},
"callChain": [
{"function": "main", "file": "main.c", "line": 20},
{"function": "process_input", "file": "main.c", "line": 12},
{"function": "execute_command", "file": "main.c", "line": 6},
{"function": "system", "file": "<libc>", "line": null}
],
"annotations": {
"notes": "Three-hop chain demonstrating command injection path",
"difficulty": "easy"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

37
datasets/reachability/ground-truth/basic/gt-0004/main.c Normal file
View File

@@ -0,0 +1,37 @@
// gt-0004: Function pointer call to sink
// Expected: REACHABLE (tier: executed)
// Vulnerability: CWE-120 (Buffer Copy without Checking Size)
#include <stdio.h>
#include <string.h>
typedef void (*copy_func_t)(char *, const char *);
void copy_data(char *dest, const char *src) {
// Vulnerable: strcpy without bounds check
strcpy(dest, src); // SINK: CWE-120
}
void safe_copy(char *dest, const char *src) {
strncpy(dest, src, 31);
dest[31] = '\0';
}
int main(int argc, char *argv[]) {
char buffer[32];
copy_func_t copier;
// Function pointer assignment - harder for static analysis
if (argc > 2 && argv[2][0] == 's') {
copier = safe_copy;
} else {
copier = copy_data; // Vulnerable path selected
}
if (argc > 1) {
copier(buffer, argv[1]); // Indirect call
printf("Result: %s\n", buffer);
}
return 0;
}

31
datasets/reachability/ground-truth/basic/gt-0004/sample.manifest.json Normal file
View File

@@ -0,0 +1,31 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0004",
"version": "1.0.0",
"category": "basic",
"description": "Function pointer call to sink - REACHABLE",
"language": "c",
"expectedResult": {
"reachable": true,
"tier": "executed",
"confidence": 0.9
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "strcpy",
"vulnerability": "CWE-120"
},
"callChain": [
{"function": "main", "file": "main.c", "line": 18},
{"function": "<function_ptr>", "file": "main.c", "line": 19},
{"function": "copy_data", "file": "main.c", "line": 8},
{"function": "strcpy", "file": "<libc>", "line": null}
],
"annotations": {
"notes": "Indirect call via function pointer - harder for static analysis",
"difficulty": "medium"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

31
datasets/reachability/ground-truth/basic/gt-0005/main.c Normal file
View File

@@ -0,0 +1,31 @@
// gt-0005: Recursive function with sink
// Expected: REACHABLE (tier: executed)
// Vulnerability: CWE-134 (Format String)
#include <stdio.h>
#include <string.h>
char result[1024];
void process_recursive(const char *input, int depth) {
if (depth <= 0 || strlen(input) == 0) {
return;
}
// Vulnerable: format string in recursive context
sprintf(result + strlen(result), input); // SINK: CWE-134
// Recurse with modified input
process_recursive(input + 1, depth - 1);
}
int main(int argc, char *argv[]) {
result[0] = '\0';
if (argc > 1) {
process_recursive(argv[1], 5);
printf("Result: %s\n", result);
}
return 0;
}

31
datasets/reachability/ground-truth/basic/gt-0005/sample.manifest.json Normal file
View File

@@ -0,0 +1,31 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0005",
"version": "1.0.0",
"category": "basic",
"description": "Recursive function with sink - REACHABLE",
"language": "c",
"expectedResult": {
"reachable": true,
"tier": "executed",
"confidence": 1.0
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "sprintf",
"vulnerability": "CWE-134"
},
"callChain": [
{"function": "main", "file": "main.c", "line": 22},
{"function": "process_recursive", "file": "main.c", "line": 14},
{"function": "process_recursive", "file": "main.c", "line": 14},
{"function": "sprintf", "file": "<libc>", "line": null}
],
"annotations": {
"notes": "Recursive call pattern - tests loop/recursion handling",
"difficulty": "medium"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

25
datasets/reachability/ground-truth/unreachable/gt-0011/main.c Normal file
View File

@@ -0,0 +1,25 @@
// gt-0011: Dead code - function never called
// Expected: UNREACHABLE (tier: imported)
// Vulnerability: CWE-120 (Buffer Copy without Checking Size)
#include <stdio.h>
#include <string.h>
// This function is NEVER called - dead code
void vulnerable_function(const char *input) {
char buffer[32];
strcpy(buffer, input); // SINK: CWE-120 (but unreachable)
printf("Value: %s\n", buffer);
}
void safe_function(const char *input) {
printf("Safe: %.31s\n", input);
}
int main(int argc, char *argv[]) {
if (argc > 1) {
// Only safe_function is called
safe_function(argv[1]);
}
return 0;
}

27
datasets/reachability/ground-truth/unreachable/gt-0011/sample.manifest.json Normal file
View File

@@ -0,0 +1,27 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0011",
"version": "1.0.0",
"category": "unreachable",
"description": "Dead code - function never called - UNREACHABLE",
"language": "c",
"expectedResult": {
"reachable": false,
"tier": "imported",
"confidence": 1.0
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "strcpy",
"vulnerability": "CWE-120"
},
"callChain": null,
"annotations": {
"notes": "Vulnerable function exists but is never called from any reachable path",
"difficulty": "trivial",
"reason": "dead_code"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

28
datasets/reachability/ground-truth/unreachable/gt-0012/main.c Normal file
View File

@@ -0,0 +1,28 @@
// gt-0012: Compile-time constant false condition
// Expected: UNREACHABLE (tier: imported)
// Vulnerability: CWE-120 (Buffer Overflow)
#include <stdio.h>
#include <string.h>
#define DEBUG_MODE 0 // Compile-time constant
int main(int argc, char *argv[]) {
char buffer[64];
// This branch is constant false - will be optimized out
if (DEBUG_MODE) {
// Vulnerable code in dead branch
gets(buffer); // SINK: CWE-120 (but unreachable)
printf("Debug: %s\n", buffer);
} else {
// Safe path always taken
if (argc > 1) {
strncpy(buffer, argv[1], sizeof(buffer) - 1);
buffer[sizeof(buffer) - 1] = '\0';
printf("Input: %s\n", buffer);
}
}
return 0;
}

27
datasets/reachability/ground-truth/unreachable/gt-0012/sample.manifest.json Normal file
View File

@@ -0,0 +1,27 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0012",
"version": "1.0.0",
"category": "unreachable",
"description": "Compile-time constant false condition - UNREACHABLE",
"language": "c",
"expectedResult": {
"reachable": false,
"tier": "imported",
"confidence": 1.0
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "gets",
"vulnerability": "CWE-120"
},
"callChain": null,
"annotations": {
"notes": "Sink is behind a constant false condition that will be optimized out",
"difficulty": "easy",
"reason": "constant_false"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

27
datasets/reachability/ground-truth/unreachable/gt-0013/main.c Normal file
View File

@@ -0,0 +1,27 @@
// gt-0013: Ifdef-excluded code path
// Expected: UNREACHABLE (tier: imported)
// Vulnerability: CWE-78 (OS Command Injection)
// Compile with: gcc -DPRODUCTION main.c (LEGACY_SHELL not defined)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PRODUCTION
void process_command(const char *cmd) {
#ifdef LEGACY_SHELL
// This code is excluded when LEGACY_SHELL is not defined
system(cmd); // SINK: CWE-78 (but unreachable - ifdef excluded)
#else
// Safe path: just print, don't execute
printf("Would execute: %s\n", cmd);
#endif
}
int main(int argc, char *argv[]) {
if (argc > 1) {
process_command(argv[1]);
}
return 0;
}

27
datasets/reachability/ground-truth/unreachable/gt-0013/sample.manifest.json Normal file
View File

@@ -0,0 +1,27 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0013",
"version": "1.0.0",
"category": "unreachable",
"description": "Ifdef-excluded code path - UNREACHABLE",
"language": "c",
"expectedResult": {
"reachable": false,
"tier": "imported",
"confidence": 1.0
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "system",
"vulnerability": "CWE-78"
},
"callChain": null,
"annotations": {
"notes": "Vulnerable code excluded by preprocessor directive",
"difficulty": "easy",
"reason": "preprocessor_excluded"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

121
datasets/reachability/schemas/corpus-sample.v1.json Normal file
View File

@@ -0,0 +1,121 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://stellaops.io/schemas/corpus-sample.v1.json",
"title": "CorpusSample",
"description": "Schema for ground-truth corpus samples used in reachability benchmarking",
"type": "object",
"required": ["sampleId", "name", "format", "arch", "sinks"],
"properties": {
"sampleId": {
"type": "string",
"pattern": "^gt-[0-9]{4}$",
"description": "Unique identifier for the sample (e.g., gt-0001)"
},
"name": {
"type": "string",
"description": "Human-readable name for the sample"
},
"description": {
"type": "string",
"description": "Detailed description of what this sample tests"
},
"category": {
"type": "string",
"enum": ["basic", "indirect", "stripped", "obfuscated", "guarded", "callback", "virtual"],
"description": "Sample category for organization"
},
"format": {
"type": "string",
"enum": ["elf64", "elf32", "pe64", "pe32", "macho64", "macho32"],
"description": "Binary format"
},
"arch": {
"type": "string",
"enum": ["x86_64", "x86", "aarch64", "arm32", "riscv64"],
"description": "Target architecture"
},
"language": {
"type": "string",
"enum": ["c", "cpp", "rust", "go"],
"description": "Source language (for reference)"
},
"compiler": {
"type": "object",
"properties": {
"name": { "type": "string" },
"version": { "type": "string" },
"flags": { "type": "array", "items": { "type": "string" } }
},
"description": "Compiler information used to build the sample"
},
"entryPoint": {
"type": "string",
"default": "main",
"description": "Entry point function name"
},
"sinks": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"required": ["sinkId", "signature", "expected"],
"properties": {
"sinkId": {
"type": "string",
"pattern": "^sink-[0-9]{3}$",
"description": "Unique sink identifier within the sample"
},
"signature": {
"type": "string",
"description": "Function signature of the sink"
},
"sinkType": {
"type": "string",
"enum": ["memory_corruption", "command_injection", "sql_injection", "path_traversal", "format_string", "crypto_weakness", "custom"],
"description": "Type of vulnerability represented by the sink"
},
"expected": {
"type": "string",
"enum": ["reachable", "unreachable", "conditional"],
"description": "Expected reachability determination"
},
"expectedPaths": {
"type": "array",
"items": {
"type": "array",
"items": { "type": "string" }
},
"description": "Expected call paths from entry to sink (for reachable sinks)"
},
"guardConditions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"variable": { "type": "string" },
"condition": { "type": "string" },
"value": { "type": "string" }
}
},
"description": "Guard conditions that protect the sink (for conditional sinks)"
},
"notes": {
"type": "string",
"description": "Additional notes about this sink"
}
}
},
"description": "List of sinks with expected reachability"
},
"metadata": {
"type": "object",
"properties": {
"createdAt": { "type": "string", "format": "date-time" },
"createdBy": { "type": "string" },
"version": { "type": "string" },
"sha256": { "type": "string", "pattern": "^[a-f0-9]{64}$" }
},
"description": "Metadata about the sample"
}
}
}

2
deploy/compose/README.md
View File

@@ -81,7 +81,7 @@ in the `.env` samples match the options bound by `AddSchedulerWorker`:
- `SCHEDULER_QUEUE_KIND` queue transport (`Nats` or `Redis`). - `SCHEDULER_QUEUE_KIND` queue transport (`Nats` or `Redis`).
- `SCHEDULER_QUEUE_NATS_URL` NATS connection string used by planner/runner consumers. - `SCHEDULER_QUEUE_NATS_URL` NATS connection string used by planner/runner consumers.
- `SCHEDULER_STORAGE_DATABASE` MongoDB database name for scheduler state. - `SCHEDULER_STORAGE_DATABASE` PostgreSQL database name for scheduler state.
- `SCHEDULER_SCANNER_BASEADDRESS` base URL the runner uses when invoking Scanners - `SCHEDULER_SCANNER_BASEADDRESS` base URL the runner uses when invoking Scanners
`/api/v1/reports` (defaults to the in-cluster `http://scanner-web:8444`). `/api/v1/reports` (defaults to the in-cluster `http://scanner-web:8444`).

7
deploy/compose/docker-compose.airgap.yaml
View File

@@ -216,6 +216,11 @@ services:
SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}" SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}" SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}" SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
SCANNER__OFFLINEKIT__ENABLED: "${SCANNER_OFFLINEKIT_ENABLED:-false}"
SCANNER__OFFLINEKIT__REQUIREDSSE: "${SCANNER_OFFLINEKIT_REQUIREDSSE:-true}"
SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "${SCANNER_OFFLINEKIT_REKOROFFLINEMODE:-true}"
SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}"
SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}"
# Surface.Env configuration (see docs/modules/scanner/design/surface-env.md) # Surface.Env configuration (see docs/modules/scanner/design/surface-env.md)
SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://rustfs:8080}" SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://rustfs:8080}"
SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}" SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
@@ -232,6 +237,8 @@ services:
volumes: volumes:
- scanner-surface-cache:/var/lib/stellaops/surface - scanner-surface-cache:/var/lib/stellaops/surface
- ${SURFACE_SECRETS_HOST_PATH:-./offline/surface-secrets}:${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}:ro - ${SURFACE_SECRETS_HOST_PATH:-./offline/surface-secrets}:${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}:ro
- ${SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH:-./offline/trust-roots}:${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}:ro
- ${SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH:-./offline/rekor-snapshot}:${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}:ro
ports: ports:
- "${SCANNER_WEB_PORT:-8444}:8444" - "${SCANNER_WEB_PORT:-8444}:8444"
networks: networks:

24
deploy/compose/docker-compose.dev.yaml
View File

@@ -197,14 +197,22 @@ services:
SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}" SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}" SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}"
SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-redis}" SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-redis}"
SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-}" SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-}"
SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}" SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}" SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}" SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
ports: SCANNER__OFFLINEKIT__ENABLED: "${SCANNER_OFFLINEKIT_ENABLED:-false}"
- "${SCANNER_WEB_PORT:-8444}:8444" SCANNER__OFFLINEKIT__REQUIREDSSE: "${SCANNER_OFFLINEKIT_REQUIREDSSE:-true}"
networks: SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "${SCANNER_OFFLINEKIT_REKOROFFLINEMODE:-true}"
- stellaops SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}"
SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}"
volumes:
- ${SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH:-./offline/trust-roots}:${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}:ro
- ${SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH:-./offline/rekor-snapshot}:${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}:ro
ports:
- "${SCANNER_WEB_PORT:-8444}:8444"
networks:
- stellaops
labels: *release-labels labels: *release-labels
scanner-worker: scanner-worker:

26
deploy/compose/docker-compose.prod.yaml
View File

@@ -204,15 +204,23 @@ services:
SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}" SCANNER__QUEUE__BROKER: "${SCANNER_QUEUE_BROKER}"
SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-true}" SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-true}"
SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-redis}" SCANNER__EVENTS__DRIVER: "${SCANNER_EVENTS_DRIVER:-redis}"
SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-}" SCANNER__EVENTS__DSN: "${SCANNER_EVENTS_DSN:-}"
SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}" SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}" SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}" SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
ports: SCANNER__OFFLINEKIT__ENABLED: "${SCANNER_OFFLINEKIT_ENABLED:-false}"
- "${SCANNER_WEB_PORT:-8444}:8444" SCANNER__OFFLINEKIT__REQUIREDSSE: "${SCANNER_OFFLINEKIT_REQUIREDSSE:-true}"
networks: SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "${SCANNER_OFFLINEKIT_REKOROFFLINEMODE:-true}"
- stellaops SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}"
- frontdoor SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}"
volumes:
- ${SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH:-./offline/trust-roots}:${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}:ro
- ${SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH:-./offline/rekor-snapshot}:${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}:ro
ports:
- "${SCANNER_WEB_PORT:-8444}:8444"
networks:
- stellaops
- frontdoor
labels: *release-labels labels: *release-labels
scanner-worker: scanner-worker:

16
deploy/compose/docker-compose.stage.yaml
View File

@@ -201,10 +201,18 @@ services:
SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}" SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}" SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}" SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
ports: SCANNER__OFFLINEKIT__ENABLED: "${SCANNER_OFFLINEKIT_ENABLED:-false}"
- "${SCANNER_WEB_PORT:-8444}:8444" SCANNER__OFFLINEKIT__REQUIREDSSE: "${SCANNER_OFFLINEKIT_REQUIREDSSE:-true}"
networks: SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "${SCANNER_OFFLINEKIT_REKOROFFLINEMODE:-true}"
- stellaops SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}"
SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}"
volumes:
- ${SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH:-./offline/trust-roots}:${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}:ro
- ${SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH:-./offline/rekor-snapshot}:${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}:ro
ports:
- "${SCANNER_WEB_PORT:-8444}:8444"
networks:
- stellaops
labels: *release-labels labels: *release-labels
scanner-worker: scanner-worker:

2
deploy/compose/postgres-init/01-extensions.sql
View File

@@ -19,6 +19,7 @@ CREATE SCHEMA IF NOT EXISTS notify;
CREATE SCHEMA IF NOT EXISTS policy; CREATE SCHEMA IF NOT EXISTS policy;
CREATE SCHEMA IF NOT EXISTS concelier; CREATE SCHEMA IF NOT EXISTS concelier;
CREATE SCHEMA IF NOT EXISTS audit; CREATE SCHEMA IF NOT EXISTS audit;
CREATE SCHEMA IF NOT EXISTS unknowns;
-- Grant usage to application user (assumes POSTGRES_USER is the app user) -- Grant usage to application user (assumes POSTGRES_USER is the app user)
GRANT USAGE ON SCHEMA authority TO PUBLIC; GRANT USAGE ON SCHEMA authority TO PUBLIC;
@@ -29,3 +30,4 @@ GRANT USAGE ON SCHEMA notify TO PUBLIC;
GRANT USAGE ON SCHEMA policy TO PUBLIC; GRANT USAGE ON SCHEMA policy TO PUBLIC;
GRANT USAGE ON SCHEMA concelier TO PUBLIC; GRANT USAGE ON SCHEMA concelier TO PUBLIC;
GRANT USAGE ON SCHEMA audit TO PUBLIC; GRANT USAGE ON SCHEMA audit TO PUBLIC;
GRANT USAGE ON SCHEMA unknowns TO PUBLIC;

5
deploy/helm/stellaops/values-airgap.yaml
View File

@@ -156,6 +156,11 @@ services:
SCANNER__EVENTS__STREAM: "stella.events" SCANNER__EVENTS__STREAM: "stella.events"
SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5" SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
SCANNER__EVENTS__MAXSTREAMLENGTH: "10000" SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
SCANNER__OFFLINEKIT__ENABLED: "false"
SCANNER__OFFLINEKIT__REQUIREDSSE: "true"
SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "true"
SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "/etc/stellaops/trust-roots"
SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "/var/lib/stellaops/rekor-snapshot"
SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1" SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface" SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface"
SCANNER_SURFACE_SECRETS_PROVIDER: "file" SCANNER_SURFACE_SECRETS_PROVIDER: "file"

5
deploy/helm/stellaops/values-dev.yaml
View File

@@ -121,6 +121,11 @@ services:
SCANNER__EVENTS__STREAM: "stella.events" SCANNER__EVENTS__STREAM: "stella.events"
SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5" SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
SCANNER__EVENTS__MAXSTREAMLENGTH: "10000" SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
SCANNER__OFFLINEKIT__ENABLED: "false"
SCANNER__OFFLINEKIT__REQUIREDSSE: "true"
SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "true"
SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "/etc/stellaops/trust-roots"
SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "/var/lib/stellaops/rekor-snapshot"
SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1" SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface" SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface"
SCANNER_SURFACE_SECRETS_PROVIDER: "inline" SCANNER_SURFACE_SECRETS_PROVIDER: "inline"

5
deploy/helm/stellaops/values-prod.yaml
View File

@@ -180,6 +180,11 @@ services:
SCANNER__EVENTS__STREAM: "stella.events" SCANNER__EVENTS__STREAM: "stella.events"
SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5" SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
SCANNER__EVENTS__MAXSTREAMLENGTH: "10000" SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
SCANNER__OFFLINEKIT__ENABLED: "false"
SCANNER__OFFLINEKIT__REQUIREDSSE: "true"
SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "true"
SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "/etc/stellaops/trust-roots"
SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "/var/lib/stellaops/rekor-snapshot"
SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1" SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface" SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface"
SCANNER_SURFACE_SECRETS_PROVIDER: "kubernetes" SCANNER_SURFACE_SECRETS_PROVIDER: "kubernetes"

5
deploy/helm/stellaops/values-stage.yaml
View File

@@ -121,6 +121,11 @@ services:
SCANNER__EVENTS__STREAM: "stella.events" SCANNER__EVENTS__STREAM: "stella.events"
SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5" SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "5"
SCANNER__EVENTS__MAXSTREAMLENGTH: "10000" SCANNER__EVENTS__MAXSTREAMLENGTH: "10000"
SCANNER__OFFLINEKIT__ENABLED: "false"
SCANNER__OFFLINEKIT__REQUIREDSSE: "true"
SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "true"
SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "/etc/stellaops/trust-roots"
SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "/var/lib/stellaops/rekor-snapshot"
SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1" SCANNER_SURFACE_FS_ENDPOINT: "http://stellaops-rustfs:8080/api/v1"
SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface" SCANNER_SURFACE_CACHE_ROOT: "/var/lib/stellaops/surface"
SCANNER_SURFACE_SECRETS_PROVIDER: "kubernetes" SCANNER_SURFACE_SECRETS_PROVIDER: "kubernetes"

393
deploy/postgres-partitioning/001_partition_infrastructure.sql Normal file
View File

@@ -0,0 +1,393 @@
-- Partitioning Infrastructure Migration 001: Foundation
-- Sprint: SPRINT_3422_0001_0001 - Time-Based Partitioning
-- Category: C (infrastructure setup, requires planned maintenance)
--
-- Purpose: Create partition management infrastructure including:
-- - Helper functions for partition creation and maintenance
-- - Utility functions for BRIN index optimization
-- - Partition maintenance scheduling support
--
-- This migration creates the foundation; table conversion is done in separate migrations.
BEGIN;
-- ============================================================================
-- Step 1: Create partition management schema
-- ============================================================================
CREATE SCHEMA IF NOT EXISTS partition_mgmt;
COMMENT ON SCHEMA partition_mgmt IS
'Partition management utilities for time-series tables';
-- ============================================================================
-- Step 2: Partition creation function
-- ============================================================================
-- Creates a new partition for a given table and date range
CREATE OR REPLACE FUNCTION partition_mgmt.create_partition(
p_schema_name TEXT,
p_table_name TEXT,
p_partition_column TEXT,
p_start_date DATE,
p_end_date DATE,
p_partition_suffix TEXT DEFAULT NULL
)
RETURNS TEXT
LANGUAGE plpgsql
AS $$
DECLARE
v_partition_name TEXT;
v_parent_table TEXT;
v_sql TEXT;
BEGIN
v_parent_table := format('%I.%I', p_schema_name, p_table_name);
-- Generate partition name: tablename_YYYY_MM or tablename_YYYY_Q#
IF p_partition_suffix IS NOT NULL THEN
v_partition_name := format('%s_%s', p_table_name, p_partition_suffix);
ELSE
v_partition_name := format('%s_%s', p_table_name, to_char(p_start_date, 'YYYY_MM'));
END IF;
-- Check if partition already exists
IF EXISTS (
SELECT 1 FROM pg_class c
JOIN pg_namespace n ON c.relnamespace = n.oid
WHERE n.nspname = p_schema_name AND c.relname = v_partition_name
) THEN
RAISE NOTICE 'Partition % already exists, skipping', v_partition_name;
RETURN v_partition_name;
END IF;
-- Create partition
v_sql := format(
'CREATE TABLE %I.%I PARTITION OF %s FOR VALUES FROM (%L) TO (%L)',
p_schema_name,
v_partition_name,
v_parent_table,
p_start_date,
p_end_date
);
EXECUTE v_sql;
RAISE NOTICE 'Created partition %.%', p_schema_name, v_partition_name;
RETURN v_partition_name;
END;
$$;
-- ============================================================================
-- Step 3: Monthly partition creation helper
-- ============================================================================
CREATE OR REPLACE FUNCTION partition_mgmt.create_monthly_partitions(
p_schema_name TEXT,
p_table_name TEXT,
p_partition_column TEXT,
p_start_month DATE,
p_months_ahead INT DEFAULT 3
)
RETURNS SETOF TEXT
LANGUAGE plpgsql
AS $$
DECLARE
v_current_month DATE;
v_end_month DATE;
v_partition_name TEXT;
BEGIN
v_current_month := date_trunc('month', p_start_month)::DATE;
v_end_month := date_trunc('month', NOW() + (p_months_ahead || ' months')::INTERVAL)::DATE;
WHILE v_current_month <= v_end_month LOOP
v_partition_name := partition_mgmt.create_partition(
p_schema_name,
p_table_name,
p_partition_column,
v_current_month,
(v_current_month + INTERVAL '1 month')::DATE
);
RETURN NEXT v_partition_name;
v_current_month := (v_current_month + INTERVAL '1 month')::DATE;
END LOOP;
END;
$$;
-- ============================================================================
-- Step 4: Quarterly partition creation helper
-- ============================================================================
CREATE OR REPLACE FUNCTION partition_mgmt.create_quarterly_partitions(
p_schema_name TEXT,
p_table_name TEXT,
p_partition_column TEXT,
p_start_quarter DATE,
p_quarters_ahead INT DEFAULT 2
)
RETURNS SETOF TEXT
LANGUAGE plpgsql
AS $$
DECLARE
v_current_quarter DATE;
v_end_quarter DATE;
v_partition_name TEXT;
v_suffix TEXT;
BEGIN
v_current_quarter := date_trunc('quarter', p_start_quarter)::DATE;
v_end_quarter := date_trunc('quarter', NOW() + (p_quarters_ahead * 3 || ' months')::INTERVAL)::DATE;
WHILE v_current_quarter <= v_end_quarter LOOP
-- Generate suffix like 2025_Q1, 2025_Q2, etc.
v_suffix := to_char(v_current_quarter, 'YYYY') || '_Q' ||
EXTRACT(QUARTER FROM v_current_quarter)::TEXT;
v_partition_name := partition_mgmt.create_partition(
p_schema_name,
p_table_name,
p_partition_column,
v_current_quarter,
(v_current_quarter + INTERVAL '3 months')::DATE,
v_suffix
);
RETURN NEXT v_partition_name;
v_current_quarter := (v_current_quarter + INTERVAL '3 months')::DATE;
END LOOP;
END;
$$;
-- ============================================================================
-- Step 5: Partition detach and archive function
-- ============================================================================
CREATE OR REPLACE FUNCTION partition_mgmt.detach_partition(
p_schema_name TEXT,
p_table_name TEXT,
p_partition_name TEXT,
p_archive_schema TEXT DEFAULT 'archive'
)
RETURNS BOOLEAN
LANGUAGE plpgsql
AS $$
DECLARE
v_parent_table TEXT;
v_partition_full TEXT;
v_archive_table TEXT;
BEGIN
v_parent_table := format('%I.%I', p_schema_name, p_table_name);
v_partition_full := format('%I.%I', p_schema_name, p_partition_name);
v_archive_table := format('%I.%I', p_archive_schema, p_partition_name);
-- Create archive schema if not exists
EXECUTE format('CREATE SCHEMA IF NOT EXISTS %I', p_archive_schema);
-- Detach partition
EXECUTE format(
'ALTER TABLE %s DETACH PARTITION %s',
v_parent_table,
v_partition_full
);
-- Move to archive schema
EXECUTE format(
'ALTER TABLE %s SET SCHEMA %I',
v_partition_full,
p_archive_schema
);
RAISE NOTICE 'Detached and archived partition % to %', p_partition_name, v_archive_table;
RETURN TRUE;
EXCEPTION
WHEN OTHERS THEN
RAISE WARNING 'Failed to detach partition %: %', p_partition_name, SQLERRM;
RETURN FALSE;
END;
$$;
-- ============================================================================
-- Step 6: Partition retention cleanup function
-- ============================================================================
CREATE OR REPLACE FUNCTION partition_mgmt.cleanup_old_partitions(
p_schema_name TEXT,
p_table_name TEXT,
p_retention_months INT,
p_archive_schema TEXT DEFAULT 'archive',
p_dry_run BOOLEAN DEFAULT TRUE
)
RETURNS TABLE(partition_name TEXT, action TEXT)
LANGUAGE plpgsql
AS $$
DECLARE
v_cutoff_date DATE;
v_partition RECORD;
v_partition_end DATE;
BEGIN
v_cutoff_date := (NOW() - (p_retention_months || ' months')::INTERVAL)::DATE;
FOR v_partition IN
SELECT c.relname as name,
pg_get_expr(c.relpartbound, c.oid) as bound_expr
FROM pg_class c
JOIN pg_namespace n ON c.relnamespace = n.oid
JOIN pg_inherits i ON c.oid = i.inhrelid
JOIN pg_class parent ON i.inhparent = parent.oid
WHERE n.nspname = p_schema_name
AND parent.relname = p_table_name
AND c.relkind = 'r'
LOOP
-- Parse the partition bound to get end date
-- Format: FOR VALUES FROM ('2024-01-01') TO ('2024-02-01')
v_partition_end := (regexp_match(v_partition.bound_expr,
'TO \(''([^'']+)''\)'))[1]::DATE;
IF v_partition_end IS NOT NULL AND v_partition_end < v_cutoff_date THEN
partition_name := v_partition.name;
IF p_dry_run THEN
action := 'WOULD_ARCHIVE';
ELSE
IF partition_mgmt.detach_partition(
p_schema_name, p_table_name, v_partition.name, p_archive_schema
) THEN
action := 'ARCHIVED';
ELSE
action := 'FAILED';
END IF;
END IF;
RETURN NEXT;
END IF;
END LOOP;
END;
$$;
-- ============================================================================
-- Step 7: Partition statistics view
-- ============================================================================
CREATE OR REPLACE VIEW partition_mgmt.partition_stats AS
SELECT
n.nspname AS schema_name,
parent.relname AS table_name,
c.relname AS partition_name,
pg_get_expr(c.relpartbound, c.oid) AS partition_range,
pg_size_pretty(pg_relation_size(c.oid)) AS size,
pg_relation_size(c.oid) AS size_bytes,
COALESCE(s.n_live_tup, 0) AS estimated_rows,
s.last_vacuum,
s.last_autovacuum,
s.last_analyze,
s.last_autoanalyze
FROM pg_class c
JOIN pg_namespace n ON c.relnamespace = n.oid
JOIN pg_inherits i ON c.oid = i.inhrelid
JOIN pg_class parent ON i.inhparent = parent.oid
LEFT JOIN pg_stat_user_tables s ON c.oid = s.relid
WHERE c.relkind = 'r'
AND parent.relkind = 'p'
ORDER BY n.nspname, parent.relname, c.relname;
COMMENT ON VIEW partition_mgmt.partition_stats IS
'Statistics for all partitioned tables in the database';
-- ============================================================================
-- Step 8: BRIN index optimization helper
-- ============================================================================
CREATE OR REPLACE FUNCTION partition_mgmt.create_brin_index_if_not_exists(
p_schema_name TEXT,
p_table_name TEXT,
p_column_name TEXT,
p_pages_per_range INT DEFAULT 128
)
RETURNS BOOLEAN
LANGUAGE plpgsql
AS $$
DECLARE
v_index_name TEXT;
v_sql TEXT;
BEGIN
v_index_name := format('brin_%s_%s', p_table_name, p_column_name);
-- Check if index exists
IF EXISTS (
SELECT 1 FROM pg_indexes
WHERE schemaname = p_schema_name AND indexname = v_index_name
) THEN
RAISE NOTICE 'BRIN index % already exists', v_index_name;
RETURN FALSE;
END IF;
v_sql := format(
'CREATE INDEX %I ON %I.%I USING brin (%I) WITH (pages_per_range = %s)',
v_index_name,
p_schema_name,
p_table_name,
p_column_name,
p_pages_per_range
);
EXECUTE v_sql;
RAISE NOTICE 'Created BRIN index % on %.%(%)',
v_index_name, p_schema_name, p_table_name, p_column_name;
RETURN TRUE;
END;
$$;
-- ============================================================================
-- Step 9: Maintenance job tracking table
-- ============================================================================
CREATE TABLE IF NOT EXISTS partition_mgmt.maintenance_log (
id BIGSERIAL PRIMARY KEY,
operation TEXT NOT NULL,
schema_name TEXT NOT NULL,
table_name TEXT NOT NULL,
partition_name TEXT,
status TEXT NOT NULL DEFAULT 'started',
details JSONB NOT NULL DEFAULT '{}',
started_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
completed_at TIMESTAMPTZ,
error_message TEXT
);
CREATE INDEX idx_maintenance_log_table ON partition_mgmt.maintenance_log(schema_name, table_name);
CREATE INDEX idx_maintenance_log_status ON partition_mgmt.maintenance_log(status, started_at);
-- ============================================================================
-- Step 10: Archive schema for detached partitions
-- ============================================================================
CREATE SCHEMA IF NOT EXISTS archive;
COMMENT ON SCHEMA archive IS
'Storage for detached/archived partitions awaiting deletion or offload';
COMMIT;
-- ============================================================================
-- Usage Examples (commented out)
-- ============================================================================
/*
-- Create monthly partitions for audit table, 3 months ahead
SELECT partition_mgmt.create_monthly_partitions(
'scheduler', 'audit', 'created_at', '2024-01-01'::DATE, 3
);
-- Preview old partitions that would be archived (dry run)
SELECT * FROM partition_mgmt.cleanup_old_partitions(
'scheduler', 'audit', 12, 'archive', TRUE
);
-- Actually archive old partitions
SELECT * FROM partition_mgmt.cleanup_old_partitions(
'scheduler', 'audit', 12, 'archive', FALSE
);
-- View partition statistics
SELECT * FROM partition_mgmt.partition_stats
WHERE schema_name = 'scheduler'
ORDER BY table_name, partition_name;
*/

159
deploy/postgres-validation/001_validate_rls.sql Normal file
View File

@@ -0,0 +1,159 @@
-- RLS Validation Script
-- Sprint: SPRINT_3421_0001_0001 - RLS Expansion
--
-- Purpose: Verify that RLS is properly configured on all tenant-scoped tables
-- Run this script after deploying RLS migrations to validate configuration
-- ============================================================================
-- Part 1: List all tables with RLS status
-- ============================================================================
\echo '=== RLS Status for All Schemas ==='
SELECT
schemaname AS schema,
tablename AS table_name,
rowsecurity AS rls_enabled,
forcerowsecurity AS rls_forced,
CASE
WHEN rowsecurity AND forcerowsecurity THEN 'OK'
WHEN rowsecurity AND NOT forcerowsecurity THEN 'WARN: Not forced'
ELSE 'MISSING'
END AS status
FROM pg_tables
WHERE schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns')
ORDER BY schemaname, tablename;
-- ============================================================================
-- Part 2: List all RLS policies
-- ============================================================================
\echo ''
\echo '=== RLS Policies ==='
SELECT
schemaname AS schema,
tablename AS table_name,
policyname AS policy_name,
permissive,
roles,
cmd AS applies_to,
qual IS NOT NULL AS has_using,
with_check IS NOT NULL AS has_check
FROM pg_policies
WHERE schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns')
ORDER BY schemaname, tablename, policyname;
-- ============================================================================
-- Part 3: Tables missing RLS that should have it (have tenant_id column)
-- ============================================================================
\echo ''
\echo '=== Tables with tenant_id but NO RLS ==='
SELECT
c.table_schema AS schema,
c.table_name AS table_name,
'MISSING RLS' AS issue
FROM information_schema.columns c
JOIN pg_tables t ON c.table_schema = t.schemaname AND c.table_name = t.tablename
WHERE c.column_name IN ('tenant_id', 'tenant')
AND c.table_schema IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns')
AND NOT t.rowsecurity
ORDER BY c.table_schema, c.table_name;
-- ============================================================================
-- Part 4: Verify helper functions exist
-- ============================================================================
\echo ''
\echo '=== RLS Helper Functions ==='
SELECT
n.nspname AS schema,
p.proname AS function_name,
CASE
WHEN p.prosecdef THEN 'SECURITY DEFINER'
ELSE 'SECURITY INVOKER'
END AS security,
CASE
WHEN p.provolatile = 's' THEN 'STABLE'
WHEN p.provolatile = 'i' THEN 'IMMUTABLE'
ELSE 'VOLATILE'
END AS volatility
FROM pg_proc p
JOIN pg_namespace n ON p.pronamespace = n.oid
WHERE p.proname = 'require_current_tenant'
AND n.nspname LIKE '%_app'
ORDER BY n.nspname;
-- ============================================================================
-- Part 5: Test RLS enforcement (expect failure without tenant context)
-- ============================================================================
\echo ''
\echo '=== RLS Enforcement Test ==='
\echo 'Testing RLS on scheduler.runs (should fail without tenant context)...'
-- Reset tenant context
SELECT set_config('app.tenant_id', '', false);
DO $$
BEGIN
-- This should raise an exception if RLS is working
PERFORM * FROM scheduler.runs LIMIT 1;
RAISE NOTICE 'WARNING: Query succeeded without tenant context - RLS may not be working!';
EXCEPTION
WHEN OTHERS THEN
RAISE NOTICE 'OK: RLS blocked query without tenant context: %', SQLERRM;
END
$$;
-- ============================================================================
-- Part 6: Admin bypass role verification
-- ============================================================================
\echo ''
\echo '=== Admin Bypass Roles ==='
SELECT
rolname AS role_name,
rolbypassrls AS can_bypass_rls,
rolcanlogin AS can_login
FROM pg_roles
WHERE rolname LIKE '%_admin'
AND rolbypassrls = TRUE
ORDER BY rolname;
-- ============================================================================
-- Summary
-- ============================================================================
\echo ''
\echo '=== Summary ==='
SELECT
'Total Tables' AS metric,
COUNT(*)::TEXT AS value
FROM pg_tables
WHERE schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns')
UNION ALL
SELECT
'Tables with RLS Enabled',
COUNT(*)::TEXT
FROM pg_tables
WHERE schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns')
AND rowsecurity = TRUE
UNION ALL
SELECT
'Tables with RLS Forced',
COUNT(*)::TEXT
FROM pg_tables
WHERE schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns')
AND forcerowsecurity = TRUE
UNION ALL
SELECT
'Active Policies',
COUNT(*)::TEXT
FROM pg_policies
WHERE schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns');

238
deploy/postgres-validation/002_validate_partitions.sql Normal file
View File

@@ -0,0 +1,238 @@
-- Partition Validation Script
-- Sprint: SPRINT_3422_0001_0001 - Time-Based Partitioning
--
-- Purpose: Verify that partitioned tables are properly configured and healthy
-- ============================================================================
-- Part 1: List all partitioned tables
-- ============================================================================
\echo '=== Partitioned Tables ==='
SELECT
n.nspname AS schema,
c.relname AS table_name,
CASE pt.partstrat
WHEN 'r' THEN 'RANGE'
WHEN 'l' THEN 'LIST'
WHEN 'h' THEN 'HASH'
END AS partition_strategy,
array_to_string(array_agg(a.attname ORDER BY k.col), ', ') AS partition_key
FROM pg_class c
JOIN pg_namespace n ON c.relnamespace = n.oid
JOIN pg_partitioned_table pt ON c.oid = pt.partrelid
JOIN LATERAL unnest(pt.partattrs) WITH ORDINALITY AS k(col, idx) ON true
LEFT JOIN pg_attribute a ON a.attrelid = c.oid AND a.attnum = k.col
WHERE n.nspname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns', 'vuln')
GROUP BY n.nspname, c.relname, pt.partstrat
ORDER BY n.nspname, c.relname;
-- ============================================================================
-- Part 2: Partition inventory with sizes
-- ============================================================================
\echo ''
\echo '=== Partition Inventory ==='
SELECT
n.nspname AS schema,
parent.relname AS parent_table,
c.relname AS partition_name,
pg_get_expr(c.relpartbound, c.oid) AS bounds,
pg_size_pretty(pg_relation_size(c.oid)) AS size,
s.n_live_tup AS estimated_rows
FROM pg_class c
JOIN pg_namespace n ON c.relnamespace = n.oid
JOIN pg_inherits i ON c.oid = i.inhrelid
JOIN pg_class parent ON i.inhparent = parent.oid
LEFT JOIN pg_stat_user_tables s ON c.oid = s.relid
WHERE n.nspname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns', 'vuln')
AND c.relkind = 'r'
AND parent.relkind = 'p'
ORDER BY n.nspname, parent.relname, c.relname;
-- ============================================================================
-- Part 3: Check for missing future partitions
-- ============================================================================
\echo ''
\echo '=== Future Partition Coverage ==='
WITH partition_bounds AS (
SELECT
n.nspname AS schema_name,
parent.relname AS table_name,
c.relname AS partition_name,
-- Extract the TO date from partition bound
(regexp_match(pg_get_expr(c.relpartbound, c.oid), 'TO \(''([^'']+)''\)'))[1]::DATE AS end_date
FROM pg_class c
JOIN pg_namespace n ON c.relnamespace = n.oid
JOIN pg_inherits i ON c.oid = i.inhrelid
JOIN pg_class parent ON i.inhparent = parent.oid
WHERE c.relkind = 'r'
AND parent.relkind = 'p'
AND c.relname NOT LIKE '%_default'
),
max_bounds AS (
SELECT
schema_name,
table_name,
MAX(end_date) AS max_partition_date
FROM partition_bounds
WHERE end_date IS NOT NULL
GROUP BY schema_name, table_name
)
SELECT
schema_name,
table_name,
max_partition_date,
(max_partition_date - CURRENT_DATE) AS days_ahead,
CASE
WHEN (max_partition_date - CURRENT_DATE) < 30 THEN 'CRITICAL: Create partitions!'
WHEN (max_partition_date - CURRENT_DATE) < 60 THEN 'WARNING: Running low'
ELSE 'OK'
END AS status
FROM max_bounds
ORDER BY days_ahead;
-- ============================================================================
-- Part 4: Check for orphaned data in default partitions
-- ============================================================================
\echo ''
\echo '=== Default Partition Data (should be empty) ==='
DO $$
DECLARE
v_schema TEXT;
v_table TEXT;
v_count BIGINT;
v_sql TEXT;
BEGIN
FOR v_schema, v_table IN
SELECT n.nspname, c.relname
FROM pg_class c
JOIN pg_namespace n ON c.relnamespace = n.oid
WHERE c.relname LIKE '%_default'
AND n.nspname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns', 'vuln')
LOOP
v_sql := format('SELECT COUNT(*) FROM %I.%I', v_schema, v_table);
EXECUTE v_sql INTO v_count;
IF v_count > 0 THEN
RAISE NOTICE 'WARNING: %.% has % rows in default partition!',
v_schema, v_table, v_count;
ELSE
RAISE NOTICE 'OK: %.% is empty', v_schema, v_table;
END IF;
END LOOP;
END
$$;
-- ============================================================================
-- Part 5: Index health on partitions
-- ============================================================================
\echo ''
\echo '=== Partition Index Coverage ==='
SELECT
schemaname AS schema,
tablename AS table_name,
indexname AS index_name,
indexdef
FROM pg_indexes
WHERE schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns', 'vuln')
AND tablename LIKE '%_partitioned' OR tablename LIKE '%_202%'
ORDER BY schemaname, tablename, indexname;
-- ============================================================================
-- Part 6: BRIN index effectiveness check
-- ============================================================================
\echo ''
\echo '=== BRIN Index Statistics ==='
SELECT
schemaname AS schema,
tablename AS table_name,
indexrelname AS index_name,
idx_scan AS scans,
idx_tup_read AS tuples_read,
idx_tup_fetch AS tuples_fetched,
pg_size_pretty(pg_relation_size(indexrelid)) AS index_size
FROM pg_stat_user_indexes
WHERE indexrelname LIKE 'brin_%'
ORDER BY schemaname, tablename;
-- ============================================================================
-- Part 7: Partition maintenance recommendations
-- ============================================================================
\echo ''
\echo '=== Maintenance Recommendations ==='
WITH partition_ages AS (
SELECT
n.nspname AS schema_name,
parent.relname AS table_name,
c.relname AS partition_name,
(regexp_match(pg_get_expr(c.relpartbound, c.oid), 'FROM \(''([^'']+)''\)'))[1]::DATE AS start_date,
(regexp_match(pg_get_expr(c.relpartbound, c.oid), 'TO \(''([^'']+)''\)'))[1]::DATE AS end_date
FROM pg_class c
JOIN pg_namespace n ON c.relnamespace = n.oid
JOIN pg_inherits i ON c.oid = i.inhrelid
JOIN pg_class parent ON i.inhparent = parent.oid
WHERE c.relkind = 'r'
AND parent.relkind = 'p'
AND c.relname NOT LIKE '%_default'
)
SELECT
schema_name,
table_name,
partition_name,
start_date,
end_date,
(CURRENT_DATE - end_date) AS days_old,
CASE
WHEN (CURRENT_DATE - end_date) > 365 THEN 'Consider archiving (>1 year old)'
WHEN (CURRENT_DATE - end_date) > 180 THEN 'Review retention policy (>6 months old)'
ELSE 'Current'
END AS recommendation
FROM partition_ages
WHERE start_date IS NOT NULL
ORDER BY schema_name, table_name, start_date;
-- ============================================================================
-- Summary
-- ============================================================================
\echo ''
\echo '=== Summary ==='
SELECT
'Partitioned Tables' AS metric,
COUNT(DISTINCT parent.relname)::TEXT AS value
FROM pg_class c
JOIN pg_namespace n ON c.relnamespace = n.oid
JOIN pg_inherits i ON c.oid = i.inhrelid
JOIN pg_class parent ON i.inhparent = parent.oid
WHERE n.nspname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns', 'vuln')
AND parent.relkind = 'p'
UNION ALL
SELECT
'Total Partitions',
COUNT(*)::TEXT
FROM pg_class c
JOIN pg_namespace n ON c.relnamespace = n.oid
JOIN pg_inherits i ON c.oid = i.inhrelid
JOIN pg_class parent ON i.inhparent = parent.oid
WHERE n.nspname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns', 'vuln')
AND parent.relkind = 'p'
UNION ALL
SELECT
'BRIN Indexes',
COUNT(*)::TEXT
FROM pg_indexes
WHERE indexname LIKE 'brin_%'
AND schemaname IN ('scheduler', 'notify', 'authority', 'vex', 'policy', 'unknowns', 'vuln');

42
deploy/telemetry/alerts/scanner-fn-drift-alerts.yaml Normal file
View File

@@ -0,0 +1,42 @@
# Scanner FN-Drift Alert Rules
# SLO alerts for false-negative drift thresholds (30-day rolling window)
groups:
- name: scanner-fn-drift
interval: 30s
rules:
- alert: ScannerFnDriftWarning
expr: scanner_fn_drift_percent > 1.0
for: 5m
labels:
severity: warning
service: scanner
slo: fn-drift
annotations:
summary: "Scanner FN-Drift rate above warning threshold"
description: "FN-Drift is {{ $value | humanizePercentage }} (> 1.0%) over the 30-day rolling window."
runbook_url: "https://docs.stellaops.io/runbooks/scanner/fn-drift-warning"
- alert: ScannerFnDriftCritical
expr: scanner_fn_drift_percent > 2.5
for: 5m
labels:
severity: critical
service: scanner
slo: fn-drift
annotations:
summary: "Scanner FN-Drift rate above critical threshold"
description: "FN-Drift is {{ $value | humanizePercentage }} (> 2.5%) over the 30-day rolling window."
runbook_url: "https://docs.stellaops.io/runbooks/scanner/fn-drift-critical"
- alert: ScannerFnDriftEngineViolation
expr: scanner_fn_drift_cause_engine > 0
for: 1m
labels:
severity: page
service: scanner
slo: determinism
annotations:
summary: "Engine-caused FN drift detected (determinism violation)"
description: "Engine-caused FN drift count is {{ $value }} (> 0). This indicates non-feed, non-policy changes affecting outcomes."
runbook_url: "https://docs.stellaops.io/runbooks/scanner/fn-drift-engine-violation"

24
docs/04_FEATURE_MATRIX.md
View File

@@ -1,7 +1,7 @@
#4 · FeatureMatrix — **StellaOps** #4 · FeatureMatrix — **StellaOps**
*(rev2.0 · 14Jul2025)* *(rev2.0 · 14Jul2025)*
> **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail. > **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail.
| Category | Capability | Free Tier (≤333 scans/day) | Community Plugin | Commercial AddOn | Notes / ETA | | Category | Capability | Free Tier (≤333 scans/day) | Community Plugin | Commercial AddOn | Notes / ETA |
| ---------------------- | ------------------------------------- | ----------------------------- | ----------------- | ------------------- | ------------------------------------------ | | ---------------------- | ------------------------------------- | ----------------------------- | ----------------- | ------------------- | ------------------------------------------ |
@@ -19,18 +19,18 @@
| | Usage API (`/quota`) | | | | CI can poll remaining scans | | | Usage API (`/quota`) | | | | CI can poll remaining scans |
| **User Interface** | Dark / light mode | | | | Autodetect OS theme | | **User Interface** | Dark / light mode | | | | Autodetect OS theme |
| | Additional locale (Cyrillic) | | | | Default if `AcceptLanguage: bg` or any other | | | Additional locale (Cyrillic) | | | | Default if `AcceptLanguage: bg` or any other |
| | Audit trail | | | | Mongo history | | | Audit trail | | | | PostgreSQL history |
| **Deployment** | Docker Compose bundle | | | | Singlenode | | **Deployment** | Docker Compose bundle | | | | Singlenode |
| | Helm chart (K8s) | | | | Horizontal scaling | | | Helm chart (K8s) | | | | Horizontal scaling |
| | Highavailability split services | | | (AddOn) | HA Redis & Mongo | | | Highavailability split services | | | (AddOn) | HA Redis & PostgreSQL |
| **Extensibility** | .NET hotload plugins | | N/A | | AGPL reference SDK | | **Extensibility** | .NET hotload plugins | | N/A | | AGPL reference SDK |
| | Community plugin marketplace | |  (βQ22026) | | Moderated listings | | | Community plugin marketplace | |  (βQ22026) | | Moderated listings |
| **Telemetry** | Optin anonymous metrics | | | | Required for quota satisfaction KPI | | **Telemetry** | Optin anonymous metrics | | | | Required for quota satisfaction KPI |
| **Quota & Tokens** | **ClientJWT issuance** | (online 12h token) | | | `/connect/token` | | **Quota & Tokens** | **ClientJWT issuance** | (online 12h token) | | | `/connect/token` |
| | **Offline ClientJWT (30d)** | via OUK | | | Refreshed monthly in OUK | | | **Offline ClientJWT (30d)** | via OUK | | | Refreshed monthly in OUK |
| **Reachability & Evidence** | Graph-level reachability DSSE |  (Q12026) | | | Mandatory attestation per graph; CAS+Rekor; see `docs/reachability/hybrid-attestation.md`. | | **Reachability & Evidence** | Graph-level reachability DSSE |  (Q12026) | | | Mandatory attestation per graph; CAS+Rekor; see `docs/reachability/hybrid-attestation.md`. |
| | Edge-bundle DSSE (selective) |  (Q22026) | | | Optional bundles for runtime/init/contested edges; Rekor publish capped. | | | Edge-bundle DSSE (selective) |  (Q22026) | | | Optional bundles for runtime/init/contested edges; Rekor publish capped. |
| | Cross-scanner determinism bench |  (Q12026) | | | CI bench from 23-Nov advisory; determinism rate + CVSS σ. | | | Cross-scanner determinism bench |  (Q12026) | | | CI bench from 23-Nov advisory; determinism rate + CVSS σ. |
> **Legend:** ✅ =Included=Planned=Not applicable > **Legend:** ✅ =Included=Planned=Not applicable
> Rows marked “Commercial AddOn” are optional paid components shipping outside the AGPLcore; everything else is FOSS. > Rows marked “Commercial AddOn” are optional paid components shipping outside the AGPLcore; everything else is FOSS.

12
docs/05_SYSTEM_REQUIREMENTS_SPEC.md
View File

@@ -11,18 +11,18 @@ StellaOps · selfhosted supplychainsecurity platform
## 1·Purpose & Scope ## 1·Purpose & Scope
This SRS defines everything the **v0.1.0alpha** release of _StellaOps_ must do, **including the Freetier daily quota of {{ quota_token }} SBOM scans per token**. This SRS defines everything the **v0.1.0alpha** release of _StellaOps_ must do, **including the Freetier daily quota of {{ quota_token }} SBOM scans per token**.
Scope includes core platform, CLI, UI, quota layer, and plugin host; commercial or closedsource extensions are explicitly outofscope. Scope includes core platform, CLI, UI, quota layer, and plugin host; commercial or closedsource extensions are explicitly outofscope.
--- ---
## 2·References ## 2·References
* [overview.md](overview.md)  market gap & problem statement * [overview.md](overview.md)  market gap & problem statement
* [03_VISION.md](03_VISION.md)  northstar, KPIs, quarterly themes * [03_VISION.md](03_VISION.md)  northstar, KPIs, quarterly themes
* [07_HIGH_LEVEL_ARCHITECTURE.md](07_HIGH_LEVEL_ARCHITECTURE.md)  context & data flow diagrams * [07_HIGH_LEVEL_ARCHITECTURE.md](07_HIGH_LEVEL_ARCHITECTURE.md)  context & data flow diagrams
* [modules/platform/architecture-overview.md](modules/platform/architecture-overview.md)  component APIs & plugin contracts * [modules/platform/architecture-overview.md](modules/platform/architecture-overview.md)  component APIs & plugin contracts
* [09_API_CLI_REFERENCE.md](09_API_CLI_REFERENCE.md)  REST & CLI surface * [09_API_CLI_REFERENCE.md](09_API_CLI_REFERENCE.md)  REST & CLI surface
--- ---
@@ -136,7 +136,7 @@ access.
| **NFRPERF1** | Performance | P95 cold scan ≤5s; warm ≤1s (see **FRDELTA3**). | | **NFRPERF1** | Performance | P95 cold scan ≤5s; warm ≤1s (see **FRDELTA3**). |
| **NFRPERF2** | Throughput | System shall sustain 60 concurrent scans on 8core node without queue depth >10. | | **NFRPERF2** | Throughput | System shall sustain 60 concurrent scans on 8core node without queue depth >10. |
| **NFRAVAIL1** | Availability | All services shall start offline; any Internet call must be optional. | | **NFRAVAIL1** | Availability | All services shall start offline; any Internet call must be optional. |
| **NFRSCAL1** | Scalability | Horizontal scaling via Kubernetes replicas for backend, Redis Sentinel, Mongo replica set. | | **NFR-SCAL-1** | Scalability | Horizontal scaling via Kubernetes replicas for backend, Redis Sentinel, PostgreSQL cluster. |
| **NFRSEC1** | Security | All interservice traffic shall use TLS or localhost sockets. | | **NFRSEC1** | Security | All interservice traffic shall use TLS or localhost sockets. |
| **NFRCOMP1** | Compatibility | Platform shall run on x8664 Linux kernel ≥5.10; Windows agents (TODO>6mo) must support Server 2019+. | | **NFRCOMP1** | Compatibility | Platform shall run on x8664 Linux kernel ≥5.10; Windows agents (TODO>6mo) must support Server 2019+. |
| **NFRI18N1** | Internationalisation | UI must support EN and at least one additional locale (Cyrillic). | | **NFRI18N1** | Internationalisation | UI must support EN and at least one additional locale (Cyrillic). |
@@ -179,7 +179,7 @@ Authorization: Bearer <token>
## 9 ·Assumptions & Constraints ## 9 ·Assumptions & Constraints
* Hardware reference: 8vCPU, 8GB RAM, NVMe SSD. * Hardware reference: 8vCPU, 8GB RAM, NVMe SSD.
* MongoDB and Redis run colocated unless horizontal scaling enabled. * PostgreSQL and Redis run co-located unless horizontal scaling enabled.
* All docker images tagged `latest` are immutable (CI process locks digests). * All docker images tagged `latest` are immutable (CI process locks digests).
* Rego evaluation runs in embedded OPA Golibrary (no external binary). * Rego evaluation runs in embedded OPA Golibrary (no external binary).

4
docs/07_HIGH_LEVEL_ARCHITECTURE.md
View File

@@ -36,8 +36,8 @@
| **Scanner.Worker** | `stellaops/scanner-worker` | Runs analyzers (OS, Lang: Java/Node/Python/Go/.NET/Rust, Native ELF/PE/MachO, EntryTrace); emits perlayer SBOMs and composes image SBOMs. | Horizontal; queuedriven; sharded by layer digest. | | **Scanner.Worker** | `stellaops/scanner-worker` | Runs analyzers (OS, Lang: Java/Node/Python/Go/.NET/Rust, Native ELF/PE/MachO, EntryTrace); emits perlayer SBOMs and composes image SBOMs. | Horizontal; queuedriven; sharded by layer digest. |
| **Scanner.Sbomer.BuildXPlugin** | `stellaops/sbom-indexer` | BuildKit **generator** for buildtime SBOMs as OCI **referrers**. | CIside; ephemeral. | | **Scanner.Sbomer.BuildXPlugin** | `stellaops/sbom-indexer` | BuildKit **generator** for buildtime SBOMs as OCI **referrers**. | CIside; ephemeral. |
| **Scanner.Sbomer.DockerImage** | `stellaops/scanner-cli` | CLIorchestrated scanner container for postbuild scans. | Local/CI; ephemeral. | | **Scanner.Sbomer.DockerImage** | `stellaops/scanner-cli` | CLIorchestrated scanner container for postbuild scans. | Local/CI; ephemeral. |
| **Concelier.WebService** | `stellaops/concelier-web` | Vulnerability ingest/normalize/merge/export (JSON + Trivy DB). | HA via Mongo locks. | | **Concelier.WebService** | `stellaops/concelier-web` | Vulnerability ingest/normalize/merge/export (JSON + Trivy DB). | HA via PostgreSQL locks. |
| **Excititor.WebService** | `stellaops/excititor-web` | VEX ingest/normalize/consensus; conflict retention; exports. | HA via Mongo locks. | | **Excititor.WebService** | `stellaops/excititor-web` | VEX ingest/normalize/consensus; conflict retention; exports. | HA via PostgreSQL locks. |
| **Policy Engine** | (in `scanner-web`) | YAML DSL evaluator (waivers, vendor preferences, KEV/EPSS, license, usagegating); produces **policy digest**. | Inprocess; cache per digest. | | **Policy Engine** | (in `scanner-web`) | YAML DSL evaluator (waivers, vendor preferences, KEV/EPSS, license, usagegating); produces **policy digest**. | Inprocess; cache per digest. |
| **Scheduler.WebService** | `stellaops/scheduler-web` | Schedules **reevaluation** runs; consumes Concelier/Excititor deltas; selects **impacted images** via BOMIndex; orchestrates analysisonly reports. | Stateless API. | | **Scheduler.WebService** | `stellaops/scheduler-web` | Schedules **reevaluation** runs; consumes Concelier/Excititor deltas; selects **impacted images** via BOMIndex; orchestrates analysisonly reports. | Stateless API. |
| **Scheduler.Worker** | `stellaops/scheduler-worker` | Executes selection and enqueues batches toward Scanner; enforces rate/limits and windows; maintains impact cursors. | Horizontal; queuedriven. | | **Scheduler.Worker** | `stellaops/scheduler-worker` | Executes selection and enqueues batches toward Scanner; enforces rate/limits and windows; maintains impact cursors. | Horizontal; queuedriven. |

4
docs/09_API_CLI_REFERENCE.md
View File

@@ -814,7 +814,7 @@ See `docs/dev/32_AUTH_CLIENT_GUIDE.md` for recommended profiles (online vs. air-
### Ruby dependency verbs (`stellaops-cli ruby …`) ### Ruby dependency verbs (`stellaops-cli ruby …`)
`ruby inspect` runs the same deterministic `RubyLanguageAnalyzer` bundled with Scanner.Worker against the local working tree—no backend calls—so operators can sanity-check Gemfile / Gemfile.lock pairs before shipping. The command now renders an observation banner (bundler version, package/runtime counts, capability flags, scheduler names) before the package table so air-gapped users can prove what evidence was collected. `ruby resolve` reuses the persisted `RubyPackageInventory` (stored under Mongo `ruby.packages` and exposed via `GET /api/scans/{scanId}/ruby-packages`) so operators can reason about groups/platforms/runtime usage after Scanner or Offline Kits finish processing; the CLI surfaces `scanId`, `imageDigest`, and `generatedAt` metadata in JSON mode for downstream scripting. `ruby inspect` runs the same deterministic `RubyLanguageAnalyzer` bundled with Scanner.Worker against the local working tree—no backend calls—so operators can sanity-check Gemfile / Gemfile.lock pairs before shipping. The command now renders an observation banner (bundler version, package/runtime counts, capability flags, scheduler names) before the package table so air-gapped users can prove what evidence was collected. `ruby resolve` reuses the persisted `RubyPackageInventory` (stored in the PostgreSQL `ruby_packages` table and exposed via `GET /api/scans/{scanId}/ruby-packages`) so operators can reason about groups/platforms/runtime usage after Scanner or Offline Kits finish processing; the CLI surfaces `scanId`, `imageDigest`, and `generatedAt` metadata in JSON mode for downstream scripting.
**`ruby inspect` flags** **`ruby inspect` flags**
@@ -898,6 +898,8 @@ Both commands honour CLI observability hooks: Spectre tables for human output, `
| `stellaops-cli graph explain` | Show reachability call path for a finding | `--finding <purl:cve>` (required)<br>`--scan-id <id>`<br>`--format table\|json` | Displays `latticeState`, call path with `symbol_id`/`code_id`, runtime hits, `graph_hash`, and DSSE attestation refs | | `stellaops-cli graph explain` | Show reachability call path for a finding | `--finding <purl:cve>` (required)<br>`--scan-id <id>`<br>`--format table\|json` | Displays `latticeState`, call path with `symbol_id`/`code_id`, runtime hits, `graph_hash`, and DSSE attestation refs |
| `stellaops-cli graph export` | Export reachability graph bundle | `--scan-id <id>` (required)<br>`--output <dir>`<br>`--include-runtime` | Creates `richgraph-v1.json`, `.dsse`, `meta.json`, and optional `runtime-facts.ndjson` | | `stellaops-cli graph export` | Export reachability graph bundle | `--scan-id <id>` (required)<br>`--output <dir>`<br>`--include-runtime` | Creates `richgraph-v1.json`, `.dsse`, `meta.json`, and optional `runtime-facts.ndjson` |
| `stellaops-cli graph verify` | Verify graph DSSE signature and Rekor entry | `--graph <path>` (required)<br>`--dsse <path>`<br>`--rekor-log` | Recomputes BLAKE3 hash, validates DSSE envelope, checks Rekor inclusion proof | | `stellaops-cli graph verify` | Verify graph DSSE signature and Rekor entry | `--graph <path>` (required)<br>`--dsse <path>`<br>`--rekor-log` | Recomputes BLAKE3 hash, validates DSSE envelope, checks Rekor inclusion proof |
| `stellaops-cli proof verify` | Verify an artifact's proof chain | `<artifact>` (required)<br>`--sbom <file>`<br>`--vex <file>`<br>`--anchor <uuid>`<br>`--offline`<br>`--output text\|json`<br>`-v/-vv` | Validates proof spine, Merkle inclusion, VEX statements, and Rekor entries. Returns exit code 0 (pass), 1 (policy violation), or 2 (system error). Designed for CI/CD integration. |
| `stellaops-cli proof spine` | Display proof spine for an artifact | `<artifact>` (required)<br>`--format table\|json`<br>`--show-merkle` | Shows assembled proof spine with evidence statements, VEX verdicts, and Merkle tree structure. |
| `stellaops-cli replay verify` | Verify replay manifest determinism | `--manifest <path>` (required)<br>`--sealed`<br>`--verbose` | Recomputes all artifact hashes and compares against manifest; exit 0 on match | | `stellaops-cli replay verify` | Verify replay manifest determinism | `--manifest <path>` (required)<br>`--sealed`<br>`--verbose` | Recomputes all artifact hashes and compares against manifest; exit 0 on match |
| `stellaops-cli runtime policy test` | Ask Scanner.WebService for runtime verdicts (Webhook parity) | `--image/-i <digest>` (repeatable, comma/space lists supported)<br>`--file/-f <path>`<br>`--namespace/--ns <name>`<br>`--label/-l key=value` (repeatable)<br>`--json` | Posts to `POST /api/v1/scanner/policy/runtime`, deduplicates image digests, and prints TTL/policy revision plus per-image columns for signed state, SBOM referrers, quieted-by metadata, confidence, Rekor attestation (uuid + verified flag), and recently observed build IDs (shortened for readability). Accepts newline/whitespace-delimited stdin when piped; `--json` emits the raw response without additional logging. | | `stellaops-cli runtime policy test` | Ask Scanner.WebService for runtime verdicts (Webhook parity) | `--image/-i <digest>` (repeatable, comma/space lists supported)<br>`--file/-f <path>`<br>`--namespace/--ns <name>`<br>`--label/-l key=value` (repeatable)<br>`--json` | Posts to `POST /api/v1/scanner/policy/runtime`, deduplicates image digests, and prints TTL/policy revision plus per-image columns for signed state, SBOM referrers, quieted-by metadata, confidence, Rekor attestation (uuid + verified flag), and recently observed build IDs (shortened for readability). Accepts newline/whitespace-delimited stdin when piped; `--json` emits the raw response without additional logging. |

16
docs/10_CONCELIER_CLI_QUICKSTART.md
View File

@@ -10,7 +10,7 @@ runtime wiring, CLI usage) and leaves connector/internal customization for later
## 0 · Prerequisites ## 0 · Prerequisites
- .NET SDK **10.0.100-preview** (matches `global.json`) - .NET SDK **10.0.100-preview** (matches `global.json`)
- MongoDB instance reachable from the host (local Docker or managed) - PostgreSQL instance reachable from the host (local Docker or managed)
- `trivy-db` binary on `PATH` for Trivy exports (and `oras` if publishing to OCI) - `trivy-db` binary on `PATH` for Trivy exports (and `oras` if publishing to OCI)
- Plugin assemblies present in `StellaOps.Concelier.PluginBinaries/` (already included in the repo) - Plugin assemblies present in `StellaOps.Concelier.PluginBinaries/` (already included in the repo)
- Optional: Docker/Podman runtime if you plan to run scanners locally - Optional: Docker/Podman runtime if you plan to run scanners locally
@@ -30,7 +30,7 @@ runtime wiring, CLI usage) and leaves connector/internal customization for later
cp etc/concelier.yaml.sample etc/concelier.yaml cp etc/concelier.yaml.sample etc/concelier.yaml
``` ```
2. Edit `etc/concelier.yaml` and update the MongoDB DSN (and optional database name). 2. Edit `etc/concelier.yaml` and update the PostgreSQL DSN (and optional database name).
The default template configures plug-in discovery to look in `StellaOps.Concelier.PluginBinaries/` The default template configures plug-in discovery to look in `StellaOps.Concelier.PluginBinaries/`
and disables remote telemetry exporters by default. and disables remote telemetry exporters by default.
@@ -38,7 +38,7 @@ runtime wiring, CLI usage) and leaves connector/internal customization for later
`CONCELIER_`. Example: `CONCELIER_`. Example:
```bash ```bash
export CONCELIER_STORAGE__DSN="mongodb://user:pass@mongo:27017/concelier" export CONCELIER_STORAGE__DSN="Host=localhost;Port=5432;Database=concelier;Username=user;Password=pass"
export CONCELIER_TELEMETRY__ENABLETRACING=false export CONCELIER_TELEMETRY__ENABLETRACING=false
``` ```
@@ -48,11 +48,11 @@ runtime wiring, CLI usage) and leaves connector/internal customization for later
dotnet run --project src/Concelier/StellaOps.Concelier.WebService dotnet run --project src/Concelier/StellaOps.Concelier.WebService
``` ```
On startup Concelier validates the options, boots MongoDB indexes, loads plug-ins, On startup Concelier validates the options, boots PostgreSQL indexes, loads plug-ins,
and exposes: and exposes:
- `GET /health` returns service status and telemetry settings - `GET /health` returns service status and telemetry settings
- `GET /ready` performs a MongoDB `ping` - `GET /ready` performs a PostgreSQL `ping`
- `GET /jobs` + `POST /jobs/{kind}` inspect and trigger connector/export jobs - `GET /jobs` + `POST /jobs/{kind}` inspect and trigger connector/export jobs
> **Security note** authentication now ships via StellaOps Authority. Keep > **Security note** authentication now ships via StellaOps Authority. Keep
@@ -263,8 +263,8 @@ a problem document.
triggering Concelier jobs. triggering Concelier jobs.
- Export artefacts are materialised under the configured output directories and - Export artefacts are materialised under the configured output directories and
their manifests record digests. their manifests record digests.
- MongoDB contains the expected `document`, `dto`, `advisory`, and `export_state` - PostgreSQL contains the expected `document`, `dto`, `advisory`, and `export_state`
collections after a run. tables after a run.
--- ---
@@ -273,7 +273,7 @@ a problem document.
- Treat `etc/concelier.yaml.sample` as the canonical template. CI/CD should copy it to - Treat `etc/concelier.yaml.sample` as the canonical template. CI/CD should copy it to
the deployment artifact and replace placeholders (DSN, telemetry endpoints, cron the deployment artifact and replace placeholders (DSN, telemetry endpoints, cron
overrides) with environment-specific secrets. overrides) with environment-specific secrets.
- Keep secret material (Mongo credentials, OTLP tokens) outside of the repository; - Keep secret material (PostgreSQL credentials, OTLP tokens) outside of the repository;
inject them via secret stores or pipeline variables at stamp time. inject them via secret stores or pipeline variables at stamp time.
- When building container images, include `trivy-db` (and `oras` if used) so air-gapped - When building container images, include `trivy-db` (and `oras` if used) so air-gapped
clusters do not need outbound downloads at runtime. clusters do not need outbound downloads at runtime.

305
docs/10_PLUGIN_SDK_GUIDE.md
View File

@@ -82,53 +82,53 @@ Add this to **`MyPlugin.Schedule.csproj`** so the signed DLL + `.sig` land in th
--- ---
##5DependencyInjection Entrypoint ##5DependencyInjection Entrypoint
Backend autodiscovers restarttime bindings through two mechanisms: Backend autodiscovers restarttime bindings through two mechanisms:
1. **Service binding metadata** for simple contracts. 1. **Service binding metadata** for simple contracts.
2. **`IDependencyInjectionRoutine`** implementations when you need full control. 2. **`IDependencyInjectionRoutine`** implementations when you need full control.
###5.1Service binding metadata ###5.1Service binding metadata
Annotate implementations with `[ServiceBinding]` to declare their lifetime and service contract. Annotate implementations with `[ServiceBinding]` to declare their lifetime and service contract.
The loader honours scoped lifetimes and will register the service before executing any custom DI routines. The loader honours scoped lifetimes and will register the service before executing any custom DI routines.
~~~csharp ~~~csharp
using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection;
using StellaOps.DependencyInjection; using StellaOps.DependencyInjection;
[ServiceBinding(typeof(IJob), ServiceLifetime.Scoped, RegisterAsSelf = true)] [ServiceBinding(typeof(IJob), ServiceLifetime.Scoped, RegisterAsSelf = true)]
public sealed class MyJob : IJob public sealed class MyJob : IJob
{ {
// IJob dependencies can now use scoped services (Mongo sessions, etc.) // IJob dependencies can now use scoped services (PostgreSQL connections, etc.)
} }
~~~ ~~~
Use `RegisterAsSelf = true` when you also want to resolve the concrete type. Use `RegisterAsSelf = true` when you also want to resolve the concrete type.
Set `ReplaceExisting = true` to override default descriptors if the host already provides one. Set `ReplaceExisting = true` to override default descriptors if the host already provides one.
###5.2Dependency injection routines ###5.2Dependency injection routines
For advanced scenarios continue to expose a routine: For advanced scenarios continue to expose a routine:
~~~csharp ~~~csharp
namespace StellaOps.DependencyInjection; namespace StellaOps.DependencyInjection;
public sealed class IoCConfigurator : IDependencyInjectionRoutine public sealed class IoCConfigurator : IDependencyInjectionRoutine
{ {
public IServiceCollection Register(IServiceCollection services, IConfiguration cfg) public IServiceCollection Register(IServiceCollection services, IConfiguration cfg)
{ {
services.AddSingleton<IJob, MyJob>(); // schedule job services.AddSingleton<IJob, MyJob>(); // schedule job
services.Configure<MyPluginOptions>(cfg.GetSection("Plugins:MyPlugin")); services.Configure<MyPluginOptions>(cfg.GetSection("Plugins:MyPlugin"));
return services; return services;
} }
} }
~~~ ~~~
--- ---
##6Schedule Plugins ##6Schedule Plugins
###6.1 Minimal Job ###6.1 Minimal Job
@@ -216,4 +216,213 @@ On merge, the plugin shows up in the UI Marketplace.
| NotDetected | .sig missing | cosign sign | | NotDetected | .sig missing | cosign sign |
| VersionGateMismatch | Backend 2.1 vs plugin 2.0 | Recompile / bump attribute | | VersionGateMismatch | Backend 2.1 vs plugin 2.0 | Recompile / bump attribute |
| FileLoadException | Duplicate | StellaOps.Common Ensure PrivateAssets="all" | | FileLoadException | Duplicate | StellaOps.Common Ensure PrivateAssets="all" |
| Redis | timeouts Large writes | Batch or use Mongo | | Redis | timeouts Large writes | Batch or use PostgreSQL |
---
## 14 Plugin Version Compatibility (v2.0)
**IMPORTANT:** All plugins **must** declare a `[StellaPluginVersion]` attribute. Plugins without this attribute will be rejected by the host loader.
Declare your plugin's version and host compatibility requirements:
```csharp
using StellaOps.Plugin.Versioning;
// In AssemblyInfo.cs or any file at assembly level
[assembly: StellaPluginVersion("1.2.0", MinimumHostVersion = "1.0.0", MaximumHostVersion = "2.0.0")]
```
| Property | Purpose | Required |
|----------|---------|----------|
| `pluginVersion` (constructor) | Your plugin's semantic version | **Yes** |
| `MinimumHostVersion` | Lowest host version that can load this plugin | Recommended |
| `MaximumHostVersion` | Highest host version supported | Recommended for cross-major compatibility |
| `RequiresSignature` | Whether signature verification is mandatory (default: true) | No |
### Version Compatibility Rules
1. **Attribute Required:** Plugins without `[StellaPluginVersion]` are rejected
2. **Minimum Version:** Host version must be `MinimumHostVersion`
3. **Maximum Version:** Host version must be `MaximumHostVersion` (if specified)
4. **Strict Major Version:** If `MaximumHostVersion` is not specified, the plugin is assumed to only support the same major version as `MinimumHostVersion`
### Examples
```csharp
// Plugin works with host 1.0.0 through 2.x (explicit range)
[assembly: StellaPluginVersion("1.0.0", MinimumHostVersion = "1.0.0", MaximumHostVersion = "2.99.99")]
// Plugin works with host 2.x only (strict - no MaximumHostVersion means same major version)
[assembly: StellaPluginVersion("1.0.0", MinimumHostVersion = "2.0.0")]
// Plugin version 3.0.0 with no host constraints (uses plugin major version as reference)
[assembly: StellaPluginVersion("3.0.0")]
```
---
## 15 Plugin Host Configuration (v2.0)
Configure the plugin loader with security-first defaults in `PluginHostOptions`:
```csharp
var options = new PluginHostOptions
{
// Version enforcement (all default to true for security)
HostVersion = new Version(2, 0, 0),
EnforceVersionCompatibility = true, // Reject incompatible plugins
RequireVersionAttribute = true, // Reject plugins without [StellaPluginVersion]
StrictMajorVersionCheck = true, // Reject plugins crossing major version boundaries
// Signature verification (opt-in, requires infrastructure)
EnforceSignatureVerification = true,
SignatureVerifier = new CosignPluginVerifier(new CosignVerifierOptions
{
PublicKeyPath = "/keys/cosign.pub",
UseRekorTransparencyLog = true,
AllowUnsigned = false
})
};
var result = await PluginHost.LoadPluginsAsync(options, logger);
// Check for failures
if (result.HasFailures)
{
foreach (var failure in result.Failures)
{
logger.LogError("Plugin {Path} failed: {Reason} - {Message}",
failure.AssemblyPath, failure.Reason, failure.Message);
}
}
```
### Host Options Reference
| Option | Default | Purpose |
|--------|---------|---------|
| `HostVersion` | null | The host application version for compatibility checking |
| `EnforceVersionCompatibility` | **true** | Reject plugins that fail version checks |
| `RequireVersionAttribute` | **true** | Reject plugins without `[StellaPluginVersion]` |
| `StrictMajorVersionCheck` | **true** | Reject plugins that don't explicitly support the host's major version |
| `EnforceSignatureVerification` | false | Reject plugins without valid signatures |
| `SignatureVerifier` | null | The verifier implementation (e.g., `CosignPluginVerifier`) |
### Failure Reasons
| Reason | Description |
|--------|-------------|
| `LoadError` | Assembly could not be loaded (missing dependencies, corrupt file) |
| `SignatureInvalid` | Signature verification failed |
| `IncompatibleVersion` | Plugin version constraints not satisfied |
| `MissingVersionAttribute` | Plugin lacks required `[StellaPluginVersion]` attribute |
---
## 16 Fail-Fast Options Validation (v2.0)
Use the fail-fast validation pattern to catch configuration errors at startup:
```csharp
using StellaOps.DependencyInjection.Validation;
// Register options with automatic startup validation
services.AddOptionsWithValidation<MyPluginOptions, MyPluginOptionsValidator>(
MyPluginOptions.SectionName);
// Or with data annotations
services.AddOptionsWithDataAnnotations<MyPluginOptions>(
MyPluginOptions.SectionName);
```
Create validators using the base class:
```csharp
public sealed class MyPluginOptionsValidator : OptionsValidatorBase<MyPluginOptions>
{
protected override string SectionPrefix => "Plugins:MyPlugin";
protected override void ValidateOptions(MyPluginOptions options, ValidationContext context)
{
context
.RequireNotEmpty(options.BaseUrl, nameof(options.BaseUrl))
.RequirePositive(options.TimeoutSeconds, nameof(options.TimeoutSeconds))
.RequireInRange(options.MaxRetries, nameof(options.MaxRetries), 0, 10);
}
}
```
---
## 17 Available Templates (v2.0)
Install and use the official plugin templates:
```bash
# Install from local templates directory
dotnet new install ./templates
# Or install from NuGet
dotnet new install StellaOps.Templates
# Create a connector plugin
dotnet new stellaops-plugin-connector -n MyCompany.AcmeConnector
# Create a scheduled job plugin
dotnet new stellaops-plugin-scheduler -n MyCompany.CleanupJob
```
Templates include:
- Plugin entry point with version attribute
- Options class with data annotations
- Options validator with fail-fast pattern
- DI routine registration
- README with build/sign instructions
---
## 18 Migration Guide: v2.0 to v2.1
### Breaking Change: Version Attribute Required
As of v2.1, all plugins **must** include a `[StellaPluginVersion]` attribute. Plugins without this attribute will be rejected with `MissingVersionAttribute` failure.
**Before (v2.0):** Optional, plugins without attribute loaded with warning.
**After (v2.1):** Required, plugins without attribute are rejected.
### Migration Steps
1. Add the version attribute to your plugin's AssemblyInfo.cs:
```csharp
[assembly: StellaPluginVersion("1.0.0", MinimumHostVersion = "2.0.0", MaximumHostVersion = "2.99.99")]
```
2. If your plugin must support multiple major host versions, explicitly set `MaximumHostVersion`:
```csharp
// Supports host 1.x through 3.x
[assembly: StellaPluginVersion("1.0.0", MinimumHostVersion = "1.0.0", MaximumHostVersion = "3.99.99")]
```
3. Rebuild and re-sign your plugin.
### Opt-out (Not Recommended)
If you must load legacy plugins without version attributes:
```csharp
var options = new PluginHostOptions
{
RequireVersionAttribute = false, // Allow unversioned plugins (NOT recommended)
StrictMajorVersionCheck = false // Allow cross-major version loading
};
```
---
## Change Log
| Version | Date | Changes |
|---------|------|---------|
| v2.1 | 2025-12-14 | **Breaking:** `[StellaPluginVersion]` attribute now required by default. Added `RequireVersionAttribute`, `StrictMajorVersionCheck` options. Added `MissingVersionAttribute` failure reason. |
| v2.0 | 2025-12-14 | Added StellaPluginVersion attribute, Cosign verification options, fail-fast validation, new templates |
| v1.5 | 2025-07-11 | Template install, no hot-reload, IoC conventions |

20
docs/11_AUTHORITY.md
View File

@@ -6,7 +6,7 @@
The **StellaOps Authority** service issues OAuth2/OIDC tokens for every StellaOps module (Concelier, Backend, Agent, Zastava) and exposes the policy controls required in sovereign/offline environments. Authority is built as a minimal ASP.NET host that: The **StellaOps Authority** service issues OAuth2/OIDC tokens for every StellaOps module (Concelier, Backend, Agent, Zastava) and exposes the policy controls required in sovereign/offline environments. Authority is built as a minimal ASP.NET host that:
- brokers password, client-credentials, and device-code flows through pluggable identity providers; - brokers password, client-credentials, and device-code flows through pluggable identity providers;
- persists access/refresh/device tokens in MongoDB with deterministic schemas for replay analysis and air-gapped audit copies; - persists access/refresh/device tokens in PostgreSQL with deterministic schemas for replay analysis and air-gapped audit copies;
- distributes revocation bundles and JWKS material so downstream services can enforce lockouts without direct database access; - distributes revocation bundles and JWKS material so downstream services can enforce lockouts without direct database access;
- offers bootstrap APIs for first-run provisioning and key rotation without redeploying binaries. - offers bootstrap APIs for first-run provisioning and key rotation without redeploying binaries.
@@ -17,7 +17,7 @@ Authority is composed of five cooperating subsystems:
1. **Minimal API host** configures OpenIddict endpoints (`/token`, `/authorize`, `/revoke`, `/jwks`), publishes the OpenAPI contract at `/.well-known/openapi`, and enables structured logging/telemetry. Rate limiting hooks (`AuthorityRateLimiter`) wrap every request. 1. **Minimal API host** configures OpenIddict endpoints (`/token`, `/authorize`, `/revoke`, `/jwks`), publishes the OpenAPI contract at `/.well-known/openapi`, and enables structured logging/telemetry. Rate limiting hooks (`AuthorityRateLimiter`) wrap every request.
2. **Plugin host** loads `StellaOps.Authority.Plugin.*.dll` assemblies, applies capability metadata, and exposes password/client provisioning surfaces through dependency injection. 2. **Plugin host** loads `StellaOps.Authority.Plugin.*.dll` assemblies, applies capability metadata, and exposes password/client provisioning surfaces through dependency injection.
3. **Mongo storage** persists tokens, revocations, bootstrap invites, and plugin state in deterministic collections indexed for offline sync (`authority_tokens`, `authority_revocations`, etc.). 3. **PostgreSQL storage** persists tokens, revocations, bootstrap invites, and plugin state in deterministic tables indexed for offline sync (`authority_tokens`, `authority_revocations`, etc.).
4. **Cryptography layer** `StellaOps.Cryptography` abstractions manage password hashing, signing keys, JWKS export, and detached JWS generation. 4. **Cryptography layer** `StellaOps.Cryptography` abstractions manage password hashing, signing keys, JWKS export, and detached JWS generation.
5. **Offline ops APIs** internal endpoints under `/internal/*` provide administrative flows (bootstrap users/clients, revocation export) guarded by API keys and deterministic audit events. 5. **Offline ops APIs** internal endpoints under `/internal/*` provide administrative flows (bootstrap users/clients, revocation export) guarded by API keys and deterministic audit events.
@@ -27,14 +27,14 @@ A high-level sequence for password logins:
Client -> /token (password grant) Client -> /token (password grant)
-> Rate limiter & audit hooks -> Rate limiter & audit hooks
-> Plugin credential store (Argon2id verification) -> Plugin credential store (Argon2id verification)
-> Token persistence (Mongo authority_tokens) -> Token persistence (PostgreSQL authority_tokens)
-> Response (access/refresh tokens + deterministic claims) -> Response (access/refresh tokens + deterministic claims)
``` ```
## 3. Token Lifecycle & Persistence ## 3. Token Lifecycle & Persistence
Authority persists every issued token in MongoDB so operators can audit or revoke without scanning distributed caches. Authority persists every issued token in PostgreSQL so operators can audit or revoke without scanning distributed caches.
- **Collection:** `authority_tokens` - **Table:** `authority_tokens`
- **Key fields:** - **Key fields:**
- `tokenId`, `type` (`access_token`, `refresh_token`, `device_code`, `authorization_code`) - `tokenId`, `type` (`access_token`, `refresh_token`, `device_code`, `authorization_code`)
- `subjectId`, `clientId`, ordered `scope` array - `subjectId`, `clientId`, ordered `scope` array
@@ -173,7 +173,7 @@ Graph Explorer introduces dedicated scopes: `graph:write` for Cartographer build
#### Vuln Explorer scopes, ABAC, and permalinks #### Vuln Explorer scopes, ABAC, and permalinks
- **Scopes** `vuln:view` unlocks read-only access and permalink issuance, `vuln:investigate` allows triage actions (assignment, comments, remediation notes), `vuln:operate` unlocks state transitions and workflow execution, and `vuln:audit` exposes immutable ledgers/exports. The legacy `vuln:read` scope is still emitted for backward compatibility but new clients should request the granular scopes. - **Scopes** `vuln:view` unlocks read-only access and permalink issuance, `vuln:investigate` allows triage actions (assignment, comments, remediation notes), `vuln:operate` unlocks state transitions and workflow execution, and `vuln:audit` exposes immutable ledgers/exports. The legacy `vuln:read` scope is still emitted for backward compatibility but new clients should request the granular scopes.
- **ABAC attributes** Tenant roles can project attribute filters (`env`, `owner`, `business_tier`) via the `attributes` block in `authority.yaml` (see the sample `role/vuln-*` definitions). Authority now enforces the same filters on token issuance: client-credential requests must supply `vuln_env`, `vuln_owner`, and `vuln_business_tier` parameters when multiple values are configured, and the values must match the configured allow-list (or `*`). The accepted value pattern is `[a-z0-9:_-]{1,128}`. Issued tokens embed the resolved filters as `stellaops:vuln_env`, `stellaops:vuln_owner`, and `stellaops:vuln_business_tier` claims, and Authority persists the resulting actor chain plus service-account metadata in Mongo for auditability. - **ABAC attributes** Tenant roles can project attribute filters (`env`, `owner`, `business_tier`) via the `attributes` block in `authority.yaml` (see the sample `role/vuln-*` definitions). Authority now enforces the same filters on token issuance: client-credential requests must supply `vuln_env`, `vuln_owner`, and `vuln_business_tier` parameters when multiple values are configured, and the values must match the configured allow-list (or `*`). The accepted value pattern is `[a-z0-9:_-]{1,128}`. Issued tokens embed the resolved filters as `stellaops:vuln_env`, `stellaops:vuln_owner`, and `stellaops:vuln_business_tier` claims, and Authority persists the resulting actor chain plus service-account metadata in PostgreSQL for auditability.
- **Service accounts** Delegated Vuln Explorer identities (`svc-vuln-*`) should include the attribute filters in their seed definition. Authority enforces the supplied `attributes` during issuance and stores the selected values on the delegation token, making downstream revocation/audit exports aware of the effective ABAC envelope. - **Service accounts** Delegated Vuln Explorer identities (`svc-vuln-*`) should include the attribute filters in their seed definition. Authority enforces the supplied `attributes` during issuance and stores the selected values on the delegation token, making downstream revocation/audit exports aware of the effective ABAC envelope.
- **Attachment tokens** Evidence downloads require scoped tokens issued by Authority. `POST /vuln/attachments/tokens/issue` accepts ledger hashes plus optional metadata, signs the response with the primary Authority key, and records audit trails (`vuln.attachment.token.*`). `POST /vuln/attachments/tokens/verify` validates incoming tokens server-side. See “Attachment signing tokens” below. - **Attachment tokens** Evidence downloads require scoped tokens issued by Authority. `POST /vuln/attachments/tokens/issue` accepts ledger hashes plus optional metadata, signs the response with the primary Authority key, and records audit trails (`vuln.attachment.token.*`). `POST /vuln/attachments/tokens/verify` validates incoming tokens server-side. See “Attachment signing tokens” below.
- **Token request parameters** Minimum metadata for Vuln Explorer service accounts: - **Token request parameters** Minimum metadata for Vuln Explorer service accounts:
@@ -228,7 +228,7 @@ Authority centralises revocation in `authority_revocations` with deterministic c
| `client` | OAuth client registration revoked. | `revocationId` (= client id) | | `client` | OAuth client registration revoked. | `revocationId` (= client id) |
| `key` | Signing/JWE key withdrawn. | `revocationId` (= key id) | | `key` | Signing/JWE key withdrawn. | `revocationId` (= key id) |
`RevocationBundleBuilder` flattens Mongo documents into canonical JSON, sorts entries by (`category`, `revocationId`, `revokedAt`), and signs exports using detached JWS (RFC7797) with cosign-compatible headers. `RevocationBundleBuilder` flattens PostgreSQL records into canonical JSON, sorts entries by (`category`, `revocationId`, `revokedAt`), and signs exports using detached JWS (RFC 7797) with cosign-compatible headers.
**Export surfaces** (deterministic output, suitable for Offline Kit): **Export surfaces** (deterministic output, suitable for Offline Kit):
@@ -378,7 +378,7 @@ Audit events now include `airgap.sealed=<state>` where `<state>` is `failure:<co
| --- | --- | --- | --- | | --- | --- | --- | --- |
| Root | `issuer` | Absolute HTTPS issuer advertised to clients. | Required. Loopback HTTP allowed only for development. | | Root | `issuer` | Absolute HTTPS issuer advertised to clients. | Required. Loopback HTTP allowed only for development. |
| Tokens | `accessTokenLifetime`, `refreshTokenLifetime`, etc. | Lifetimes for each grant (access, refresh, device, authorization code, identity). | Enforced during issuance; persisted on each token document. | | Tokens | `accessTokenLifetime`, `refreshTokenLifetime`, etc. | Lifetimes for each grant (access, refresh, device, authorization code, identity). | Enforced during issuance; persisted on each token document. |
| Storage | `storage.connectionString` | MongoDB connection string. | Required even for tests; offline kits ship snapshots for seeding. | | Storage | `storage.connectionString` | PostgreSQL connection string. | Required even for tests; offline kits ship snapshots for seeding. |
| Signing | `signing.enabled` | Enable JWKS/revocation signing. | Disable only for development. | | Signing | `signing.enabled` | Enable JWKS/revocation signing. | Disable only for development. |
| Signing | `signing.algorithm` | Signing algorithm identifier. | Currently ES256; additional curves can be wired through crypto providers. | | Signing | `signing.algorithm` | Signing algorithm identifier. | Currently ES256; additional curves can be wired through crypto providers. |
| Signing | `signing.keySource` | Loader identifier (`file`, `vault`, custom). | Determines which `IAuthoritySigningKeySource` resolves keys. | | Signing | `signing.keySource` | Loader identifier (`file`, `vault`, custom). | Determines which `IAuthoritySigningKeySource` resolves keys. |
@@ -555,7 +555,7 @@ POST /internal/service-accounts/{accountId}/revocations
Requests must include the bootstrap API key header (`X-StellaOps-Bootstrap-Key`). Listing returns the seeded accounts with their configuration; the token listing call shows currently active delegation tokens (status, client, scopes, actor chain) and the revocation endpoint supports bulk or targeted token revocation with audit logging. Requests must include the bootstrap API key header (`X-StellaOps-Bootstrap-Key`). Listing returns the seeded accounts with their configuration; the token listing call shows currently active delegation tokens (status, client, scopes, actor chain) and the revocation endpoint supports bulk or targeted token revocation with audit logging.
Bootstrap seeding reuses the existing Mongo `_id`/`createdAt` values. When Authority restarts with updated configuration it upserts documents without mutating immutable fields, avoiding duplicate or conflicting service-account records. Bootstrap seeding reuses the existing PostgreSQL `id`/`created_at` values. When Authority restarts with updated configuration it upserts rows without mutating immutable fields, avoiding duplicate or conflicting service-account records.
**Requesting a delegated token** **Requesting a delegated token**
@@ -583,7 +583,7 @@ Optional `delegation_actor` metadata appends an identity to the actor chain:
Delegated tokens still honour scope validation, tenant enforcement, sender constraints (DPoP/mTLS), and fresh-auth checks. Delegated tokens still honour scope validation, tenant enforcement, sender constraints (DPoP/mTLS), and fresh-auth checks.
## 8. Offline & Sovereign Operation ## 8. Offline & Sovereign Operation
- **No outbound dependencies:** Authority only contacts MongoDB and local plugins. Discovery and JWKS are cached by clients with offline tolerances (`AllowOfflineCacheFallback`, `OfflineCacheTolerance`). Operators should mirror these responses for air-gapped use. - **No outbound dependencies:** Authority only contacts PostgreSQL and local plugins. Discovery and JWKS are cached by clients with offline tolerances (`AllowOfflineCacheFallback`, `OfflineCacheTolerance`). Operators should mirror these responses for air-gapped use.
- **Structured logging:** Every revocation export, signing rotation, bootstrap action, and token issuance emits structured logs with `traceId`, `client_id`, `subjectId`, and `network.remoteIp` where applicable. Mirror logs to your SIEM to retain audit trails without central connectivity. - **Structured logging:** Every revocation export, signing rotation, bootstrap action, and token issuance emits structured logs with `traceId`, `client_id`, `subjectId`, and `network.remoteIp` where applicable. Mirror logs to your SIEM to retain audit trails without central connectivity.
- **Determinism:** Sorting rules in token and revocation exports guarantee byte-for-byte identical artefacts given the same datastore state. Hashes and signatures remain stable across machines. - **Determinism:** Sorting rules in token and revocation exports guarantee byte-for-byte identical artefacts given the same datastore state. Hashes and signatures remain stable across machines.

36
docs/11_DATA_SCHEMAS.md
View File

@@ -1,7 +1,7 @@
#Data Schemas & Persistence Contracts # Data Schemas & Persistence Contracts
*Audience* backend developers, plugin authors, DB admins. *Audience* backend developers, plugin authors, DB admins.
*Scope* describes **Redis**, **MongoDB** (optional), and ondisk blob shapes that power StellaOps. *Scope* describes **Redis**, **PostgreSQL**, and ondisk blob shapes that power Stella Ops.
--- ---
@@ -63,7 +63,7 @@ Merging logic inside `scanning` module stitches new data onto the cached full SB
| `layers:&lt;digest&gt;` | set | 90d | Layers already possessing SBOMs (delta cache) | | `layers:&lt;digest&gt;` | set | 90d | Layers already possessing SBOMs (delta cache) |
| `policy:active` | string | ∞ | YAML **or** Rego ruleset | | `policy:active` | string | ∞ | YAML **or** Rego ruleset |
| `quota:&lt;token&gt;` | string | *until next UTC midnight* | Pertoken scan counter for Free tier ({{ quota_token }} scans). | | `quota:&lt;token&gt;` | string | *until next UTC midnight* | Pertoken scan counter for Free tier ({{ quota_token }} scans). |
| `policy:history` | list | ∞ | Change audit IDs (see Mongo) | | `policy:history` | list | ∞ | Change audit IDs (see PostgreSQL) |
| `feed:nvd:json` | string | 24h | Normalised feed snapshot | | `feed:nvd:json` | string | 24h | Normalised feed snapshot |
| `locator:&lt;imageDigest&gt;` | string | 30d | Maps image digest → sbomBlobId | | `locator:&lt;imageDigest&gt;` | string | 30d | Maps image digest → sbomBlobId |
| `metrics:…` | various | — | Prom / OTLP runtime metrics | | `metrics:…` | various | — | Prom / OTLP runtime metrics |
@@ -73,16 +73,16 @@ Merging logic inside `scanning` module stitches new data onto the cached full SB
--- ---
##3MongoDB Collections (Optional) ## 3 PostgreSQL Tables
Only enabled when `MONGO_URI` is supplied (for longterm audit). PostgreSQL is the canonical persistent store for long-term audit and history.
| Collection | Shape (summary) | Indexes | | Table | Shape (summary) | Indexes |
|--------------------|------------------------------------------------------------|-------------------------------------| |--------------------|------------------------------------------------------------|-------------------------------------|
| `sbom_history` | Wrapper JSON + `replaceTs` on overwrite | `{imageDigest}` `{created}` | | `sbom_history` | Wrapper JSON + `replace_ts` on overwrite | `(image_digest)` `(created)` |
| `policy_versions` | `{_id, yaml, rego, authorId, created}` | `{created}` | | `policy_versions` | `{id, yaml, rego, author_id, created}` | `(created)` |
| `attestations` ⭑ | SLSA provenance doc + Rekor log pointer | `{imageDigest}` | | `attestations` ⭑ | SLSA provenance doc + Rekor log pointer | `(image_digest)` |
| `audit_log` | Fully rendered RFC 5424 entries (UI & CLI actions) | `{userId}` `{ts}` | | `audit_log` | Fully rendered RFC 5424 entries (UI & CLI actions) | `(user_id)` `(ts)` |
Schema detail for **policy_versions**: Schema detail for **policy_versions**:
@@ -99,15 +99,15 @@ Samples live under `samples/api/scheduler/` (e.g., `schedule.json`, `run.json`,
} }
``` ```
###3.1Scheduler Sprints 16 Artifacts ### 3.1 Scheduler Sprints 16 Artifacts
**Collections.** `schedules`, `runs`, `impact_snapshots`, `audit` (modulelocal). All documents reuse the canonical JSON emitted by `StellaOps.Scheduler.Models` so agents and fixtures remain deterministic. **Tables.** `schedules`, `runs`, `impact_snapshots`, `audit` (module-local). All rows use the canonical JSON emitted by `StellaOps.Scheduler.Models` so agents and fixtures remain deterministic.
####3.1.1Schedule (`schedules`) #### 3.1.1 Schedule (`schedules`)
```jsonc ```jsonc
{ {
"_id": "sch_20251018a", "id": "sch_20251018a",
"tenantId": "tenant-alpha", "tenantId": "tenant-alpha",
"name": "Nightly Prod", "name": "Nightly Prod",
"enabled": true, "enabled": true,
@@ -468,7 +468,7 @@ Planned for Q12026 (kept here for early plugin authors).
* `actions[].throttle` serialises as ISO8601 duration (`PT5M`), mirroring worker backoff guardrails. * `actions[].throttle` serialises as ISO8601 duration (`PT5M`), mirroring worker backoff guardrails.
* `vex` gates let operators exclude accepted/notaffected justifications; omit the block to inherit default behaviour. * `vex` gates let operators exclude accepted/notaffected justifications; omit the block to inherit default behaviour.
* Use `StellaOps.Notify.Models.NotifySchemaMigration.UpgradeRule(JsonNode)` when deserialising legacy payloads that might lack `schemaVersion` or retain older revisions. * Use `StellaOps.Notify.Models.NotifySchemaMigration.UpgradeRule(JsonNode)` when deserialising legacy payloads that might lack `schemaVersion` or retain older revisions.
* Soft deletions persist `deletedAt` in Mongo (and disable the rule); repository queries automatically filter them. * Soft deletions persist `deletedAt` in PostgreSQL (and disable the rule); repository queries automatically filter them.
###6.2Channel highlights (`notify-channel@1`) ###6.2Channel highlights (`notify-channel@1`)
@@ -523,10 +523,10 @@ Integration tests can embed the sample fixtures to guarantee deterministic seria
##7Migration Notes ##7Migration Notes
1. **Add `format` column** to existing SBOM wrappers; default to `trivy-json-v2`. 1. **Add `format` column** to existing SBOM wrappers; default to `trivy-json-v2`.
2. **Populate `layers` & `partial`** via backfill script (ship with `stellopsctl migrate` wizard). 2. **Populate `layers` & `partial`** via backfill script (ship with `stellopsctl migrate` wizard).
3. Policy YAML previously stored in Redis → copy to Mongo if persistence enabled. 3. Policy YAML previously stored in Redis → copy to PostgreSQL if persistence enabled.
4. Prepare `attestations` collection (empty) safe to create in advance. 4. Prepare `attestations` table (empty) safe to create in advance.
--- ---

8
docs/14_GLOSSARY_OF_TERMS.md
View File

@@ -20,7 +20,7 @@ open a PR and append it alphabetically.*
| **ADR** | *Architecture Decision Record* lightweight Markdown file that captures one irreversible design decision. | ADR template lives at `/docs/adr/` | | **ADR** | *Architecture Decision Record* lightweight Markdown file that captures one irreversible design decision. | ADR template lives at `/docs/adr/` |
| **AIRE** | *AI Risk Evaluator* optional Plus/Pro plugin that suggests mute rules using an ONNX model. | Commercial feature | | **AIRE** | *AI Risk Evaluator* optional Plus/Pro plugin that suggests mute rules using an ONNX model. | Commercial feature |
| **AzurePipelines** | CI/CD service in Microsoft Azure DevOps. | Recipe in Pipeline Library | | **AzurePipelines** | CI/CD service in Microsoft Azure DevOps. | Recipe in Pipeline Library |
| **BDU** | Russian (FSTEC) national vulnerability database: *База данных уязвимостей*. | Merged with NVD by Concelier (vulnerability ingest/merge/export service) | | **BDU** | Russian (FSTEC) national vulnerability database: *База данных уязвимостей*. | Merged with NVD by Concelier (vulnerability ingest/merge/export service) |
| **BuildKit** | Modern Docker build engine with caching and concurrency. | Needed for layer cache patterns | | **BuildKit** | Modern Docker build engine with caching and concurrency. | Needed for layer cache patterns |
| **CI** | *Continuous Integration* automated build/test pipeline. | Stella integrates via CLI | | **CI** | *Continuous Integration* automated build/test pipeline. | Stella integrates via CLI |
| **Cosign** | Opensource Sigstore tool that signs & verifies container images **and files**. | Images & OUK tarballs | | **Cosign** | Opensource Sigstore tool that signs & verifies container images **and files**. | Images & OUK tarballs |
@@ -36,7 +36,7 @@ open a PR and append it alphabetically.*
| **Digest (image)** | SHA256 hash uniquely identifying a container image or layer. | Pin digests for reproducible builds | | **Digest (image)** | SHA256 hash uniquely identifying a container image or layer. | Pin digests for reproducible builds |
| **DockerinDocker (DinD)** | Running Docker daemon inside a CI container. | Used in GitHub / GitLab recipes | | **DockerinDocker (DinD)** | Running Docker daemon inside a CI container. | Used in GitHub / GitLab recipes |
| **DTO** | *Data Transfer Object* C# record serialised to JSON. | Schemas in doc 11 | | **DTO** | *Data Transfer Object* C# record serialised to JSON. | Schemas in doc 11 |
| **Concelier** | Vulnerability ingest/merge/export service consolidating OVN, GHSA, NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU feeds into the canonical MongoDB store and export artifacts. | Cron default `01* * *` | | **Concelier** | Vulnerability ingest/merge/export service consolidating OVN, GHSA, NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU feeds into the canonical PostgreSQL store and export artifacts. | Cron default `0 1 * * *` |
| **FSTEC** | Russian regulator issuing SOBIT certificates. | Pro GA target | | **FSTEC** | Russian regulator issuing SOBIT certificates. | Pro GA target |
| **Gitea** | Selfhosted Git service mirrors GitHub repo. | OSS hosting | | **Gitea** | Selfhosted Git service mirrors GitHub repo. | OSS hosting |
| **GOST TLS** | TLS ciphersuites defined by Russian GOST R 34.102012 / 34.112012. | Provided by `OpenSslGost` or CryptoPro | | **GOST TLS** | TLS ciphersuites defined by Russian GOST R 34.102012 / 34.112012. | Provided by `OpenSslGost` or CryptoPro |
@@ -53,7 +53,7 @@ open a PR and append it alphabetically.*
| **Hyperfine** | CLI microbenchmark tool used in Performance Workbook. | Outputs CSV | | **Hyperfine** | CLI microbenchmark tool used in Performance Workbook. | Outputs CSV |
| **JWT** | *JSON Web Token* bearer auth token issued by OpenIddict. | Scope `scanner`, `admin`, `ui` | | **JWT** | *JSON Web Token* bearer auth token issued by OpenIddict. | Scope `scanner`, `admin`, `ui` |
| **K3s / RKE2** | Lightweight Kubernetes distributions (Rancher). | Supported in K8s guide | | **K3s / RKE2** | Lightweight Kubernetes distributions (Rancher). | Supported in K8s guide |
| **Kubernetes NetworkPolicy** | K8s resource controlling pod traffic. | Redis/Mongo isolation | | **Kubernetes NetworkPolicy** | K8s resource controlling pod traffic. | Redis/PostgreSQL isolation |
--- ---
@@ -61,7 +61,7 @@ open a PR and append it alphabetically.*
| Term | Definition | Notes | | Term | Definition | Notes |
|------|------------|-------| |------|------------|-------|
| **Mongo (optional)** | Document DB storing >180day history and audit logs. | Off by default in Core | | **PostgreSQL** | Relational DB storing history and audit logs. | Required for production |
| **Mute rule** | JSON object that suppresses specific CVEs until expiry. | Schema `mute-rule1.json` | | **Mute rule** | JSON object that suppresses specific CVEs until expiry. | Schema `mute-rule1.json` |
| **NVD** | USbased *National Vulnerability Database*. | Primary CVE source | | **NVD** | USbased *National Vulnerability Database*. | Primary CVE source |
| **ONNX** | Portable neuralnetwork model format; used by AIRE. | Runs inprocess | | **ONNX** | Portable neuralnetwork model format; used by AIRE. | Runs inprocess |

4
docs/17_SECURITY_HARDENING_GUIDE.md
View File

@@ -87,7 +87,7 @@ networks:
driver: bridge driver: bridge
``` ```
No dedicated Redis or “Mongo” subnets are declared; the single bridge network suffices for the default stack. No dedicated "Redis" or "PostgreSQL" sub-nets are declared; the single bridge network suffices for the default stack.
### 3.2Kubernetes deployment highlights ### 3.2Kubernetes deployment highlights
@@ -101,7 +101,7 @@ Optionally add CosignVerified=true label enforced by an admission controller (e.
| Plane | Recommendation | | Plane | Recommendation |
| ------------------ | -------------------------------------------------------------------------- | | ------------------ | -------------------------------------------------------------------------- |
| Northsouth | Terminate TLS 1.2+ (OpenSSLGOST default). Use LetsEncrypt or internal CA. | | Northsouth | Terminate TLS 1.2+ (OpenSSLGOST default). Use LetsEncrypt or internal CA. |
| Eastwest | Compose bridge or K8s ClusterIP only; no public Redis/Mongo ports. | | East-west | Compose bridge or K8s ClusterIP only; no public Redis/PostgreSQL ports. |
| Ingress controller | Limit methods to GET, POST, PATCH (no TRACE). | | Ingress controller | Limit methods to GET, POST, PATCH (no TRACE). |
| Ratelimits | 40 rps default; tune ScannerPool.Workers and ingress limitreq to match. | | Ratelimits | 40 rps default; tune ScannerPool.Workers and ingress limitreq to match. |

11
docs/18_CODING_STANDARDS.md
View File

@@ -54,8 +54,8 @@ There are no folders named “Module” and no nested solutions.
| Namespaces | Filescoped, StellaOps.<Area> | namespace StellaOps.Scanners; | | Namespaces | Filescoped, StellaOps.<Area> | namespace StellaOps.Scanners; |
| Interfaces | I prefix, PascalCase | IScannerRunner | | Interfaces | I prefix, PascalCase | IScannerRunner |
| Classes / records | PascalCase | ScanRequest, TrivyRunner | | Classes / records | PascalCase | ScanRequest, TrivyRunner |
| Private fields | camelCase (no leading underscore) | redisCache, httpClient | | Private fields | _camelCase (with leading underscore) | _redisCache, _httpClient |
| Constants | SCREAMING_SNAKE_CASE | const int MAX_RETRIES = 3; | | Constants | PascalCase (standard C#) | const int MaxRetries = 3; |
| Async methods | End with Async | Task<ScanResult> ScanAsync() | | Async methods | End with Async | Task<ScanResult> ScanAsync() |
| File length | ≤100 lines incl. using & braces | enforced by dotnet format check | | File length | ≤100 lines incl. using & braces | enforced by dotnet format check |
| Using directives | Outside namespace, sorted, no wildcards | — | | Using directives | Outside namespace, sorted, no wildcards | — |
@@ -133,7 +133,7 @@ Capture structured logs with Serilogs messagetemplate syntax.
| Layer | Framework | Coverage gate | | Layer | Framework | Coverage gate |
| ------------------------ | ------------------------ | -------------------------- | | ------------------------ | ------------------------ | -------------------------- |
| Unit | xUnit + FluentAssertions | ≥80% line, ≥60% branch | | Unit | xUnit + FluentAssertions | ≥80% line, ≥60% branch |
| Integration | Testcontainers | Real Redis & Trivy | | Integration | Testcontainers | PostgreSQL, real services |
| Mutation (critical libs) | Stryker.NET | ≥60% score | | Mutation (critical libs) | Stryker.NET | ≥60% score |
One test project per runtime/contract project; naming <Project>.Tests. One test project per runtime/contract project; naming <Project>.Tests.
@@ -165,5 +165,6 @@ One test project per runtime/contract project; naming <Project>.Tests.
| Version | Date | Notes | | Version | Date | Notes |
| ------- | ---------- | -------------------------------------------------------------------------------------------------- | | ------- | ---------- | -------------------------------------------------------------------------------------------------- |
| v2.0 | 20250712 | Updated DI policy, 100line rule, new repo layout, camelCase fields, removed “Module” terminology. | | v2.1 | 2025-12-14 | Corrected field naming to _camelCase, constants to PascalCase, integration tests to PostgreSQL. |
| 1.0 | 20250709 | Original standards. | | v2.0 | 2025-07-12 | Updated DI policy, 100-line rule, new repo layout, removed "Module" terminology. |
| v1.0 | 2025-07-09 | Original standards. |

67
docs/19_TEST_SUITE_OVERVIEW.md
View File

@@ -16,7 +16,7 @@ contributors who need to extend coverage or diagnose failures.
| **1. Unit** | `xUnit` (<code>dotnet test</code>) | `*.Tests.csproj` | per PR / push | | **1. Unit** | `xUnit` (<code>dotnet test</code>) | `*.Tests.csproj` | per PR / push |
| **2. Propertybased** | `FsCheck` | `SbomPropertyTests` | per PR | | **2. Propertybased** | `FsCheck` | `SbomPropertyTests` | per PR |
| **3. Integration (API)** | `Testcontainers` suite | `test/Api.Integration` | per PR + nightly | | **3. Integration (API)** | `Testcontainers` suite | `test/Api.Integration` | per PR + nightly |
| **4. Integration (DB-merge)** | in-memory Mongo + Redis | `Concelier.Integration` (vulnerability ingest/merge/export service) | per PR | | **4. Integration (DB-merge)** | Testcontainers PostgreSQL + Redis | `Concelier.Integration` (vulnerability ingest/merge/export service) | per PR |
| **5. Contract (gRPC)** | `Buf breaking` | `buf.yaml` files | per PR | | **5. Contract (gRPC)** | `Buf breaking` | `buf.yaml` files | per PR |
| **6. Frontend unit** | `Jest` | `ui/src/**/*.spec.ts` | per PR | | **6. Frontend unit** | `Jest` | `ui/src/**/*.spec.ts` | per PR |
| **7. Frontend E2E** | `Playwright` | `ui/e2e/**` | nightly | | **7. Frontend E2E** | `Playwright` | `ui/e2e/**` | nightly |
@@ -52,67 +52,36 @@ contributors who need to extend coverage or diagnose failures.
./scripts/dev-test.sh --full ./scripts/dev-test.sh --full
```` ````
The script spins up MongoDB/Redis via Testcontainers and requires: The script spins up PostgreSQL/Redis via Testcontainers and requires:
* Docker ≥ 25 * Docker25
* Node20 (for Jest/Playwright) * Node 20 (for Jest/Playwright)
#### Mongo2Go / OpenSSL shim #### PostgreSQL Testcontainers
Multiple suites (Concelier connectors, Excititor worker/WebService, Scheduler) Multiple suites (Concelier connectors, Excititor worker/WebService, Scheduler)
fall back to [Mongo2Go](https://github.com/Mongo2Go/Mongo2Go) when a developer use Testcontainers with PostgreSQL for integration tests. If you don't have
does not have a local `mongod` listening on `127.0.0.1:27017`. **This is a Docker available, tests can also run against a local PostgreSQL instance
test-only dependency**: production/dev runtime MongoDB always runs inside the listening on `127.0.0.1:5432`.
compose/k8s network using the standard StellaOps cryptography stack. Modern
distros ship OpenSSL3 by default, so when Mongo2Go starts its embedded
`mongod` you **must** expose the legacy OpenSSL1.1 libraries that binary
expects:
1. From the repo root, export the provided binaries before running any tests: #### Local PostgreSQL helper
```bash
export LD_LIBRARY_PATH="$(pwd)/tests/native/openssl-1.1/linux-x64:${LD_LIBRARY_PATH:-}"
```
2. (Optional) If you only need the shim for a single command, prefix it:
```bash
LD_LIBRARY_PATH="$(pwd)/tests/native/openssl-1.1/linux-x64" \
dotnet test src/Concelier/StellaOps.Concelier.sln --nologo
```
3. CI runners or dev containers should either copy
`tests/native/openssl-1.1/linux-x64/libcrypto.so.1.1` and `libssl.so.1.1`
into a directory that is already on the default library path, or export the
`LD_LIBRARY_PATH` value shown above before invoking `dotnet test`.
The shim lives under `tests/native/openssl-1.1/README.md` with upstream source
and licensing details. When the system already has OpenSSL1.1 installed you
can skip this step.
#### Local Mongo helper
Some suites (Concelier WebService/Core, Exporter JSON) need a full Some suites (Concelier WebService/Core, Exporter JSON) need a full
`mongod` instance when you want to debug outside of Mongo2Go (for example to PostgreSQL instance when you want to debug or inspect data with `psql`.
inspect data with `mongosh` or pin a specific server version). A thin wrapper A helper script is available under `tools/postgres/local-postgres.sh`:
is available under `tools/mongodb/local-mongo.sh`:
```bash ```bash
# download (cached under .cache/mongodb-local) and start a local replica set # start a local PostgreSQL instance
tools/mongodb/local-mongo.sh start tools/postgres/local-postgres.sh start
# reuse an existing data set
tools/mongodb/local-mongo.sh restart
# stop / clean # stop / clean
tools/mongodb/local-mongo.sh stop tools/postgres/local-postgres.sh stop
tools/mongodb/local-mongo.sh clean tools/postgres/local-postgres.sh clean
``` ```
By default the script downloads MongoDB 6.0.16 for Ubuntu 22.04, binds to By default the script uses Docker to run PostgreSQL 16, binds to
`127.0.0.1:27017`, and initialises a single-node replica set called `rs0`. The `127.0.0.1:5432`, and creates a database called `stellaops`. The
current URI is printed on start, e.g. connection string is printed on start and you can export it before
`mongodb://127.0.0.1:27017/?replicaSet=rs0`, and you can export it before
running `dotnet test` if a suite supports overriding its connection string. running `dotnet test` if a suite supports overriding its connection string.
--- ---

2
docs/21_INSTALL_GUIDE.md
View File

@@ -62,7 +62,7 @@ cosign verify-blob \
cp .env.example .env cp .env.example .env
$EDITOR .env $EDITOR .env
# 5. Launch databases (MongoDB + Redis) # 5. Launch databases (PostgreSQL + Redis)
docker compose --env-file .env -f docker-compose.infrastructure.yml up -d docker compose --env-file .env -f docker-compose.infrastructure.yml up -d
# 6. Launch Stella Ops (first run pulls ~50MB merged vuln DB) # 6. Launch Stella Ops (first run pulls ~50MB merged vuln DB)

2
docs/23_FAQ_MATRIX.md
View File

@@ -34,7 +34,7 @@ Snapshot:
| **Core runtime** | C# 14 on **.NET {{ dotnet }}** | | **Core runtime** | C# 14 on **.NET {{ dotnet }}** |
| **UI stack** | **Angular {{ angular }}** + TailwindCSS | | **UI stack** | **Angular {{ angular }}** + TailwindCSS |
| **Container base** | Distroless glibc (x8664 & arm64) | | **Container base** | Distroless glibc (x8664 & arm64) |
| **Data stores** | MongoDB 7 (SBOM + findings), Redis 7 (LRU cache + quota) | | **Data stores** | PostgreSQL 7 (SBOM + findings), Redis 7 (LRU cache + quota) |
| **Release integrity** | Cosignsigned images & TGZ, reproducible build, SPDX 2.3 SBOM | | **Release integrity** | Cosignsigned images & TGZ, reproducible build, SPDX 2.3 SBOM |
| **Extensibility** | Plugins in any .NET language (restart load); OPA Rego policies | | **Extensibility** | Plugins in any .NET language (restart load); OPA Rego policies |
| **Default quotas** | Anonymous **{{ quota_anon }}scans/day** · JWT **{{ quota_token }}** | | **Default quotas** | Anonymous **{{ quota_anon }}scans/day** · JWT **{{ quota_token }}** |

4
docs/24_OFFLINE_KIT.md
View File

@@ -305,10 +305,10 @@ The Offline Kit carries the same helper scripts under `scripts/`:
1. **Duplicate audit:** run 1. **Duplicate audit:** run
```bash ```bash
mongo concelier ops/devops/scripts/check-advisory-raw-duplicates.js --eval 'var LIMIT=200;' psql -d concelier -f ops/devops/scripts/check-advisory-raw-duplicates.sql -v LIMIT=200
``` ```
to verify no `(vendor, upstream_id, content_hash, tenant)` conflicts remain before enabling the idempotency index. to verify no `(vendor, upstream_id, content_hash, tenant)` conflicts remain before enabling the idempotency index.
2. **Apply validators:** execute `mongo concelier ops/devops/scripts/apply-aoc-validators.js` (and the Excititor equivalent) with `validationLevel: "moderate"` in maintenance mode. 2. **Apply validators:** execute `psql -d concelier -f ops/devops/scripts/apply-aoc-validators.sql` (and the Excititor equivalent) with `validationLevel: "moderate"` in maintenance mode.
3. **Restart Concelier** so migrations `20251028_advisory_raw_idempotency_index` and `20251028_advisory_supersedes_backfill` run automatically. After the restart: 3. **Restart Concelier** so migrations `20251028_advisory_raw_idempotency_index` and `20251028_advisory_supersedes_backfill` run automatically. After the restart:
- Confirm `db.advisory` resolves to a view on `advisory_backup_20251028`. - Confirm `db.advisory` resolves to a view on `advisory_backup_20251028`.
- Spot-check a few `advisory_raw` entries to ensure `supersedes` chains are populated deterministically. - Spot-check a few `advisory_raw` entries to ensure `supersedes` chains are populated deterministically.

28
docs/40_ARCHITECTURE_OVERVIEW.md
View File

@@ -30,20 +30,20 @@ why the system leans *monolithplusplugins*, and where extension points
```mermaid ```mermaid
graph TD graph TD
A(API Gateway) A(API Gateway)
B1(Scanner Core<br/>.NET latest LTS) B1(Scanner Core<br/>.NET latest LTS)
B2(Concelier service\n(vuln ingest/merge/export)) B2(Concelier service\n(vuln ingest/merge/export))
B3(Policy Engine OPA) B3(Policy Engine OPA)
C1(Redis 7) C1(Redis 7)
C2(MongoDB 7) C2(PostgreSQL 16)
D(UI SPA<br/>Angular latest version) D(UI SPA<br/>Angular latest version)
A -->|gRPC| B1 A -->|gRPC| B1
B1 -->|async| B2 B1 -->|async| B2
B1 -->|OPA| B3 B1 -->|OPA| B3
B1 --> C1 B1 --> C1
B1 --> C2 B1 --> C2
A -->|REST/WS| D A -->|REST/WS| D
```` ```
--- ---
@@ -53,10 +53,10 @@ graph TD
| ---------------------------- | --------------------- | ---------------------------------------------------- | | ---------------------------- | --------------------- | ---------------------------------------------------- |
| **API Gateway** | ASP.NET Minimal API | Auth (JWT), quotas, request routing | | **API Gateway** | ASP.NET Minimal API | Auth (JWT), quotas, request routing |
| **Scanner Core** | C# 12, Polly | Layer diffing, SBOM generation, vuln correlation | | **Scanner Core** | C# 12, Polly | Layer diffing, SBOM generation, vuln correlation |
| **Concelier (vulnerability ingest/merge/export service)** | C# source-gen workers | Consolidate NVD + regional CVE feeds into the canonical MongoDB store and drive JSON / Trivy DB exports | | **Concelier (vulnerability ingest/merge/export service)** | C# source-gen workers | Consolidate NVD + regional CVE feeds into the canonical PostgreSQL store and drive JSON / Trivy DB exports |
| **Policy Engine** | OPA (Rego) | admission decisions, custom org rules | | **Policy Engine** | OPA (Rego) | admission decisions, custom org rules |
| **Redis 7** | KeyDB compatible | LRU cache, quota counters | | **Redis 7** | KeyDB compatible | LRU cache, quota counters |
| **MongoDB 7** | WiredTiger | SBOM & findings storage | | **PostgreSQL 16** | JSONB storage | SBOM & findings storage |
| **Angular {{ angular }} UI** | RxJS, Tailwind | Dashboard, reports, admin UX | | **Angular {{ angular }} UI** | RxJS, Tailwind | Dashboard, reports, admin UX |
--- ---
@@ -87,8 +87,8 @@ Hotplugging is deferred until after v1.0 for security review.
* If miss → pulls layers, generates SBOM. * If miss → pulls layers, generates SBOM.
* Executes plugins (mutators, additional scanners). * Executes plugins (mutators, additional scanners).
4. **Policy Engine** evaluates `scanResult` document. 4. **Policy Engine** evaluates `scanResult` document.
5. **Findings** stored in MongoDB; WebSocket event notifies UI. 5. **Findings** stored in PostgreSQL; WebSocket event notifies UI.
6. **ResultSink plugins** export to Slack, Splunk, JSON file, etc. 6. **ResultSink plugins** export to Slack, Splunk, JSON file, etc.
--- ---
@@ -121,7 +121,7 @@ Hotplugging is deferred until after v1.0 for security review.
Although the default deployment is a single container, each subservice can be Although the default deployment is a single container, each subservice can be
extracted: extracted:
* Concelier → standalone cron pod. * Concelier → standalone cron pod.
* Policy Engine → sidecar (OPA) with gRPC contract. * Policy Engine → sidecar (OPA) with gRPC contract.
* ResultSink → queue worker (RabbitMQ or Azure Service Bus). * ResultSink → queue worker (RabbitMQ or Azure Service Bus).

2
docs/advisories/aggregation.md
View File

@@ -187,7 +187,7 @@ mutate observation or linkset collections.
- **Unit tests** (`StellaOps.Concelier.Core.Tests`) validate schema guards, - **Unit tests** (`StellaOps.Concelier.Core.Tests`) validate schema guards,
deterministic linkset hashing, conflict detection fixtures, and supersedes deterministic linkset hashing, conflict detection fixtures, and supersedes
chains. chains.
- **Mongo integration tests** (`StellaOps.Concelier.Storage.Mongo.Tests`) verify - **PostgreSQL integration tests** (`StellaOps.Concelier.Storage.Postgres.Tests`) verify
indexes and idempotent writes under concurrency. indexes and idempotent writes under concurrency.
- **CLI smoke suites** confirm `stella advisories observations` and `stella - **CLI smoke suites** confirm `stella advisories observations` and `stella
advisories linksets` export stable JSON. advisories linksets` export stable JSON.

4
docs/advisory-ai/architecture.md
View File

@@ -27,7 +27,7 @@ Conseiller / Excititor / SBOM / Policy
v v
+----------------------------+ +----------------------------+
| Cache & Provenance | | Cache & Provenance |
| (Mongo + DSSE optional) | | (PostgreSQL + DSSE opt.) |
+----------------------------+ +----------------------------+
| \ | \
v v v v
@@ -48,7 +48,7 @@ Key stages:
| `AdvisoryPipelineOrchestrator` | Builds task plans, selects prompt templates, allocates token budgets. | Tenant-scoped; memoises by cache key. | | `AdvisoryPipelineOrchestrator` | Builds task plans, selects prompt templates, allocates token budgets. | Tenant-scoped; memoises by cache key. |
| `GuardrailService` | Applies redaction filters, prompt allowlists, validation schemas, and DSSE sealing. | Shares configuration with Security Guild. | | `GuardrailService` | Applies redaction filters, prompt allowlists, validation schemas, and DSSE sealing. | Shares configuration with Security Guild. |
| `ProfileRegistry` | Maps profile IDs to runtime implementations (local model, remote connector). | Enforces tenant consent and allowlists. | | `ProfileRegistry` | Maps profile IDs to runtime implementations (local model, remote connector). | Enforces tenant consent and allowlists. |
| `AdvisoryOutputStore` | Mongo collection storing cached artefacts plus provenance manifest. | TTL defaults 24h; DSSE metadata optional. | | `AdvisoryOutputStore` | PostgreSQL table storing cached artefacts plus provenance manifest. | TTL defaults 24h; DSSE metadata optional. |
| `AdvisoryPipelineWorker` | Background executor for queued jobs (future sprint once 004A wires queue). | Consumes `advisory.pipeline.execute` messages. | | `AdvisoryPipelineWorker` | Background executor for queued jobs (future sprint once 004A wires queue). | Consumes `advisory.pipeline.execute` messages. |
## 3. Data contracts ## 3. Data contracts

2
docs/advisory-ai/overview.md
View File

@@ -20,7 +20,7 @@ Advisory AI is the retrieval-augmented assistant that synthesises Conseiller (ad
| Retrievers | Fetch deterministic advisory/VEX/SBOM context, guardrail inputs, policy digests. | Conseiller, Excititor, SBOM Service, Policy Engine | | Retrievers | Fetch deterministic advisory/VEX/SBOM context, guardrail inputs, policy digests. | Conseiller, Excititor, SBOM Service, Policy Engine |
| Orchestrator | Builds `AdvisoryTaskPlan` objects (summary/conflict/remediation) with budgets and cache keys. | Deterministic toolset (AIAI-31-003), Authority scopes | | Orchestrator | Builds `AdvisoryTaskPlan` objects (summary/conflict/remediation) with budgets and cache keys. | Deterministic toolset (AIAI-31-003), Authority scopes |
| Guardrails | Enforce redaction, structured prompts, citation validation, injection defence, and DSSE sealing. | Security Guild guardrail library | | Guardrails | Enforce redaction, structured prompts, citation validation, injection defence, and DSSE sealing. | Security Guild guardrail library |
| Outputs | Persist cache entries (hash + context manifest), expose via API/CLI/Console, emit telemetry. | Mongo cache store, Export Center, Observability stack | | Outputs | Persist cache entries (hash + context manifest), expose via API/CLI/Console, emit telemetry. | PostgreSQL cache store, Export Center, Observability stack |
See `docs/modules/advisory-ai/architecture.md` for deep technical diagrams and sequence flows. See `docs/modules/advisory-ai/architecture.md` for deep technical diagrams and sequence flows.

339
docs/airgap/advisory-implementation-roadmap.md Normal file
View File

@@ -0,0 +1,339 @@
# Offline and Air-Gap Advisory Implementation Roadmap
**Source Advisory:** 14-Dec-2025 - Offline and Air-Gap Technical Reference
**Document Version:** 1.0
**Last Updated:** 2025-12-15
---
## Executive Summary
This document outlines the implementation roadmap for gaps identified between the 14-Dec-2025 Offline and Air-Gap Technical Reference advisory and the current StellaOps codebase. The implementation is organized into 5 sprints addressing security-critical, high-priority, and enhancement-level improvements.
---
## Implementation Overview
### Sprint Summary
| Sprint | Topic | Priority | Gaps | Effort | Dependencies |
|--------|-------|----------|------|--------|--------------|
| [0338](../implplan/SPRINT_0338_0001_0001_airgap_importer_core.md) | AirGap Importer Core | P0 | G6, G7 | Medium | None |
| [0339](../implplan/SPRINT_0339_0001_0001_cli_offline_commands.md) | CLI Offline Commands | P1 | G4 | Medium | 0338 |
| [0340](../implplan/SPRINT_0340_0001_0001_scanner_offline_config.md) | Scanner Offline Config | P2 | G5 | Medium | 0338 |
| [0341](../implplan/SPRINT_0341_0001_0001_observability_audit.md) | Observability & Audit | P1-P2 | G11-G14 | Medium | 0338 |
| [0342](../implplan/SPRINT_0342_0001_0001_evidence_reconciliation.md) | Evidence Reconciliation | P3 | G10 | High | 0338, 0340 |
### Dependency Graph
```
┌─────────────────────────────────────────────┐
│ │
│ Sprint 0338: AirGap Importer Core (P0) │
│ - Monotonicity enforcement (G6) │
│ - Quarantine handling (G7) │
│ │
└──────────────────┬──────────────────────────┘
┌─────────────────────┼─────────────────────┐
│ │ │
▼ ▼ ▼
┌────────────────┐ ┌────────────────┐ ┌────────────────┐
│ Sprint 0339 │ │ Sprint 0340 │ │ Sprint 0341 │
│ CLI Commands │ │ Scanner Config │ │ Observability │
│ (P1) │ │ (P2) │ │ (P1-P2) │
│ - G4 │ │ - G5 │ │ - G11-G14 │
└────────────────┘ └───────┬────────┘ └────────────────┘
┌────────────────┐
│ Sprint 0342 │
│ Evidence Recon │
│ (P3) │
│ - G10 │
└────────────────┘
```
---
## Gap-to-Sprint Mapping
### P0 - Critical (Must Implement First)
| Gap ID | Description | Sprint | Rationale |
|--------|-------------|--------|-----------|
| **G6** | Monotonicity enforcement | 0338 | Rollback prevention is security-critical; prevents replay attacks |
| **G7** | Quarantine directory handling | 0338 | Essential for forensic analysis of failed imports |
### P1 - High Priority
| Gap ID | Description | Sprint | Rationale |
|--------|-------------|--------|-----------|
| **G4** | CLI `offline` command group | 0339 | Primary operator interface; competitive parity |
| **G11** | Prometheus metrics | 0341 | Operational visibility in air-gap environments |
| **G13** | Error reason codes | 0341 | Automation and troubleshooting |
### P2 - Important
| Gap ID | Description | Sprint | Rationale |
|--------|-------------|--------|-----------|
| **G5** | Scanner offline config surface | 0340 | Enterprise trust anchor management |
| **G12** | Structured logging fields | 0341 | Log aggregation and correlation |
| **G14** | Audit schema enhancement | 0341 | Compliance and chain-of-custody |
### P3 - Lower Priority
| Gap ID | Description | Sprint | Rationale |
|--------|-------------|--------|-----------|
| **G10** | Evidence reconciliation algorithm | 0342 | Complex but valuable; VEX-first decisioning |
### Deferred (Not Implementing)
| Gap ID | Description | Rationale |
|--------|-------------|-----------|
| **G9** | YAML verification policy schema | Over-engineering; existing JSON/code config sufficient |
---
## Technical Architecture
### New Components
```
src/AirGap/
├── StellaOps.AirGap.Importer/
│ ├── Versioning/
│ │ ├── BundleVersion.cs # Sprint 0338
│ │ ├── IVersionMonotonicityChecker.cs # Sprint 0338
│ │ └── IBundleVersionStore.cs # Sprint 0338
│ ├── Quarantine/
│ │ ├── IQuarantineService.cs # Sprint 0338
│ │ ├── FileSystemQuarantineService.cs # Sprint 0338
│ │ └── QuarantineOptions.cs # Sprint 0338
│ ├── Telemetry/
│ │ ├── OfflineKitMetrics.cs # Sprint 0341
│ │ ├── OfflineKitLogFields.cs # Sprint 0341
│ │ └── OfflineKitLogScopes.cs # Sprint 0341
│ ├── Reconciliation/
│ │ ├── ArtifactIndex.cs # Sprint 0342
│ │ ├── EvidenceCollector.cs # Sprint 0342
│ │ ├── DocumentNormalizer.cs # Sprint 0342
│ │ ├── PrecedenceLattice.cs # Sprint 0342
│ │ └── EvidenceGraphEmitter.cs # Sprint 0342
src/Scanner/
├── __Libraries/StellaOps.Scanner.Core/
│ ├── Configuration/
│ │ ├── OfflineKitOptions.cs # Sprint 0340
│ │ ├── TrustAnchorConfig.cs # Sprint 0340
│ │ └── OfflineKitOptionsValidator.cs # Sprint 0340
│ └── TrustAnchors/
│ ├── PurlPatternMatcher.cs # Sprint 0340
│ ├── ITrustAnchorRegistry.cs # Sprint 0340
│ └── TrustAnchorRegistry.cs # Sprint 0340
src/Cli/
├── StellaOps.Cli/
│ ├── Commands/
│ ├── Offline/
│ │ ├── OfflineCommandGroup.cs # Sprint 0339
│ │ ├── OfflineImportHandler.cs # Sprint 0339
│ │ ├── OfflineStatusHandler.cs # Sprint 0339
│ │ └── OfflineExitCodes.cs # Sprint 0339
│ └── Verify/
│ └── VerifyOfflineHandler.cs # Sprint 0339
│ └── Output/
│ └── OfflineKitReasonCodes.cs # Sprint 0341
src/Authority/
├── __Libraries/StellaOps.Authority.Storage.Postgres/
│ └── Migrations/
│ └── 004_offline_kit_audit.sql # Sprint 0341
```
### Database Changes
| Table | Schema | Sprint | Purpose |
|-------|--------|--------|---------|
| `airgap.bundle_versions` | New | 0338 | Track active bundle versions per tenant/type |
| `airgap.bundle_version_history` | New | 0338 | Version history for audit trail |
| `authority.offline_kit_audit` | New | 0341 | Enhanced audit with Rekor/DSSE fields |
### Configuration Changes
| Section | Sprint | Fields |
|---------|--------|--------|
| `AirGap:Quarantine` | 0338 | `QuarantineRoot`, `RetentionPeriod`, `MaxQuarantineSizeBytes` |
| `Scanner:OfflineKit` | 0340 | `RequireDsse`, `RekorOfflineMode`, `TrustAnchors[]` |
### CLI Commands
| Command | Sprint | Description |
|---------|--------|-------------|
| `stellaops offline import` | 0339 | Import offline kit with verification |
| `stellaops offline status` | 0339 | Display current kit status |
| `stellaops verify offline` | 0339 | Offline evidence verification |
### Metrics
| Metric | Type | Sprint | Labels |
|--------|------|--------|--------|
| `offlinekit_import_total` | Counter | 0341 | `status`, `tenant_id` |
| `offlinekit_attestation_verify_latency_seconds` | Histogram | 0341 | `attestation_type`, `success` |
| `attestor_rekor_success_total` | Counter | 0341 | `mode` |
| `attestor_rekor_retry_total` | Counter | 0341 | `reason` |
| `rekor_inclusion_latency` | Histogram | 0341 | `success` |
---
## Implementation Sequence
### Phase 1: Foundation (Sprint 0338)
**Duration:** 1 sprint
**Focus:** Security-critical infrastructure
1. Implement `BundleVersion` model with semver parsing
2. Create `IVersionMonotonicityChecker` and Postgres store
3. Integrate monotonicity check into `ImportValidator`
4. Implement `--force-activate` with audit trail
5. Create `IQuarantineService` and file-system implementation
6. Integrate quarantine into all import failure paths
7. Write comprehensive tests
**Exit Criteria:**
- [ ] Rollback attacks are prevented
- [ ] Failed bundles are preserved for investigation
- [ ] Force activation requires justification
### Phase 2: Operator Experience (Sprints 0339, 0341)
**Duration:** 1-2 sprints (can parallelize)
**Focus:** CLI and observability
**Sprint 0339 (CLI):**
1. Create `offline` command group
2. Implement `offline import` with all flags
3. Implement `offline status` with output formats
4. Implement `verify offline` with policy loading
5. Add exit code standardization
6. Write CLI integration tests
**Sprint 0341 (Observability):**
1. Add Prometheus metrics infrastructure
2. Implement offline kit metrics
3. Standardize structured logging fields
4. Complete error reason codes
5. Create audit schema migration
6. Implement audit repository and emitter
7. Create Grafana dashboard
> Blockers: Prometheus `/metrics` endpoint hosting and audit emitter call-sites await an owning Offline Kit import/activation flow (`POST /api/offline-kit/import`).
**Exit Criteria:**
- [ ] Operators can import/verify kits via CLI
- [ ] Metrics are visible in Prometheus/Grafana
- [ ] All operations are auditable
### Phase 3: Configuration (Sprint 0340)
**Duration:** 1 sprint
**Focus:** Trust anchor management
1. Create `OfflineKitOptions` configuration class
2. Implement PURL pattern matcher
3. Create `TrustAnchorRegistry` with precedence resolution
4. Add options validation
5. Integrate trust anchors with DSSE verification
6. Update Helm chart values
7. Write configuration tests
**Exit Criteria:**
- [ ] Trust anchors configurable per ecosystem
- [ ] DSSE verification uses configured anchors
- [ ] Invalid configuration fails startup
### Phase 4: Advanced Features (Sprint 0342)
**Duration:** 1-2 sprints
**Focus:** Evidence reconciliation
1. Design artifact indexing
2. Implement evidence collection
3. Create document normalization
4. Implement VEX precedence lattice
5. Create evidence graph emitter
6. Integrate with CLI `verify offline`
7. Write golden-file determinism tests
**Exit Criteria:**
- [ ] Evidence reconciliation is deterministic
- [ ] VEX conflicts resolved by precedence
- [ ] Graph output is signed and verifiable
---
## Testing Strategy
### Unit Tests
- All new classes have corresponding test classes
- Mock dependencies for isolation
- Property-based tests for lattice operations
### Integration Tests
- Testcontainers for PostgreSQL
- Full import → verification → audit flow
- CLI command execution tests
### Determinism Tests
- Golden-file tests for evidence reconciliation
- Cross-platform validation (Windows, Linux, macOS)
- Reproducibility across runs
### Security Tests
- Monotonicity bypass attempts
- Signature verification edge cases
- Trust anchor configuration validation
---
## Documentation Updates
| Document | Sprint | Updates |
|----------|--------|---------|
| `docs/airgap/importer-scaffold.md` | 0338 | Add monotonicity, quarantine sections |
| `docs/airgap/runbooks/quarantine-investigation.md` | 0338 | New runbook |
| `docs/modules/cli/commands/offline.md` | 0339 | New command reference |
| `docs/modules/cli/guides/airgap.md` | 0339 | Update with CLI examples |
| `docs/modules/scanner/configuration.md` | 0340 | Add offline kit config section |
| `docs/airgap/observability.md` | 0341 | Metrics and logging reference |
| `docs/airgap/evidence-reconciliation.md` | 0342 | Algorithm documentation |
---
## Risk Register
| Risk | Impact | Mitigation |
|------|--------|------------|
| Monotonicity breaks existing workflows | High | Provide `--force-activate` escape hatch |
| Quarantine disk exhaustion | Medium | Implement quota and TTL cleanup |
| Trust anchor config complexity | Medium | Provide sensible defaults, validate at startup |
| Evidence reconciliation performance | Medium | Streaming processing, caching |
| Cross-platform determinism failures | High | CI matrix, golden-file tests |
---
## Success Metrics
| Metric | Target | Sprint |
|--------|--------|--------|
| Rollback attack prevention | 100% | 0338 |
| Failed bundle quarantine rate | 100% | 0338 |
| CLI command adoption | 50% operators | 0339 |
| Metric collection uptime | 99.9% | 0341 |
| Audit completeness | 100% events | 0341 |
| Reconciliation determinism | 100% | 0342 |
---
## References
- [14-Dec-2025 Offline and Air-Gap Technical Reference](../product-advisories/14-Dec-2025%20-%20Offline%20and%20Air-Gap%20Technical%20Reference.md)
- [Air-Gap Mode Playbook](./airgap-mode.md)
- [Offline Kit Documentation](../24_OFFLINE_KIT.md)
- [Importer Scaffold](./importer-scaffold.md)

6
docs/airgap/bundle-repositories.md
View File

@@ -2,7 +2,7 @@
## Scope ## Scope
- Deterministic storage for offline bundle metadata with tenant isolation (RLS) and stable ordering. - Deterministic storage for offline bundle metadata with tenant isolation (RLS) and stable ordering.
- Ready for Mongo-backed implementation while providing in-memory deterministic reference behavior. - Ready for PostgreSQL-backed implementation while providing in-memory deterministic reference behavior.
## Schema (logical) ## Schema (logical)
- `bundle_catalog`: - `bundle_catalog`:
@@ -25,13 +25,13 @@
- Models: `BundleCatalogEntry`, `BundleItem`. - Models: `BundleCatalogEntry`, `BundleItem`.
- Tests cover upsert overwrite semantics, tenant isolation, and deterministic ordering (`tests/AirGap/StellaOps.AirGap.Importer.Tests/InMemoryBundleRepositoriesTests.cs`). - Tests cover upsert overwrite semantics, tenant isolation, and deterministic ordering (`tests/AirGap/StellaOps.AirGap.Importer.Tests/InMemoryBundleRepositoriesTests.cs`).
## Migration notes (for Mongo/SQL backends) ## Migration notes (for PostgreSQL backends)
- Create compound unique indexes on (`tenant_id`, `bundle_id`) for catalog; (`tenant_id`, `bundle_id`, `path`) for items. - Create compound unique indexes on (`tenant_id`, `bundle_id`) for catalog; (`tenant_id`, `bundle_id`, `path`) for items.
- Enforce RLS by always scoping queries to `tenant_id` and validating it at repository boundary (as done in in-memory reference impl). - Enforce RLS by always scoping queries to `tenant_id` and validating it at repository boundary (as done in in-memory reference impl).
- Keep paths lowercased or use ordinal comparisons to avoid locale drift; sort before persistence to preserve determinism. - Keep paths lowercased or use ordinal comparisons to avoid locale drift; sort before persistence to preserve determinism.
## Next steps ## Next steps
- Implement Mongo-backed repositories mirroring the deterministic behavior and indexes above. - Implement PostgreSQL-backed repositories mirroring the deterministic behavior and indexes above.
- Wire repositories into importer service/CLI once storage provider is selected. - Wire repositories into importer service/CLI once storage provider is selected.
## Owners ## Owners

732
docs/airgap/epss-bundles.md Normal file
View File

@@ -0,0 +1,732 @@
# EPSS Air-Gapped Bundles Guide
## Overview
This guide describes how to create, distribute, and import EPSS (Exploit Prediction Scoring System) data bundles for air-gapped StellaOps deployments. EPSS bundles enable offline vulnerability risk scoring with the same probabilistic threat intelligence available to online deployments.
**Key Concepts**:
- **Risk Bundle**: Aggregated security data (EPSS + KEV + advisories) for offline import
- **EPSS Snapshot**: Single-day EPSS scores for all CVEs (~300k rows)
- **Staleness Threshold**: How old EPSS data can be before fallback to CVSS-only
- **Deterministic Import**: Same bundle imported twice yields identical database state
---
## Bundle Structure
### Standard Risk Bundle Layout
```
risk-bundle-2025-12-17/
├── manifest.json # Bundle metadata and checksums
├── epss/
│ ├── epss_scores-2025-12-17.csv.zst # EPSS data (ZSTD compressed)
│ └── epss_metadata.json # EPSS provenance
├── kev/
│ └── kev-catalog.json # CISA KEV catalog
├── advisories/
│ ├── nvd-updates.ndjson.zst
│ └── ghsa-updates.ndjson.zst
└── signatures/
├── bundle.dsse.json # DSSE signature (optional)
└── bundle.sha256sums # File integrity checksums
```
### manifest.json
```json
{
"bundle_id": "risk-bundle-2025-12-17",
"created_at": "2025-12-17T00:00:00Z",
"created_by": "stellaops-bundler-v1.2.3",
"bundle_type": "risk",
"schema_version": "v1",
"contents": {
"epss": {
"model_date": "2025-12-17",
"file": "epss/epss_scores-2025-12-17.csv.zst",
"sha256": "abc123...",
"size_bytes": 15728640,
"row_count": 231417
},
"kev": {
"catalog_version": "2025-12-17",
"file": "kev/kev-catalog.json",
"sha256": "def456...",
"known_exploited_count": 1247
},
"advisories": {
"nvd": {
"file": "advisories/nvd-updates.ndjson.zst",
"sha256": "ghi789...",
"record_count": 1523
},
"ghsa": {
"file": "advisories/ghsa-updates.ndjson.zst",
"sha256": "jkl012...",
"record_count": 8734
}
}
},
"signature": {
"type": "dsse",
"file": "signatures/bundle.dsse.json",
"key_id": "stellaops-bundler-2025",
"algorithm": "ed25519"
}
}
```
### epss/epss_metadata.json
```json
{
"model_date": "2025-12-17",
"model_version": "v2025.12.17",
"published_date": "2025-12-17",
"row_count": 231417,
"source_uri": "https://epss.empiricalsecurity.com/epss_scores-2025-12-17.csv.gz",
"retrieved_at": "2025-12-17T00:05:32Z",
"file_sha256": "abc123...",
"decompressed_sha256": "xyz789...",
"compression": "zstd",
"compression_level": 19
}
```
---
## Creating EPSS Bundles
### Prerequisites
**Build System Requirements**:
- Internet access (for fetching FIRST.org data)
- StellaOps Bundler CLI: `stellaops-bundler`
- ZSTD compression: `zstd` (v1.5+)
- Python 3.10+ (for verification scripts)
**Permissions**:
- Read access to FIRST.org EPSS API/CSV endpoints
- Write access to bundle staging directory
- (Optional) Signing key for DSSE signatures
### Daily Bundle Creation (Automated)
**Recommended Schedule**: Daily at 01:00 UTC (after FIRST publishes at ~00:00 UTC)
**Script**: `scripts/create-risk-bundle.sh`
```bash
#!/bin/bash
set -euo pipefail
BUNDLE_DATE=$(date -u +%Y-%m-%d)
BUNDLE_DIR="risk-bundle-${BUNDLE_DATE}"
STAGING_DIR="/tmp/stellaops-bundles/${BUNDLE_DIR}"
echo "Creating risk bundle for ${BUNDLE_DATE}..."
# 1. Create staging directory
mkdir -p "${STAGING_DIR}"/{epss,kev,advisories,signatures}
# 2. Fetch EPSS data from FIRST.org
echo "Fetching EPSS data..."
curl -sL "https://epss.empiricalsecurity.com/epss_scores-${BUNDLE_DATE}.csv.gz" \
-o "${STAGING_DIR}/epss/epss_scores-${BUNDLE_DATE}.csv.gz"
# 3. Decompress and re-compress with ZSTD (better compression for offline)
gunzip "${STAGING_DIR}/epss/epss_scores-${BUNDLE_DATE}.csv.gz"
zstd -19 -q "${STAGING_DIR}/epss/epss_scores-${BUNDLE_DATE}.csv" \
-o "${STAGING_DIR}/epss/epss_scores-${BUNDLE_DATE}.csv.zst"
rm "${STAGING_DIR}/epss/epss_scores-${BUNDLE_DATE}.csv"
# 4. Generate EPSS metadata
stellaops-bundler epss metadata \
--file "${STAGING_DIR}/epss/epss_scores-${BUNDLE_DATE}.csv.zst" \
--model-date "${BUNDLE_DATE}" \
--output "${STAGING_DIR}/epss/epss_metadata.json"
# 5. Fetch KEV catalog
echo "Fetching KEV catalog..."
curl -sL "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" \
-o "${STAGING_DIR}/kev/kev-catalog.json"
# 6. Fetch advisory updates (optional, for comprehensive bundles)
# stellaops-bundler advisories fetch ...
# 7. Generate checksums
echo "Generating checksums..."
(cd "${STAGING_DIR}" && find . -type f ! -name "*.sha256sums" -exec sha256sum {} \;) \
> "${STAGING_DIR}/signatures/bundle.sha256sums"
# 8. Generate manifest
stellaops-bundler manifest create \
--bundle-dir "${STAGING_DIR}" \
--bundle-id "${BUNDLE_DIR}" \
--output "${STAGING_DIR}/manifest.json"
# 9. Sign bundle (if signing key available)
if [ -n "${SIGNING_KEY:-}" ]; then
echo "Signing bundle..."
stellaops-bundler sign \
--manifest "${STAGING_DIR}/manifest.json" \
--key "${SIGNING_KEY}" \
--output "${STAGING_DIR}/signatures/bundle.dsse.json"
fi
# 10. Create tarball
echo "Creating tarball..."
tar -C "$(dirname "${STAGING_DIR}")" -czf "/var/stellaops/bundles/${BUNDLE_DIR}.tar.gz" \
"$(basename "${STAGING_DIR}")"
echo "Bundle created: /var/stellaops/bundles/${BUNDLE_DIR}.tar.gz"
echo "Size: $(du -h /var/stellaops/bundles/${BUNDLE_DIR}.tar.gz | cut -f1)"
# 11. Verify bundle
stellaops-bundler verify "/var/stellaops/bundles/${BUNDLE_DIR}.tar.gz"
```
**Cron Schedule**:
```cron
# Daily at 01:00 UTC (after FIRST publishes EPSS at ~00:00 UTC)
0 1 * * * /opt/stellaops/scripts/create-risk-bundle.sh >> /var/log/stellaops/bundler.log 2>&1
```
---
## Distributing Bundles
### Transfer Methods
#### 1. Physical Media (Highest Security)
```bash
# Copy to USB drive
cp /var/stellaops/bundles/risk-bundle-2025-12-17.tar.gz /media/usb/stellaops/
# Verify checksum
sha256sum /media/usb/stellaops/risk-bundle-2025-12-17.tar.gz
```
#### 2. Secure File Transfer (Network Isolation)
```bash
# SCP over dedicated management network
scp /var/stellaops/bundles/risk-bundle-2025-12-17.tar.gz \
admin@airgap-gateway.internal:/incoming/
# Verify after transfer
ssh admin@airgap-gateway.internal \
"sha256sum /incoming/risk-bundle-2025-12-17.tar.gz"
```
#### 3. Offline Bundle Repository (CD/DVD)
```bash
# Burn to CD/DVD (for regulated industries)
growisofs -Z /dev/sr0 \
-R -J -joliet-long \
-V "StellaOps Risk Bundle 2025-12-17" \
/var/stellaops/bundles/risk-bundle-2025-12-17.tar.gz
# Verify disc
md5sum /dev/sr0 > risk-bundle-2025-12-17.md5
```
### Storage Recommendations
**Bundle Retention**:
- **Online bundler**: Keep last 90 days (rolling cleanup)
- **Air-gapped system**: Keep last 30 days minimum (for rollback)
**Naming Convention**:
- Pattern: `risk-bundle-YYYY-MM-DD.tar.gz`
- Example: `risk-bundle-2025-12-17.tar.gz`
**Directory Structure** (air-gapped system):
```
/opt/stellaops/bundles/
├── incoming/ # Transfer staging area
├── verified/ # Verified, ready to import
├── imported/ # Successfully imported (archive)
└── failed/ # Failed verification/import (quarantine)
```
---
## Importing Bundles (Air-Gapped System)
### Pre-Import Verification
**Step 1: Transfer to Verified Directory**
```bash
# Transfer from incoming to verified (manual approval gate)
sudo mv /opt/stellaops/bundles/incoming/risk-bundle-2025-12-17.tar.gz \
/opt/stellaops/bundles/verified/
```
**Step 2: Verify Bundle Integrity**
```bash
# Extract bundle
cd /opt/stellaops/bundles/verified
tar -xzf risk-bundle-2025-12-17.tar.gz
# Verify checksums
cd risk-bundle-2025-12-17
sha256sum -c signatures/bundle.sha256sums
# Expected output:
# epss/epss_scores-2025-12-17.csv.zst: OK
# epss/epss_metadata.json: OK
# kev/kev-catalog.json: OK
# manifest.json: OK
```
**Step 3: Verify DSSE Signature (if signed)**
```bash
stellaops-bundler verify-signature \
--manifest manifest.json \
--signature signatures/bundle.dsse.json \
--trusted-keys /etc/stellaops/trusted-keys.json
# Expected output:
# ✓ Signature valid
# ✓ Key ID: stellaops-bundler-2025
# ✓ Signed at: 2025-12-17T01:05:00Z
```
### Import Procedure
**Step 4: Import Bundle**
```bash
# Import using stellaops CLI
stellaops offline import \
--bundle /opt/stellaops/bundles/verified/risk-bundle-2025-12-17.tar.gz \
--verify \
--dry-run
# Review dry-run output, then execute
stellaops offline import \
--bundle /opt/stellaops/bundles/verified/risk-bundle-2025-12-17.tar.gz \
--verify
```
**Import Output**:
```
Importing risk bundle: risk-bundle-2025-12-17
✓ Manifest validated
✓ Checksums verified
✓ Signature verified
Importing EPSS data...
Model Date: 2025-12-17
Row Count: 231,417
✓ epss_import_runs created (import_run_id: 550e8400-...)
✓ epss_scores inserted (231,417 rows, 23.4s)
✓ epss_changes computed (12,345 changes, 8.1s)
✓ epss_current upserted (231,417 rows, 5.2s)
✓ Event emitted: epss.updated
Importing KEV catalog...
Known Exploited Count: 1,247
✓ kev_catalog updated
Import completed successfully in 41.2s
```
**Step 5: Verify Import**
```bash
# Check EPSS status
stellaops epss status
# Expected output:
# EPSS Status:
# Latest Model Date: 2025-12-17
# Source: bundle://risk-bundle-2025-12-17
# CVE Count: 231,417
# Staleness: FRESH (0 days)
# Import Time: 2025-12-17T10:30:00Z
# Query specific CVE to verify
stellaops epss get CVE-2024-12345
# Expected output:
# CVE-2024-12345
# Score: 0.42357
# Percentile: 88.2th
# Model Date: 2025-12-17
# Source: bundle://risk-bundle-2025-12-17
```
**Step 6: Archive Imported Bundle**
```bash
# Move to imported archive
sudo mv /opt/stellaops/bundles/verified/risk-bundle-2025-12-17.tar.gz \
/opt/stellaops/bundles/imported/
```
---
## Automation (Air-Gapped System)
### Automated Import on Arrival
**Script**: `/opt/stellaops/scripts/auto-import-bundle.sh`
```bash
#!/bin/bash
set -euo pipefail
INCOMING_DIR="/opt/stellaops/bundles/incoming"
VERIFIED_DIR="/opt/stellaops/bundles/verified"
IMPORTED_DIR="/opt/stellaops/bundles/imported"
FAILED_DIR="/opt/stellaops/bundles/failed"
LOG_FILE="/var/log/stellaops/auto-import.log"
log() {
echo "[$(date -Iseconds)] $*" | tee -a "${LOG_FILE}"
}
# Watch for new bundles in incoming/
for bundle in "${INCOMING_DIR}"/risk-bundle-*.tar.gz; do
[ -f "${bundle}" ] || continue
BUNDLE_NAME=$(basename "${bundle}")
log "Detected new bundle: ${BUNDLE_NAME}"
# Extract
EXTRACT_DIR="${VERIFIED_DIR}/${BUNDLE_NAME%.tar.gz}"
mkdir -p "${EXTRACT_DIR}"
tar -xzf "${bundle}" -C "${VERIFIED_DIR}"
# Verify checksums
if ! (cd "${EXTRACT_DIR}" && sha256sum -c signatures/bundle.sha256sums > /dev/null 2>&1); then
log "ERROR: Checksum verification failed for ${BUNDLE_NAME}"
mv "${bundle}" "${FAILED_DIR}/"
rm -rf "${EXTRACT_DIR}"
continue
fi
log "Checksum verification passed"
# Verify signature (if present)
if [ -f "${EXTRACT_DIR}/signatures/bundle.dsse.json" ]; then
if ! stellaops-bundler verify-signature \
--manifest "${EXTRACT_DIR}/manifest.json" \
--signature "${EXTRACT_DIR}/signatures/bundle.dsse.json" \
--trusted-keys /etc/stellaops/trusted-keys.json > /dev/null 2>&1; then
log "ERROR: Signature verification failed for ${BUNDLE_NAME}"
mv "${bundle}" "${FAILED_DIR}/"
rm -rf "${EXTRACT_DIR}"
continue
fi
log "Signature verification passed"
fi
# Import
if stellaops offline import --bundle "${bundle}" --verify >> "${LOG_FILE}" 2>&1; then
log "Import successful for ${BUNDLE_NAME}"
mv "${bundle}" "${IMPORTED_DIR}/"
rm -rf "${EXTRACT_DIR}"
else
log "ERROR: Import failed for ${BUNDLE_NAME}"
mv "${bundle}" "${FAILED_DIR}/"
fi
done
```
**Systemd Service**: `/etc/systemd/system/stellaops-bundle-watcher.service`
```ini
[Unit]
Description=StellaOps Bundle Auto-Import Watcher
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/inotifywait -m -e close_write --format '%w%f' /opt/stellaops/bundles/incoming | \
while read file; do /opt/stellaops/scripts/auto-import-bundle.sh; done
Restart=always
RestartSec=10
User=stellaops
Group=stellaops
[Install]
WantedBy=multi-user.target
```
**Enable Service**:
```bash
sudo systemctl enable stellaops-bundle-watcher
sudo systemctl start stellaops-bundle-watcher
```
---
## Staleness Handling
### Staleness Thresholds
| Days Since Model Date | Status | Action |
|-----------------------|--------|--------|
| 0-1 | FRESH | Normal operation |
| 2-7 | ACCEPTABLE | Continue, low-priority alert |
| 8-14 | STALE | Alert, plan bundle import |
| 15+ | VERY_STALE | Fallback to CVSS-only, urgent alert |
### Monitoring Staleness
**SQL Query**:
```sql
SELECT * FROM concelier.epss_model_staleness;
-- Output:
-- latest_model_date | latest_import_at | days_stale | staleness_status
-- 2025-12-10 | 2025-12-10 10:30:00+00 | 7 | ACCEPTABLE
```
**Prometheus Metric**:
```promql
epss_model_staleness_days{instance="airgap-prod"}
# Alert rule:
- alert: EpssDataStale
expr: epss_model_staleness_days > 7
for: 1h
labels:
severity: warning
annotations:
summary: "EPSS data is stale ({{ $value }} days old)"
```
### Fallback Behavior
When EPSS data is VERY_STALE (>14 days):
**Automatic Fallback**:
- Scanner: Skip EPSS evidence, log warning
- Policy: Use CVSS-only scoring (no EPSS bonus)
- Notifications: Disabled EPSS-based alerts
- UI: Show staleness banner, disable EPSS filters
**Manual Override** (force continue using stale data):
```yaml
# etc/scanner.yaml
scanner:
epss:
staleness_policy: continue # Options: fallback, continue, error
max_staleness_days: 30 # Override 14-day default
```
---
## Troubleshooting
### Bundle Import Failed: Checksum Mismatch
**Symptom**:
```
ERROR: Checksum verification failed
epss/epss_scores-2025-12-17.csv.zst: FAILED
```
**Diagnosis**:
1. Verify bundle was not corrupted during transfer:
```bash
# Compare with original
sha256sum risk-bundle-2025-12-17.tar.gz
```
2. Re-transfer bundle from source
**Resolution**:
- Delete corrupted bundle: `rm risk-bundle-2025-12-17.tar.gz`
- Re-download/re-transfer from bundler system
### Bundle Import Failed: Signature Invalid
**Symptom**:
```
ERROR: Signature verification failed
Invalid signature or untrusted key
```
**Diagnosis**:
1. Check trusted keys configured:
```bash
cat /etc/stellaops/trusted-keys.json
```
2. Verify key ID in bundle signature matches:
```bash
jq '.signature.key_id' manifest.json
```
**Resolution**:
- Update trusted keys file with current bundler public key
- Or: Skip signature verification (if signatures optional):
```bash
stellaops offline import --bundle risk-bundle-2025-12-17.tar.gz --skip-signature-verify
```
### No EPSS Data After Import
**Symptom**:
- Import succeeded, but `stellaops epss status` shows "No EPSS data"
**Diagnosis**:
```sql
-- Check import runs
SELECT * FROM concelier.epss_import_runs ORDER BY created_at DESC LIMIT 1;
-- Check epss_current count
SELECT COUNT(*) FROM concelier.epss_current;
```
**Resolution**:
1. If import_runs shows FAILED status:
- Check error column: `SELECT error FROM concelier.epss_import_runs WHERE status = 'FAILED'`
- Re-run import with verbose logging
2. If epss_current is empty:
- Manually trigger upsert:
```sql
-- Re-run upsert for latest model_date
-- (This SQL is safe to re-run)
INSERT INTO concelier.epss_current (cve_id, epss_score, percentile, model_date, import_run_id, updated_at)
SELECT s.cve_id, s.epss_score, s.percentile, s.model_date, s.import_run_id, NOW()
FROM concelier.epss_scores s
WHERE s.model_date = (SELECT MAX(model_date) FROM concelier.epss_import_runs WHERE status = 'SUCCEEDED')
ON CONFLICT (cve_id) DO UPDATE SET
epss_score = EXCLUDED.epss_score,
percentile = EXCLUDED.percentile,
model_date = EXCLUDED.model_date,
import_run_id = EXCLUDED.import_run_id,
updated_at = NOW();
```
---
## Best Practices
### 1. Weekly Bundle Import Cadence
**Recommended Schedule**:
- **Minimum**: Weekly (every Monday)
- **Preferred**: Bi-weekly (Monday & Thursday)
- **Ideal**: Daily (if transfer logistics allow)
### 2. Bundle Verification Checklist
Before importing:
- [ ] Checksum verification passed
- [ ] Signature verification passed (if signed)
- [ ] Model date within acceptable staleness window
- [ ] Disk space available (estimate: 500MB per bundle)
- [ ] Backup current EPSS data (for rollback)
### 3. Rollback Plan
If new bundle causes issues:
```bash
# 1. Identify problematic import_run_id
SELECT import_run_id, model_date, status
FROM concelier.epss_import_runs
ORDER BY created_at DESC LIMIT 5;
# 2. Delete problematic import (cascades to epss_scores, epss_changes)
DELETE FROM concelier.epss_import_runs
WHERE import_run_id = '550e8400-...';
# 3. Restore epss_current from previous day
-- (Upsert from previous model_date as shown in troubleshooting)
# 4. Verify rollback
stellaops epss status
```
### 4. Audit Trail
Log all bundle imports for compliance:
**Audit Log Format** (`/var/log/stellaops/bundle-audit.log`):
```json
{
"timestamp": "2025-12-17T10:30:00Z",
"action": "import",
"bundle_id": "risk-bundle-2025-12-17",
"bundle_sha256": "abc123...",
"imported_by": "admin@example.com",
"import_run_id": "550e8400-e29b-41d4-a716-446655440000",
"result": "SUCCESS",
"row_count": 231417,
"duration_seconds": 41.2
}
```
---
## Appendix: Bundle Creation Tools
### stellaops-bundler CLI Reference
```bash
# Create EPSS metadata
stellaops-bundler epss metadata \
--file epss_scores-2025-12-17.csv.zst \
--model-date 2025-12-17 \
--output epss_metadata.json
# Create manifest
stellaops-bundler manifest create \
--bundle-dir risk-bundle-2025-12-17 \
--bundle-id risk-bundle-2025-12-17 \
--output manifest.json
# Sign bundle
stellaops-bundler sign \
--manifest manifest.json \
--key /path/to/signing-key.pem \
--output bundle.dsse.json
# Verify bundle
stellaops-bundler verify risk-bundle-2025-12-17.tar.gz
```
### Custom Bundle Scripts
Example for creating weekly bundles (7-day snapshots):
```bash
#!/bin/bash
# create-weekly-bundle.sh
WEEK_START=$(date -u -d "last monday" +%Y-%m-%d)
WEEK_END=$(date -u +%Y-%m-%d)
BUNDLE_ID="risk-bundle-weekly-${WEEK_START}"
echo "Creating weekly bundle: ${BUNDLE_ID}"
for day in $(seq 0 6); do
CURRENT_DATE=$(date -u -d "${WEEK_START} + ${day} days" +%Y-%m-%d)
# Fetch EPSS for each day...
curl -sL "https://epss.empiricalsecurity.com/epss_scores-${CURRENT_DATE}.csv.gz" \
-o "epss/epss_scores-${CURRENT_DATE}.csv.gz"
done
# Compress and bundle...
tar -czf "${BUNDLE_ID}.tar.gz" epss/ kev/ manifest.json
```
---
**Last Updated**: 2025-12-17
**Version**: 1.0
**Maintainer**: StellaOps Operations Team

9
docs/airgap/importer-scaffold.md
View File

@@ -18,13 +18,20 @@
- Expanded tests for DSSE, TUF, Merkle helpers. - Expanded tests for DSSE, TUF, Merkle helpers.
- Added trust store + root rotation policy (dual approval) and import validator that coordinates DSSE/TUF/Merkle/rotation checks. - Added trust store + root rotation policy (dual approval) and import validator that coordinates DSSE/TUF/Merkle/rotation checks.
## Updates (2025-12-15)
- Added monotonicity enforcement primitives under `src/AirGap/StellaOps.AirGap.Importer/Versioning/` (`BundleVersion`, `IVersionMonotonicityChecker`, `IBundleVersionStore`).
- Added file-based quarantine service under `src/AirGap/StellaOps.AirGap.Importer/Quarantine/` (`IQuarantineService`, `FileSystemQuarantineService`, `QuarantineOptions`).
- Updated `ImportValidator` to include monotonicity checks, force-activate support (requires reason), and quarantine on validation failures.
- Added Postgres-backed bundle version tracking in `src/AirGap/StellaOps.AirGap.Storage.Postgres/Repositories/PostgresBundleVersionStore.cs` and registration via `src/AirGap/StellaOps.AirGap.Storage.Postgres/ServiceCollectionExtensions.cs`.
- Updated tests in `tests/AirGap/StellaOps.AirGap.Importer.Tests` to cover versioning/quarantine and the new import validator behavior.
## Next implementation hooks ## Next implementation hooks
- Replace placeholder plan with actual DSSE + TUF verifiers; keep step ordering stable. - Replace placeholder plan with actual DSSE + TUF verifiers; keep step ordering stable.
- Feed trust roots from sealed-mode config and Evidence Locker bundles (once available) before allowing imports. - Feed trust roots from sealed-mode config and Evidence Locker bundles (once available) before allowing imports.
- Record audit trail for each plan step (success/failure) and a Merkle root of staged content. - Record audit trail for each plan step (success/failure) and a Merkle root of staged content.
## Determinism/air-gap posture ## Determinism/air-gap posture
- No network dependencies; only BCL used. - No network dependencies; BCL + `Microsoft.Extensions.*` only.
- Tests use cached local NuGet feed (`local-nugets/`). - Tests use cached local NuGet feed (`local-nugets/`).
- Plan steps are ordered list; do not reorder without bumping downstream replay expectations. - Plan steps are ordered list; do not reorder without bumping downstream replay expectations.

213
docs/airgap/offline-bundle-format.md Normal file
View File

@@ -0,0 +1,213 @@
# Offline Bundle Format (.stella.bundle.tgz)
> Sprint: SPRINT_3603_0001_0001
> Module: ExportCenter
This document describes the `.stella.bundle.tgz` format for portable, signed, verifiable evidence packages.
## Overview
The offline bundle is a self-contained archive containing all evidence and artifacts needed for offline triage of security findings. Bundles are:
- **Portable**: Single file that can be transferred to air-gapped environments
- **Signed**: DSSE-signed manifest for authenticity verification
- **Verifiable**: Content-addressable with SHA-256 hashes for integrity
- **Complete**: Contains all data needed for offline decision-making
## File Format
```
{alert-id}.stella.bundle.tgz
├── manifest.json # Bundle manifest (DSSE-signed)
├── metadata/
│ ├── alert.json # Alert metadata snapshot
│ └── generation-info.json # Bundle generation metadata
├── evidence/
│ ├── reachability-proof.json # Call-graph reachability evidence
│ ├── callstack.json # Exploitability call stacks
│ └── provenance.json # Build provenance attestations
├── vex/
│ ├── decisions.ndjson # VEX decision history (NDJSON)
│ └── current-status.json # Current VEX status
├── sbom/
│ ├── current.cdx.json # Current SBOM slice (CycloneDX)
│ └── baseline.cdx.json # Baseline SBOM for diff
├── diff/
│ └── sbom-delta.json # SBOM delta changes
└── attestations/
├── bundle.dsse.json # DSSE envelope for bundle
└── evidence.dsse.json # Evidence attestation chain
```
## Manifest Schema
The `manifest.json` file follows this schema:
```json
{
"bundle_format_version": "1.0.0",
"bundle_id": "abc123def456...",
"alert_id": "alert-789",
"created_at": "2024-12-15T10:00:00Z",
"created_by": "user@example.com",
"stellaops_version": "1.5.0",
"entries": [
{
"path": "metadata/alert.json",
"hash": "sha256:...",
"size": 1234,
"content_type": "application/json"
}
],
"root_hash": "sha256:...",
"signature": {
"algorithm": "ES256",
"key_id": "signing-key-001",
"value": "..."
}
}
```
### Manifest Fields
| Field | Type | Required | Description |
|-------|------|----------|-------------|
| `bundle_format_version` | string | Yes | Format version (semver) |
| `bundle_id` | string | Yes | Unique bundle identifier |
| `alert_id` | string | Yes | Source alert identifier |
| `created_at` | ISO 8601 | Yes | Bundle creation timestamp (UTC) |
| `created_by` | string | Yes | Actor who created the bundle |
| `stellaops_version` | string | Yes | StellaOps version that created bundle |
| `entries` | array | Yes | List of content entries with hashes |
| `root_hash` | string | Yes | Merkle root of all entry hashes |
| `signature` | object | No | DSSE signature (if signed) |
## Entry Schema
Each entry in the manifest:
```json
{
"path": "evidence/reachability-proof.json",
"hash": "sha256:abc123...",
"size": 2048,
"content_type": "application/json",
"compression": null
}
```
## DSSE Signing
Bundles support DSSE (Dead Simple Signing Envelope) signing:
```json
{
"payloadType": "application/vnd.stellaops.bundle.manifest+json",
"payload": "<base64-encoded manifest>",
"signatures": [
{
"keyid": "signing-key-001",
"sig": "<base64-encoded signature>"
}
]
}
```
## Creation
### API Endpoint
```http
GET /v1/alerts/{alertId}/bundle
Authorization: Bearer <token>
Response: application/gzip
Content-Disposition: attachment; filename="alert-123.stella.bundle.tgz"
```
### Programmatic
```csharp
var packager = services.GetRequiredService<IOfflineBundlePackager>();
var result = await packager.CreateBundleAsync(new BundleRequest
{
AlertId = "alert-123",
ActorId = "user@example.com",
IncludeVexHistory = true,
IncludeSbomSlice = true
});
// result.Content contains the tarball stream
// result.ManifestHash contains the verification hash
```
## Verification
### API Endpoint
```http
POST /v1/alerts/{alertId}/bundle/verify
Content-Type: application/json
{
"bundle_hash": "sha256:abc123...",
"signature": "<optional DSSE signature>"
}
Response:
{
"is_valid": true,
"hash_valid": true,
"chain_valid": true,
"signature_valid": true,
"verified_at": "2024-12-15T10:00:00Z"
}
```
### Programmatic
```csharp
var verification = await packager.VerifyBundleAsync(
bundlePath: "/path/to/bundle.stella.bundle.tgz",
expectedHash: "sha256:abc123...");
if (!verification.IsValid)
{
Console.WriteLine($"Verification failed: {string.Join(", ", verification.Errors)}");
}
```
## CLI Usage
```bash
# Export bundle
stellaops alert bundle export --alert-id alert-123 --output ./bundles/
# Verify bundle
stellaops alert bundle verify --file ./bundles/alert-123.stella.bundle.tgz
# Import bundle (air-gapped instance)
stellaops alert bundle import --file ./bundles/alert-123.stella.bundle.tgz
```
## Security Considerations
1. **Hash Verification**: Always verify bundle hash before processing
2. **Signature Validation**: Verify DSSE signature if present
3. **Content Validation**: Validate JSON schemas after extraction
4. **Size Limits**: Enforce maximum bundle size limits (default: 100MB)
5. **Path Traversal**: Tarball extraction must prevent path traversal attacks
## Versioning
| Format Version | Changes | Min StellaOps Version |
|----------------|---------|----------------------|
| 1.0.0 | Initial format | 1.0.0 |
## Related Documentation
- [Evidence Bundle Envelope](./evidence-bundle-envelope.md)
- [DSSE Signing Guide](./dsse-signing.md)
- [Offline Kit Guide](../10_OFFLINE_KIT.md)
- [API Reference](../api/evidence-decision-api.openapi.yaml)

518
docs/airgap/offline-parity-verification.md Normal file
View File

@@ -0,0 +1,518 @@
# Offline Parity Verification
**Last Updated:** 2025-12-14
**Next Review:** 2026-03-14
---
## Overview
This document defines the methodology for verifying that StellaOps scanner produces **identical results** in offline/air-gapped environments compared to connected deployments. Parity verification ensures that security decisions made in disconnected environments are equivalent to those made with full network access.
---
## 1. PARITY VERIFICATION OBJECTIVES
### 1.1 Core Guarantees
| Guarantee | Description | Target |
|-----------|-------------|--------|
| **Bitwise Fidelity** | Scan outputs are byte-identical offline vs online | 100% |
| **Semantic Fidelity** | Same vulnerabilities, severities, and verdicts | 100% |
| **Temporal Parity** | Same results given identical feed snapshots | 100% |
| **Policy Parity** | Same pass/fail decisions with identical policies | 100% |
### 1.2 What Parity Does NOT Cover
- **Feed freshness**: Offline feeds may be hours/days behind live feeds (by design)
- **Network-only enrichment**: EPSS lookups, live KEV checks (graceful degradation applies)
- **Transparency log submission**: Rekor entries created only when connected
---
## 2. TEST METHODOLOGY
### 2.1 Environment Configuration
#### Connected Environment
```yaml
environment:
mode: connected
network: enabled
feeds:
sources: [osv, ghsa, nvd]
refresh: live
rekor: enabled
epss: enabled
timestamp_source: ntp
```
#### Offline Environment
```yaml
environment:
mode: offline
network: disabled
feeds:
sources: [local-bundle]
refresh: none
rekor: offline-snapshot
epss: bundled-cache
timestamp_source: frozen
timestamp_value: "2025-12-14T00:00:00Z"
```
### 2.2 Test Procedure
```
PARITY VERIFICATION PROCEDURE v1.0
══════════════════════════════════
PHASE 1: BUNDLE CAPTURE (Connected Environment)
─────────────────────────────────────────────────
1. Capture current feed state:
- Record feed version/digest
- Snapshot EPSS scores (top 1000 CVEs)
- Record KEV list state
2. Run connected scan:
stellaops scan --image <test-image> \
--format json \
--output connected-scan.json \
--receipt connected-receipt.json
3. Export offline bundle:
stellaops offline bundle export \
--feeds-snapshot \
--epss-cache \
--output parity-bundle-$(date +%Y%m%d).tar.zst
PHASE 2: OFFLINE SCAN (Air-Gapped Environment)
───────────────────────────────────────────────
1. Import bundle:
stellaops offline bundle import parity-bundle-*.tar.zst
2. Freeze clock to bundle timestamp:
export STELLAOPS_DETERMINISM_TIMESTAMP="2025-12-14T00:00:00Z"
3. Run offline scan:
stellaops scan --image <test-image> \
--format json \
--output offline-scan.json \
--receipt offline-receipt.json \
--offline-mode
PHASE 3: PARITY COMPARISON
──────────────────────────
1. Compare findings digests:
diff <(jq -S '.findings | sort_by(.id)' connected-scan.json) \
<(jq -S '.findings | sort_by(.id)' offline-scan.json)
2. Compare policy decisions:
diff <(jq -S '.policyDecision' connected-scan.json) \
<(jq -S '.policyDecision' offline-scan.json)
3. Compare receipt input hashes:
jq '.inputHash' connected-receipt.json
jq '.inputHash' offline-receipt.json
# MUST be identical if same bundle used
PHASE 4: RECORD RESULTS
───────────────────────
1. Generate parity report:
stellaops parity report \
--connected connected-scan.json \
--offline offline-scan.json \
--output parity-report-$(date +%Y%m%d).json
```
### 2.3 Test Image Matrix
Run parity tests against this representative image set:
| Image | Category | Expected Vulns | Notes |
|-------|----------|----------------|-------|
| `alpine:3.19` | Minimal | ~5 | Fast baseline |
| `debian:12-slim` | Standard | ~40 | OS package focus |
| `node:20-alpine` | Application | ~100 | npm + OS packages |
| `python:3.12` | Application | ~150 | pip + OS packages |
| `dotnet/aspnet:8.0` | Application | ~75 | NuGet + OS packages |
| `postgres:16-alpine` | Database | ~70 | Database + OS |
---
## 3. COMPARISON CRITERIA
### 3.1 Bitwise Comparison
Compare canonical JSON outputs after normalization:
```bash
# Canonical comparison script
canonical_compare() {
local connected="$1"
local offline="$2"
# Normalize both outputs
jq -S . "$connected" > /tmp/connected-canonical.json
jq -S . "$offline" > /tmp/offline-canonical.json
# Compute hashes
CONNECTED_HASH=$(sha256sum /tmp/connected-canonical.json | cut -d' ' -f1)
OFFLINE_HASH=$(sha256sum /tmp/offline-canonical.json | cut -d' ' -f1)
if [[ "$CONNECTED_HASH" == "$OFFLINE_HASH" ]]; then
echo "PASS: Bitwise identical"
return 0
else
echo "FAIL: Hash mismatch"
echo " Connected: $CONNECTED_HASH"
echo " Offline: $OFFLINE_HASH"
diff --color /tmp/connected-canonical.json /tmp/offline-canonical.json
return 1
fi
}
```
### 3.2 Semantic Comparison
When bitwise comparison fails, perform semantic comparison:
| Field | Comparison Rule | Allowed Variance |
|-------|-----------------|------------------|
| `findings[].id` | Exact match | None |
| `findings[].severity` | Exact match | None |
| `findings[].cvss.score` | Exact match | None |
| `findings[].cvss.vector` | Exact match | None |
| `findings[].affected` | Exact match | None |
| `findings[].reachability` | Exact match | None |
| `sbom.components[].purl` | Exact match | None |
| `sbom.components[].version` | Exact match | None |
| `metadata.timestamp` | Ignored | Expected to differ |
| `metadata.scanId` | Ignored | Expected to differ |
| `metadata.environment` | Ignored | Expected to differ |
### 3.3 Fields Excluded from Comparison
These fields are expected to differ and are excluded from parity checks:
```json
{
"excludedFields": [
"$.metadata.scanId",
"$.metadata.timestamp",
"$.metadata.hostname",
"$.metadata.environment.network",
"$.attestations[*].rekorEntry",
"$.metadata.epssEnrichedAt"
]
}
```
### 3.4 Graceful Degradation Fields
Fields that may be absent in offline mode (acceptable):
| Field | Online | Offline | Parity Rule |
|-------|--------|---------|-------------|
| `epssScore` | Present | May be stale/absent | Check if bundled |
| `kevStatus` | Live | Bundled snapshot | Compare against bundle date |
| `rekorEntry` | Present | Absent | Exclude from comparison |
| `fulcioChain` | Present | Absent | Exclude from comparison |
---
## 4. AUTOMATED PARITY CI
### 4.1 CI Workflow
```yaml
# .gitea/workflows/offline-parity.yml
name: Offline Parity Verification
on:
schedule:
- cron: '0 3 * * 1' # Weekly Monday 3am
workflow_dispatch:
jobs:
parity-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: '10.0.x'
- name: Set determinism environment
run: |
echo "TZ=UTC" >> $GITHUB_ENV
echo "LC_ALL=C" >> $GITHUB_ENV
echo "STELLAOPS_DETERMINISM_SEED=42" >> $GITHUB_ENV
- name: Capture connected baseline
run: scripts/parity/capture-connected.sh
- name: Export offline bundle
run: scripts/parity/export-bundle.sh
- name: Run offline scan (sandboxed)
run: |
docker run --network none \
-v $(pwd)/bundle:/bundle:ro \
-v $(pwd)/results:/results \
stellaops/scanner:latest \
scan --offline-mode --bundle /bundle
- name: Compare parity
run: scripts/parity/compare-parity.sh
- name: Upload parity report
uses: actions/upload-artifact@v4
with:
name: parity-report
path: results/parity-report-*.json
```
### 4.2 Parity Test Script
```bash
#!/bin/bash
# scripts/parity/compare-parity.sh
set -euo pipefail
CONNECTED_DIR="results/connected"
OFFLINE_DIR="results/offline"
REPORT_FILE="results/parity-report-$(date +%Y%m%d).json"
declare -a IMAGES=(
"alpine:3.19"
"debian:12-slim"
"node:20-alpine"
"python:3.12"
"mcr.microsoft.com/dotnet/aspnet:8.0"
"postgres:16-alpine"
)
TOTAL=0
PASSED=0
FAILED=0
RESULTS=()
for image in "${IMAGES[@]}"; do
TOTAL=$((TOTAL + 1))
image_hash=$(echo "$image" | sha256sum | cut -c1-12)
connected_file="${CONNECTED_DIR}/${image_hash}-scan.json"
offline_file="${OFFLINE_DIR}/${image_hash}-scan.json"
# Compare findings
connected_findings=$(jq -S '.findings | sort_by(.id) | map(del(.metadata.timestamp))' "$connected_file")
offline_findings=$(jq -S '.findings | sort_by(.id) | map(del(.metadata.timestamp))' "$offline_file")
connected_hash=$(echo "$connected_findings" | sha256sum | cut -d' ' -f1)
offline_hash=$(echo "$offline_findings" | sha256sum | cut -d' ' -f1)
if [[ "$connected_hash" == "$offline_hash" ]]; then
PASSED=$((PASSED + 1))
status="PASS"
else
FAILED=$((FAILED + 1))
status="FAIL"
fi
RESULTS+=("{\"image\":\"$image\",\"status\":\"$status\",\"connectedHash\":\"$connected_hash\",\"offlineHash\":\"$offline_hash\"}")
done
# Generate report
cat > "$REPORT_FILE" <<EOF
{
"reportDate": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
"bundleVersion": "$(cat bundle/version.txt)",
"summary": {
"total": $TOTAL,
"passed": $PASSED,
"failed": $FAILED,
"parityRate": $(echo "scale=4; $PASSED / $TOTAL" | bc)
},
"results": [$(IFS=,; echo "${RESULTS[*]}")]
}
EOF
echo "Parity Report: $PASSED/$TOTAL passed ($(echo "scale=2; $PASSED * 100 / $TOTAL" | bc)%)"
if [[ $FAILED -gt 0 ]]; then
echo "PARITY VERIFICATION FAILED"
exit 1
fi
```
---
## 5. PARITY RESULTS
### 5.1 Latest Verification Results
| Date | Bundle Version | Images Tested | Parity Rate | Notes |
|------|---------------|---------------|-------------|-------|
| 2025-12-14 | 2025.12.0 | 6 | 100% | Baseline established |
| — | — | — | — | — |
### 5.2 Historical Parity Tracking
```sql
-- Query for parity trend analysis
SELECT
date_trunc('week', report_date) AS week,
AVG(parity_rate) AS avg_parity,
MIN(parity_rate) AS min_parity,
COUNT(*) AS test_runs
FROM parity_reports
WHERE report_date >= NOW() - INTERVAL '90 days'
GROUP BY 1
ORDER BY 1 DESC;
```
### 5.3 Parity Database Schema
```sql
CREATE TABLE scanner.parity_reports (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
report_date TIMESTAMPTZ NOT NULL,
bundle_version TEXT NOT NULL,
bundle_digest TEXT NOT NULL,
total_images INT NOT NULL,
passed_images INT NOT NULL,
failed_images INT NOT NULL,
parity_rate NUMERIC(5,4) NOT NULL,
results JSONB NOT NULL,
ci_run_id TEXT,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX idx_parity_reports_date ON scanner.parity_reports(report_date DESC);
CREATE INDEX idx_parity_reports_bundle ON scanner.parity_reports(bundle_version);
```
---
## 6. KNOWN LIMITATIONS
### 6.1 Acceptable Differences
| Scenario | Expected Behavior | Parity Impact |
|----------|-------------------|---------------|
| **EPSS scores** | Use bundled cache (may be stale) | None if cache bundled |
| **KEV status** | Use bundled snapshot | None if snapshot bundled |
| **Rekor entries** | Not created offline | Excluded from comparison |
| **Timestamp fields** | Differ by design | Excluded from comparison |
| **Network-only advisories** | Not available offline | Feed drift (documented) |
### 6.2 Known Edge Cases
1. **Race conditions during bundle capture**: If feeds update during bundle export, connected scan may include newer data than bundle. Mitigation: Capture bundle first, then run connected scan.
2. **Clock drift**: Offline environments with drifted clocks may compute different freshness scores. Mitigation: Always use frozen timestamps from bundle.
3. **Locale differences**: String sorting may differ across locales. Mitigation: Force `LC_ALL=C` in both environments.
4. **Floating point rounding**: CVSS v4 MacroVector interpolation may have micro-differences. Mitigation: Use integer basis points throughout.
### 6.3 Out of Scope
The following are intentionally NOT covered by parity verification:
- Real-time threat intelligence (requires network)
- Live vulnerability disclosure (requires network)
- Transparency log inclusion proofs (requires Rekor)
- OIDC/Fulcio certificate chains (requires network)
---
## 7. TROUBLESHOOTING
### 7.1 Common Parity Failures
| Symptom | Likely Cause | Resolution |
|---------|--------------|------------|
| Different vulnerability counts | Feed version mismatch | Verify bundle digest matches |
| Different CVSS scores | CVSS v4 calculation issue | Check MacroVector lookup parity |
| Different severity labels | Threshold configuration | Compare policy bundles |
| Missing EPSS data | EPSS cache not bundled | Re-export with `--epss-cache` |
| Different component counts | SBOM generation variance | Check analyzer versions |
### 7.2 Debug Commands
```bash
# Compare feed versions
stellaops feeds version --connected
stellaops feeds version --offline --bundle ./bundle
# Compare policy digests
stellaops policy digest --connected
stellaops policy digest --offline --bundle ./bundle
# Detailed diff of findings
stellaops parity diff \
--connected connected-scan.json \
--offline offline-scan.json \
--verbose
```
---
## 8. METRICS AND MONITORING
### 8.1 Prometheus Metrics
```
# Parity verification metrics
parity_test_total{status="pass|fail"}
parity_test_duration_seconds (histogram)
parity_bundle_age_seconds (gauge)
parity_findings_diff_count (gauge)
```
### 8.2 Alerting Rules
```yaml
groups:
- name: offline-parity
rules:
- alert: ParityTestFailed
expr: parity_test_total{status="fail"} > 0
for: 0m
labels:
severity: critical
annotations:
summary: "Offline parity test failed"
- alert: ParityRateDegraded
expr: |
(sum(parity_test_total{status="pass"}) /
sum(parity_test_total)) < 0.95
for: 1h
labels:
severity: warning
annotations:
summary: "Parity rate below 95%"
```
---
## 9. REFERENCES
- [Offline Update Kit (OUK)](../24_OFFLINE_KIT.md)
- [Offline and Air-Gap Technical Reference](../product-advisories/14-Dec-2025%20-%20Offline%20and%20Air-Gap%20Technical%20Reference.md)
- [Determinism and Reproducibility Technical Reference](../product-advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md)
- [Determinism CI Harness](../modules/scanner/design/determinism-ci-harness.md)
- [Performance Baselines](../benchmarks/performance-baselines.md)
---
**Document Version**: 1.0
**Target Platform**: .NET 10, PostgreSQL >=16

415
docs/airgap/proof-chain-verification.md Normal file
View File

@@ -0,0 +1,415 @@
# Proof Chain Verification in Air-Gap Mode
> **Version**: 1.0.0
> **Last Updated**: 2025-12-17
> **Related**: [Proof Chain API](../api/proofs.md), [Key Rotation Runbook](../operations/key-rotation-runbook.md)
This document describes how to verify proof chains in air-gapped (offline) environments where Rekor transparency log access is unavailable.
---
## Overview
Proof chains in StellaOps consist of cryptographically-linked attestations:
1. **Evidence statements** - Raw vulnerability findings
2. **Reasoning statements** - Policy evaluation traces
3. **VEX verdict statements** - Final vulnerability status determinations
4. **Proof spine** - Merkle tree aggregating all components
In online mode, proof chains include Rekor inclusion proofs for transparency. In air-gap mode, verification proceeds without Rekor but maintains cryptographic integrity.
---
## Verification Levels
### Level 1: Content-Addressed ID Verification
Verifies that content-addressed IDs match payload hashes.
```bash
# Verify a proof bundle ID
stellaops proof verify --offline \
--proof-bundle sha256:1a2b3c4d... \
--level content-id
# Expected output:
# ✓ Content-addressed ID verified
# ✓ Payload hash: sha256:1a2b3c4d...
```
### Level 2: DSSE Signature Verification
Verifies DSSE envelope signatures against trust anchors.
```bash
# Verify signatures with local trust anchors
stellaops proof verify --offline \
--proof-bundle sha256:1a2b3c4d... \
--anchor-file /path/to/trust-anchors.json \
--level signature
# Expected output:
# ✓ DSSE signature valid
# ✓ Signer: key-2025-prod
# ✓ Trust anchor: 550e8400-e29b-41d4-a716-446655440000
```
### Level 3: Merkle Path Verification
Verifies the proof spine merkle tree structure.
```bash
# Verify merkle paths
stellaops proof verify --offline \
--proof-bundle sha256:1a2b3c4d... \
--level merkle
# Expected output:
# ✓ Merkle root verified
# ✓ Evidence paths: 3/3 valid
# ✓ Reasoning path: valid
# ✓ VEX verdict path: valid
```
### Level 4: Full Verification (Offline)
Performs all verification steps except Rekor.
```bash
# Full offline verification
stellaops proof verify --offline \
--proof-bundle sha256:1a2b3c4d... \
--anchor-file /path/to/trust-anchors.json
# Expected output:
# Proof Chain Verification
# ═══════════════════════
# ✓ Content-addressed IDs verified
# ✓ DSSE signatures verified (3 envelopes)
# ✓ Merkle paths verified
# ⊘ Rekor verification skipped (offline mode)
#
# Overall: VERIFIED (offline)
```
---
## Trust Anchor Distribution
In air-gap environments, trust anchors must be distributed out-of-band.
### Export Trust Anchors
```bash
# On the online system, export trust anchors
stellaops anchor export --format json > trust-anchors.json
# Verify export integrity
sha256sum trust-anchors.json > trust-anchors.sha256
```
### Trust Anchor File Format
```json
{
"version": "1.0",
"exportedAt": "2025-12-17T00:00:00Z",
"anchors": [
{
"trustAnchorId": "550e8400-e29b-41d4-a716-446655440000",
"purlPattern": "pkg:*",
"allowedKeyids": ["key-2024-prod", "key-2025-prod"],
"allowedPredicateTypes": [
"evidence.stella/v1",
"reasoning.stella/v1",
"cdx-vex.stella/v1",
"proofspine.stella/v1"
],
"revokedKeys": ["key-2023-prod"],
"keyMaterial": {
"key-2024-prod": {
"algorithm": "ECDSA-P256",
"publicKey": "-----BEGIN PUBLIC KEY-----\n..."
},
"key-2025-prod": {
"algorithm": "ECDSA-P256",
"publicKey": "-----BEGIN PUBLIC KEY-----\n..."
}
}
}
]
}
```
### Import Trust Anchors
```bash
# On the air-gapped system
stellaops anchor import --file trust-anchors.json
# Verify import
stellaops anchor list
```
---
## Proof Bundle Distribution
### Export Proof Bundles
```bash
# Export a proof bundle for offline transfer
stellaops proof export \
--entry sha256:abc123:pkg:npm/lodash@4.17.21 \
--output proof-bundle.zip
# Bundle contents:
# proof-bundle.zip
# ├── proof-spine.json # The proof spine
# ├── evidence/ # Evidence statements
# │ ├── sha256_e1.json
# │ └── sha256_e2.json
# ├── reasoning.json # Reasoning statement
# ├── vex-verdict.json # VEX verdict statement
# ├── envelopes/ # DSSE envelopes
# │ ├── evidence-e1.dsse
# │ ├── evidence-e2.dsse
# │ ├── reasoning.dsse
# │ ├── vex-verdict.dsse
# │ └── proof-spine.dsse
# └── VERIFY.md # Verification instructions
```
### Verify Exported Bundle
```bash
# On the air-gapped system
stellaops proof verify --offline \
--bundle-file proof-bundle.zip \
--anchor-file trust-anchors.json
```
---
## Batch Verification
For audits, verify multiple proof bundles efficiently:
```bash
# Create a verification manifest
cat > verify-manifest.json << 'EOF'
{
"bundles": [
"sha256:1a2b3c4d...",
"sha256:5e6f7g8h...",
"sha256:9i0j1k2l..."
],
"options": {
"checkRekor": false,
"failFast": false
}
}
EOF
# Run batch verification
stellaops proof verify-batch \
--manifest verify-manifest.json \
--anchor-file trust-anchors.json \
--output verification-report.json
```
### Verification Report Format
```json
{
"verifiedAt": "2025-12-17T10:00:00Z",
"mode": "offline",
"anchorsUsed": ["550e8400..."],
"results": [
{
"proofBundleId": "sha256:1a2b3c4d...",
"verified": true,
"checks": {
"contentId": true,
"signature": true,
"merklePath": true,
"rekorInclusion": null
}
}
],
"summary": {
"total": 3,
"verified": 3,
"failed": 0,
"skipped": 0
}
}
```
---
## Key Rotation in Air-Gap Mode
When keys are rotated, trust anchor updates must be distributed:
### 1. Export Updated Anchors
```bash
# On online system after key rotation
stellaops anchor export --since 2025-01-01 > anchor-update.json
sha256sum anchor-update.json > anchor-update.sha256
```
### 2. Verify and Import Update
```bash
# On air-gapped system
sha256sum -c anchor-update.sha256
stellaops anchor import --file anchor-update.json --merge
# Verify key history
stellaops anchor show --anchor-id 550e8400... --show-history
```
### 3. Temporal Verification
When verifying old proofs after key rotation:
```bash
# Verify proof signed with now-revoked key
stellaops proof verify --offline \
--proof-bundle sha256:old-proof... \
--anchor-file trust-anchors.json \
--at-time "2024-06-15T12:00:00Z"
# The verification uses key validity at the specified time
```
---
## Manual Verification (No CLI)
For environments without the StellaOps CLI, manual verification is possible:
### 1. Verify Content-Addressed ID
```bash
# Extract payload from DSSE envelope
jq -r '.payload' proof-spine.dsse | base64 -d > payload.json
# Compute hash
sha256sum payload.json
# Compare with proof bundle ID
```
### 2. Verify DSSE Signature
```python
#!/usr/bin/env python3
import json
import base64
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import load_pem_public_key
def verify_dsse(envelope_path, public_key_pem):
"""Verify a DSSE envelope signature."""
with open(envelope_path) as f:
envelope = json.load(f)
payload_type = envelope['payloadType']
payload = base64.b64decode(envelope['payload'])
# Build PAE (Pre-Authentication Encoding)
pae = f"DSSEv1 {len(payload_type)} {payload_type} {len(payload)} ".encode() + payload
public_key = load_pem_public_key(public_key_pem.encode())
for sig in envelope['signatures']:
signature = base64.b64decode(sig['sig'])
try:
public_key.verify(signature, pae, ec.ECDSA(hashes.SHA256()))
print(f"✓ Signature valid for keyid: {sig['keyid']}")
return True
except Exception as e:
print(f"✗ Signature invalid: {e}")
return False
```
### 3. Verify Merkle Path
```python
#!/usr/bin/env python3
import json
import hashlib
def verify_merkle_path(leaf_hash, path, root_hash, leaf_index):
"""Verify a Merkle inclusion path."""
current = bytes.fromhex(leaf_hash)
index = leaf_index
for sibling in path:
sibling_bytes = bytes.fromhex(sibling)
if index % 2 == 0:
# Current is left child
combined = current + sibling_bytes
else:
# Current is right child
combined = sibling_bytes + current
current = hashlib.sha256(combined).digest()
index //= 2
computed_root = current.hex()
if computed_root == root_hash:
print("✓ Merkle path verified")
return True
else:
print(f"✗ Merkle root mismatch: {computed_root} != {root_hash}")
return False
```
---
## Exit Codes
Offline verification uses the same exit codes as online:
| Code | Meaning | CI/CD Action |
|------|---------|--------------|
| 0 | Verification passed | Proceed |
| 1 | Verification failed | Block |
| 2 | System error | Retry/investigate |
---
## Troubleshooting
### Missing Trust Anchor
```
Error: No trust anchor found for keyid "key-2025-prod"
```
**Solution**: Import updated trust anchors from online system.
### Key Not Valid at Time
```
Error: Key "key-2024-prod" was revoked at 2024-12-01, before proof signature at 2025-01-15
```
**Solution**: This indicates the proof was signed after key revocation. Investigate the signature timestamp.
### Merkle Path Invalid
```
Error: Merkle path verification failed for evidence sha256:e1...
```
**Solution**: The proof bundle may be corrupted. Re-export from online system.
---
## Related Documentation
- [Proof Chain API Reference](../api/proofs.md)
- [Key Rotation Runbook](../operations/key-rotation-runbook.md)
- [Portable Evidence Bundle Verification](portable-evidence-bundle-verification.md)
- [Offline Bundle Format](offline-bundle-format.md)

39
docs/airgap/runbooks/quarantine-investigation.md Normal file
View File

@@ -0,0 +1,39 @@
# AirGap Quarantine Investigation Runbook
## Purpose
Quarantine preserves failed bundle imports for offline forensic analysis. It keeps the original bundle and the verification context (reason + logs) so operators can diagnose tampering, trust-root drift, or packaging issues without re-running in an online environment.
## Location & Structure
Default root: `/updates/quarantine`
Per-tenant layout:
`/updates/quarantine/<tenantId>/<timestamp>-<reason>-<id>/`
Removal staging:
`/updates/quarantine/<tenantId>/.removed/<quarantineId>/`
## Files in a quarantine entry
- `bundle.tar.zst` - the original bundle as provided
- `manifest.json` - bundle manifest (when available)
- `verification.log` - validation step output (TUF/DSSE/Merkle/rotation/monotonicity, etc.)
- `failure-reason.txt` - human-readable failure summary (reason + timestamp + metadata)
- `quarantine.json` - structured metadata for listing/automation
## Investigation steps (offline)
1. Identify the tenant and locate the quarantine root on the importer host.
2. Pick the newest quarantine entry for the tenant (timestamp prefix).
3. Read `failure-reason.txt` first to capture the top-level reason and metadata.
4. Review `verification.log` for the precise failing step.
5. If needed, extract and inspect `bundle.tar.zst` in an isolated workspace (no network).
6. Decide whether the entry should be retained (for audit) or removed after investigation.
## Removal & Retention
- Removal requires a human-provided reason (audit trail). Implementations should use the quarantine services remove operation which moves entries under `.removed/`.
- Retention and quota controls are configured via `AirGap:Quarantine` settings (root, TTL, max size); TTL cleanup can remove entries older than the retention period.
## Common failure categories
- `tuf:*` - invalid/expired metadata or snapshot hash mismatch
- `dsse:*` - signature invalid or trust root mismatch
- `merkle-*` - payload entry set invalid or empty
- `rotation:*` - root rotation policy failure (dual approval, no-op rotation, etc.)
- `version-non-monotonic:*` - rollback prevention triggered (force activation requires a justification)

287
docs/airgap/smart-diff-airgap-workflows.md Normal file
View File

@@ -0,0 +1,287 @@
# Smart-Diff Air-Gap Workflows
**Sprint:** SPRINT_3500_0001_0001
**Task:** SDIFF-MASTER-0006 - Document air-gap workflows for smart-diff
## Overview
Smart-Diff can operate in fully air-gapped environments using offline bundles. This document describes the workflows for running smart-diff analysis without network connectivity.
## Prerequisites
1. **Offline Kit** - Downloaded and verified (`stellaops offline kit download`)
2. **Feed Snapshots** - Pre-staged vulnerability feeds
3. **SBOM Cache** - Pre-generated SBOMs for target artifacts
## Workflow 1: Offline Smart-Diff Analysis
### Step 1: Prepare Offline Bundle
On a connected machine:
```bash
# Download offline kit with feeds
stellaops offline kit download \
--output /path/to/offline-bundle \
--include-feeds nvd,osv,epss \
--feed-date 2025-01-15
# Include SBOMs for known artifacts
stellaops offline sbom generate \
--artifact registry.example.com/app:v1 \
--artifact registry.example.com/app:v2 \
--output /path/to/offline-bundle/sboms
# Package for transfer
stellaops offline kit package \
--input /path/to/offline-bundle \
--output stellaops-offline-2025-01-15.tar.gz \
--sign
```
### Step 2: Transfer to Air-Gapped Environment
Transfer the bundle using approved media:
- USB drive (scanned and approved)
- Optical media (DVD/Blu-ray)
- Data diode
### Step 3: Import Bundle
On the air-gapped machine:
```bash
# Verify bundle signature
stellaops offline kit verify \
--input stellaops-offline-2025-01-15.tar.gz \
--public-key /path/to/signing-key.pub
# Extract and configure
stellaops offline kit import \
--input stellaops-offline-2025-01-15.tar.gz \
--data-dir /opt/stellaops/data
```
### Step 4: Run Smart-Diff
```bash
# Set offline mode
export STELLAOPS_OFFLINE=true
export STELLAOPS_DATA_DIR=/opt/stellaops/data
# Run smart-diff
stellaops smart-diff \
--base sbom:app-v1.json \
--target sbom:app-v2.json \
--output smart-diff-report.json
```
## Workflow 2: Pre-Computed Smart-Diff Export
For environments where even running analysis tools is restricted.
### Step 1: Prepare Artifacts (Connected Machine)
```bash
# Generate SBOMs
stellaops sbom generate --artifact app:v1 --output app-v1-sbom.json
stellaops sbom generate --artifact app:v2 --output app-v2-sbom.json
# Run smart-diff with full proof bundle
stellaops smart-diff \
--base app-v1-sbom.json \
--target app-v2-sbom.json \
--output-dir ./smart-diff-export \
--include-proofs \
--include-evidence \
--format bundle
```
### Step 2: Verify Export Contents
The export bundle contains:
```
smart-diff-export/
├── manifest.json # Signed manifest
├── base-sbom.json # Base SBOM (hash verified)
├── target-sbom.json # Target SBOM (hash verified)
├── diff-results.json # Smart-diff findings
├── sarif-report.json # SARIF formatted output
├── proofs/
│ ├── ledger.json # Proof ledger
│ └── nodes/ # Individual proof nodes
├── evidence/
│ ├── reachability.json # Reachability evidence
│ ├── vex-statements.json # VEX statements
│ └── hardening.json # Binary hardening data
└── signature.dsse # DSSE envelope
```
### Step 3: Import and Verify (Air-Gapped Machine)
```bash
# Verify bundle integrity
stellaops verify-bundle \
--input smart-diff-export \
--public-key /path/to/trusted-key.pub
# View results
stellaops smart-diff show \
--bundle smart-diff-export \
--format table
```
## Workflow 3: Incremental Feed Updates
### Step 1: Generate Delta Feed
On connected machine:
```bash
# Generate delta since last sync
stellaops offline feed delta \
--since 2025-01-10 \
--output feed-delta-2025-01-15.tar.gz \
--sign
```
### Step 2: Apply Delta (Air-Gapped)
```bash
# Import delta
stellaops offline feed apply \
--input feed-delta-2025-01-15.tar.gz \
--verify
# Trigger score replay for affected scans
stellaops score replay-all \
--trigger feed-update \
--dry-run
```
## Configuration
### Environment Variables
| Variable | Description | Default |
|----------|-------------|---------|
| `STELLAOPS_OFFLINE` | Enable offline mode | `false` |
| `STELLAOPS_DATA_DIR` | Local data directory | `~/.stellaops` |
| `STELLAOPS_FEED_DIR` | Feed snapshot directory | `$DATA_DIR/feeds` |
| `STELLAOPS_SBOM_CACHE` | SBOM cache directory | `$DATA_DIR/sboms` |
| `STELLAOPS_SKIP_NETWORK` | Block network requests | `false` |
| `STELLAOPS_REQUIRE_SIGNATURES` | Require signed data | `true` |
### Config File
```yaml
# ~/.stellaops/config.yaml
offline:
enabled: true
data_dir: /opt/stellaops/data
require_signatures: true
feeds:
source: local
path: /opt/stellaops/data/feeds
sbom:
cache_dir: /opt/stellaops/data/sboms
network:
allow_list: [] # Empty = no network
```
## Verification
### Verify Feed Freshness
```bash
# Check feed dates
stellaops offline status
# Output:
# Feed Status (Offline Mode)
# ─────────────────────────────
# NVD: 2025-01-15 (2 days old)
# OSV: 2025-01-15 (2 days old)
# EPSS: 2025-01-14 (3 days old)
# KEV: 2025-01-15 (2 days old)
```
### Verify Proof Integrity
```bash
# Verify smart-diff proofs
stellaops smart-diff verify \
--input smart-diff-report.json \
--proof-bundle ./proofs
# Output:
# ✓ Manifest hash verified
# ✓ All proof nodes valid
# ✓ Root hash matches: sha256:abc123...
```
## Determinism Guarantees
Offline smart-diff maintains determinism by:
1. **Content-addressed feeds** - Same feed hash = same results
2. **Frozen timestamps** - All timestamps use manifest creation time
3. **No network randomness** - No external API calls
4. **Stable sorting** - Deterministic output ordering
### Reproducibility Test
```bash
# Run twice and compare
stellaops smart-diff --base a.json --target b.json --output run1.json
stellaops smart-diff --base a.json --target b.json --output run2.json
# Compare hashes
sha256sum run1.json run2.json
# abc123... run1.json
# abc123... run2.json (identical)
```
## Troubleshooting
### Error: Feed not found
```
Error: Feed 'nvd' not found in offline data directory
```
**Solution:** Ensure feed was included in offline kit:
```bash
stellaops offline kit status
ls $STELLAOPS_FEED_DIR/nvd/
```
### Error: Network request blocked
```
Error: Network request blocked in offline mode: api.osv.dev
```
**Solution:** This is expected behavior. Ensure all required data is in offline bundle.
### Error: Signature verification failed
```
Error: Bundle signature verification failed
```
**Solution:** Ensure correct public key is configured:
```bash
stellaops offline kit verify \
--input bundle.tar.gz \
--public-key /path/to/correct-key.pub
```
## Related Documentation
- [Offline Kit Guide](../10_OFFLINE_KIT.md)
- [Determinism Requirements](../product-advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md)
- [Smart-Diff API](../api/scanner-api.md)

366
docs/airgap/triage-airgap-workflows.md Normal file
View File

@@ -0,0 +1,366 @@
# Triage Air-Gap Workflows
**Sprint:** SPRINT_3600_0001_0001
**Task:** TRI-MASTER-0006 - Document air-gap triage workflows
## Overview
This document describes how to perform vulnerability triage in fully air-gapped environments. The triage workflow supports offline evidence bundles, decision capture, and replay token generation.
## Workflow 1: Offline Triage with Evidence Bundles
### Step 1: Export Evidence Bundle (Connected Machine)
```bash
# Export triage bundle for specific findings
stellaops triage export \
--scan-id scan-12345678 \
--findings CVE-2024-1234,CVE-2024-5678 \
--include-evidence \
--include-graph \
--output triage-bundle.stella.bundle.tgz
# Export entire scan for offline review
stellaops triage export \
--scan-id scan-12345678 \
--all-findings \
--output full-triage-bundle.stella.bundle.tgz
```
### Step 2: Bundle Contents
The `.stella.bundle.tgz` archive contains:
```
triage-bundle.stella.bundle.tgz/
├── manifest.json # Signed bundle manifest
├── findings/
│ ├── index.json # Finding list with IDs
│ ├── CVE-2024-1234.json # Finding details
│ └── CVE-2024-5678.json
├── evidence/
│ ├── reachability/ # Reachability proofs
│ ├── callstack/ # Call stack snippets
│ ├── vex/ # VEX/CSAF statements
│ └── provenance/ # Provenance data
├── graph/
│ ├── nodes.ndjson # Dependency graph nodes
│ └── edges.ndjson # Graph edges
├── feeds/
│ └── snapshot.json # Feed snapshot metadata
└── signature.dsse # DSSE envelope
```
### Step 3: Transfer to Air-Gapped Environment
Transfer using approved methods:
- USB media (security scanned)
- Optical media
- Data diode
### Step 4: Import and Verify
On the air-gapped machine:
```bash
# Verify bundle integrity
stellaops triage verify-bundle \
--input triage-bundle.stella.bundle.tgz \
--public-key /path/to/signing-key.pub
# Import for offline triage
stellaops triage import \
--input triage-bundle.stella.bundle.tgz \
--workspace /opt/stellaops/triage
```
### Step 5: Perform Offline Triage
```bash
# List findings in bundle
stellaops triage list \
--workspace /opt/stellaops/triage
# View finding with evidence
stellaops triage show CVE-2024-1234 \
--workspace /opt/stellaops/triage \
--show-evidence
# Make triage decision
stellaops triage decide CVE-2024-1234 \
--workspace /opt/stellaops/triage \
--status not_affected \
--justification "Code path is unreachable due to config gating" \
--reviewer "security-team"
```
### Step 6: Export Decisions
```bash
# Export decisions for sync back
stellaops triage export-decisions \
--workspace /opt/stellaops/triage \
--output decisions-2025-01-15.json \
--sign
```
### Step 7: Sync Decisions (Connected Machine)
```bash
# Import and apply decisions
stellaops triage import-decisions \
--input decisions-2025-01-15.json \
--verify \
--apply
```
## Workflow 2: Batch Offline Triage
For high-volume environments.
### Step 1: Export Batch Bundle
```bash
# Export all untriaged findings
stellaops triage export-batch \
--query "status=untriaged AND priority>=0.7" \
--limit 100 \
--output batch-triage-2025-01-15.stella.bundle.tgz
```
### Step 2: Offline Batch Processing
```bash
# Interactive batch triage
stellaops triage batch \
--workspace /opt/stellaops/triage \
--input batch-triage-2025-01-15.stella.bundle.tgz
# Keyboard shortcuts enabled:
# j/k - Next/Previous finding
# a - Accept (affected)
# n - Not affected
# w - Will not fix
# f - False positive
# u - Undo last decision
# q - Quit (saves progress)
```
### Step 3: Export and Sync
```bash
# Export batch decisions
stellaops triage export-decisions \
--workspace /opt/stellaops/triage \
--format json \
--sign \
--output batch-decisions.json
```
## Workflow 3: Evidence-First Offline Review
### Step 1: Pre-compute Evidence
On connected machine:
```bash
# Generate evidence for all high-priority findings
stellaops evidence generate \
--scan-id scan-12345678 \
--priority-min 0.7 \
--output-dir ./evidence-pack
# Include:
# - Reachability analysis
# - Call stack traces
# - VEX lookups
# - Dependency graph snippets
```
### Step 2: Package with Findings
```bash
stellaops triage package \
--scan-id scan-12345678 \
--evidence-dir ./evidence-pack \
--output evidence-triage.stella.bundle.tgz
```
### Step 3: Offline Review with Evidence
```bash
# Evidence-first view
stellaops triage show CVE-2024-1234 \
--workspace /opt/stellaops/triage \
--evidence-first
# Output:
# ═══════════════════════════════════════════
# CVE-2024-1234 · lodash@4.17.20
# ═══════════════════════════════════════════
#
# EVIDENCE SUMMARY
# ────────────────
# Reachability: EXECUTED (tier 2/3)
# └─ main.js:42 → utils.js:15 → lodash/merge
#
# Call Stack:
# 1. main.js:42 handleRequest()
# 2. utils.js:15 mergeConfig()
# 3. lodash:merge <vulnerable>
#
# VEX Status: No statement found
# EPSS: 0.45 (Medium)
# KEV: No
#
# ─────────────────────────────────────────────
# Press [a]ffected, [n]ot affected, [s]kip...
```
## Configuration
### Environment Variables
| Variable | Description | Default |
|----------|-------------|---------|
| `STELLAOPS_OFFLINE` | Enable offline mode | `false` |
| `STELLAOPS_TRIAGE_WORKSPACE` | Triage workspace path | `~/.stellaops/triage` |
| `STELLAOPS_BUNDLE_VERIFY` | Verify bundle signatures | `true` |
| `STELLAOPS_DECISION_SIGN` | Sign exported decisions | `true` |
### Config File
```yaml
# ~/.stellaops/triage.yaml
offline:
enabled: true
workspace: /opt/stellaops/triage
bundle_verify: true
decisions:
require_justification: true
sign_exports: true
keyboard:
enabled: true
vim_mode: true
```
## Bundle Format Specification
### manifest.json
```json
{
"version": "1.0",
"type": "triage-bundle",
"created_at": "2025-01-15T10:00:00Z",
"scan_id": "scan-12345678",
"finding_count": 25,
"feed_snapshot": "sha256:abc123...",
"graph_revision": "sha256:def456...",
"signatures": {
"manifest": "sha256:ghi789...",
"dsse_envelope": "signature.dsse"
}
}
```
### Decision Format
```json
{
"finding_id": "finding-12345678",
"vuln_key": "CVE-2024-1234:pkg:npm/lodash@4.17.20",
"status": "not_affected",
"justification": "Code path gated by feature flag",
"reviewer": "security-team",
"decided_at": "2025-01-15T14:30:00Z",
"replay_token": "rt_abc123...",
"evidence_refs": [
"evidence/reachability/CVE-2024-1234.json"
]
}
```
## Replay Tokens
Each decision generates a replay token for audit trail:
```bash
# View replay token
stellaops triage show-token rt_abc123...
# Output:
# Replay Token: rt_abc123...
# ─────────────────────────────
# Finding: CVE-2024-1234
# Decision: not_affected
# Evidence Hash: sha256:xyz789...
# Feed Snapshot: sha256:abc123...
# Decided: 2025-01-15T14:30:00Z
# Reviewer: security-team
```
### Verify Token
```bash
stellaops triage verify-token rt_abc123... \
--public-key /path/to/key.pub
# ✓ Token signature valid
# ✓ Evidence hash matches
# ✓ Feed snapshot verified
```
## Troubleshooting
### Error: Bundle signature invalid
```
Error: Bundle signature verification failed
```
**Solution:** Ensure the correct public key is used:
```bash
stellaops triage verify-bundle \
--input bundle.tgz \
--public-key /path/to/correct-key.pub \
--verbose
```
### Error: Evidence not found
```
Error: Evidence for CVE-2024-1234 not included in bundle
```
**Solution:** Re-export with evidence:
```bash
stellaops triage export \
--scan-id scan-12345678 \
--findings CVE-2024-1234 \
--include-evidence \
--output bundle.tgz
```
### Error: Decision sync conflict
```
Error: Finding CVE-2024-1234 has newer decision on server
```
**Solution:** Review and resolve:
```bash
stellaops triage import-decisions \
--input decisions.json \
--conflict-mode review
# Options: keep-local, keep-server, newest, review
```
## Related Documentation
- [Offline Kit Guide](../10_OFFLINE_KIT.md)
- [Triage API Reference](../api/triage-api.md)
- [Keyboard Shortcuts](../ui/keyboard-shortcuts.md)

2
docs/aoc/guard-library.md
View File

@@ -7,7 +7,7 @@
The Aggregation-Only Contract (AOC) guard library enforces the canonical ingestion The Aggregation-Only Contract (AOC) guard library enforces the canonical ingestion
rules described in `docs/ingestion/aggregation-only-contract.md`. Service owners rules described in `docs/ingestion/aggregation-only-contract.md`. Service owners
should use the guard whenever raw advisory or VEX payloads are accepted so that should use the guard whenever raw advisory or VEX payloads are accepted so that
forbidden fields are rejected long before they reach MongoDB. forbidden fields are rejected long before they reach PostgreSQL.
## Packages ## Packages

434
docs/api/evidence-decision-api.openapi.yaml Normal file
View File

@@ -0,0 +1,434 @@
openapi: 3.1.0
info:
title: StellaOps Evidence & Decision API
description: |
REST API for evidence retrieval and decision recording.
Sprint: SPRINT_3602_0001_0001
version: 1.0.0
license:
name: AGPL-3.0-or-later
url: https://www.gnu.org/licenses/agpl-3.0.html
servers:
- url: /v1
description: API v1
security:
- bearerAuth: []
paths:
/alerts:
get:
operationId: listAlerts
summary: List alerts with filtering and pagination
tags:
- Alerts
parameters:
- name: band
in: query
schema:
type: string
enum: [critical, high, medium, low, info]
- name: severity
in: query
schema:
type: string
- name: status
in: query
schema:
type: string
enum: [open, acknowledged, resolved, suppressed]
- name: artifactId
in: query
schema:
type: string
- name: vulnId
in: query
schema:
type: string
- name: componentPurl
in: query
schema:
type: string
- name: limit
in: query
schema:
type: integer
default: 50
maximum: 500
- name: offset
in: query
schema:
type: integer
default: 0
responses:
'200':
description: Alert list
content:
application/json:
schema:
$ref: '#/components/schemas/AlertListResponse'
'400':
$ref: '#/components/responses/BadRequest'
'401':
$ref: '#/components/responses/Unauthorized'
/alerts/{alertId}:
get:
operationId: getAlert
summary: Get alert details
tags:
- Alerts
parameters:
- $ref: '#/components/parameters/alertId'
responses:
'200':
description: Alert details
content:
application/json:
schema:
$ref: '#/components/schemas/AlertSummary'
'404':
$ref: '#/components/responses/NotFound'
/alerts/{alertId}/evidence:
get:
operationId: getAlertEvidence
summary: Get evidence bundle for an alert
tags:
- Evidence
parameters:
- $ref: '#/components/parameters/alertId'
responses:
'200':
description: Evidence payload
content:
application/json:
schema:
$ref: '#/components/schemas/EvidencePayloadResponse'
'404':
$ref: '#/components/responses/NotFound'
/alerts/{alertId}/decisions:
post:
operationId: recordDecision
summary: Record a decision for an alert
tags:
- Decisions
parameters:
- $ref: '#/components/parameters/alertId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/DecisionRequest'
responses:
'201':
description: Decision recorded
content:
application/json:
schema:
$ref: '#/components/schemas/DecisionResponse'
'404':
$ref: '#/components/responses/NotFound'
'400':
$ref: '#/components/responses/BadRequest'
/alerts/{alertId}/audit:
get:
operationId: getAlertAudit
summary: Get audit timeline for an alert
tags:
- Audit
parameters:
- $ref: '#/components/parameters/alertId'
responses:
'200':
description: Audit timeline
content:
application/json:
schema:
$ref: '#/components/schemas/AuditTimelineResponse'
'404':
$ref: '#/components/responses/NotFound'
/alerts/{alertId}/bundle:
get:
operationId: downloadAlertBundle
summary: Download evidence bundle as tar.gz
tags:
- Bundles
parameters:
- $ref: '#/components/parameters/alertId'
responses:
'200':
description: Evidence bundle file
content:
application/gzip:
schema:
type: string
format: binary
'404':
$ref: '#/components/responses/NotFound'
/alerts/{alertId}/bundle/verify:
post:
operationId: verifyAlertBundle
summary: Verify evidence bundle integrity
tags:
- Bundles
parameters:
- $ref: '#/components/parameters/alertId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/BundleVerificationRequest'
responses:
'200':
description: Verification result
content:
application/json:
schema:
$ref: '#/components/schemas/BundleVerificationResponse'
'404':
$ref: '#/components/responses/NotFound'
components:
securitySchemes:
bearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
parameters:
alertId:
name: alertId
in: path
required: true
schema:
type: string
description: Alert identifier
responses:
BadRequest:
description: Bad request
content:
application/problem+json:
schema:
$ref: '#/components/schemas/ProblemDetails'
Unauthorized:
description: Unauthorized
NotFound:
description: Resource not found
schemas:
AlertListResponse:
type: object
required:
- items
- total_count
properties:
items:
type: array
items:
$ref: '#/components/schemas/AlertSummary'
total_count:
type: integer
next_page_token:
type: string
AlertSummary:
type: object
required:
- alert_id
- artifact_id
- vuln_id
- severity
- band
- status
- created_at
properties:
alert_id:
type: string
artifact_id:
type: string
vuln_id:
type: string
component_purl:
type: string
severity:
type: string
band:
type: string
enum: [critical, high, medium, low, info]
status:
type: string
enum: [open, acknowledged, resolved, suppressed]
score:
type: number
format: double
created_at:
type: string
format: date-time
updated_at:
type: string
format: date-time
decision_count:
type: integer
EvidencePayloadResponse:
type: object
required:
- alert_id
properties:
alert_id:
type: string
reachability:
$ref: '#/components/schemas/EvidenceSection'
callstack:
$ref: '#/components/schemas/EvidenceSection'
vex:
$ref: '#/components/schemas/EvidenceSection'
EvidenceSection:
type: object
properties:
data:
type: object
hash:
type: string
source:
type: string
DecisionRequest:
type: object
required:
- decision
- rationale
properties:
decision:
type: string
enum: [accept_risk, mitigate, suppress, escalate]
rationale:
type: string
minLength: 10
maxLength: 2000
justification_code:
type: string
metadata:
type: object
DecisionResponse:
type: object
required:
- decision_id
- alert_id
- decision
- recorded_at
properties:
decision_id:
type: string
alert_id:
type: string
decision:
type: string
rationale:
type: string
recorded_at:
type: string
format: date-time
recorded_by:
type: string
replay_token:
type: string
AuditTimelineResponse:
type: object
required:
- alert_id
- events
- total_count
properties:
alert_id:
type: string
events:
type: array
items:
$ref: '#/components/schemas/AuditEvent'
total_count:
type: integer
AuditEvent:
type: object
required:
- event_id
- event_type
- timestamp
properties:
event_id:
type: string
event_type:
type: string
timestamp:
type: string
format: date-time
actor:
type: string
details:
type: object
replay_token:
type: string
BundleVerificationRequest:
type: object
required:
- bundle_hash
properties:
bundle_hash:
type: string
description: SHA-256 hash of the bundle
signature:
type: string
description: Optional DSSE signature
BundleVerificationResponse:
type: object
required:
- alert_id
- is_valid
- verified_at
properties:
alert_id:
type: string
is_valid:
type: boolean
verified_at:
type: string
format: date-time
signature_valid:
type: boolean
hash_valid:
type: boolean
chain_valid:
type: boolean
errors:
type: array
items:
type: string
ProblemDetails:
type: object
properties:
type:
type: string
title:
type: string
status:
type: integer
detail:
type: string
instance:
type: string

102
docs/api/orchestrator-first-signal.md Normal file
View File

@@ -0,0 +1,102 @@
# Orchestrator · First Signal API
Provides a fast “first meaningful signal” for a run (TTFS), with caching and ETag-based conditional requests.
## Endpoint
`GET /api/v1/orchestrator/runs/{runId}/first-signal`
### Required headers
- `X-Tenant-Id`: tenant identifier (string)
### Optional headers
- `If-None-Match`: weak ETag from a previous 200 response (supports multiple values)
## Responses
### 200 OK
Returns the first signal payload and a weak ETag.
Response headers:
- `ETag`: weak ETag (for `If-None-Match`)
- `Cache-Control: private, max-age=60`
- `Cache-Status: hit|miss`
- `X-FirstSignal-Source: snapshot|cold_start` (best-effort diagnostics)
Body (`application/json`):
```json
{
"runId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"firstSignal": {
"type": "started",
"stage": "unknown",
"step": null,
"message": "Run started",
"at": "2025-12-15T12:00:10+00:00",
"artifact": { "kind": "run", "range": null }
},
"summaryEtag": "W/\"...\""
}
```
### 204 No Content
Run exists but no signal is available yet (e.g., run has no jobs).
### 304 Not Modified
Returned when `If-None-Match` matches the current ETag.
### 404 Not Found
Run does not exist for the resolved tenant.
### 400 Bad Request
Missing/invalid tenant header or invalid parameters.
## ETag semantics
- Weak ETags are computed from a deterministic, canonical hash of the stable signal content.
- Per-request diagnostics (e.g., cache hit/miss) are intentionally excluded from the ETag material.
## Streaming (SSE)
The run stream emits `first_signal` events when the signal changes:
`GET /api/v1/orchestrator/stream/runs/{runId}`
Event type:
- `first_signal`
Payload shape:
```json
{
"runId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"etag": "W/\"...\"",
"signal": { "version": "1.0", "signalId": "...", "jobId": "...", "timestamp": "...", "kind": 1, "phase": 6, "scope": { "type": "run", "id": "..." }, "summary": "...", "etaSeconds": null, "lastKnownOutcome": null, "nextActions": null, "diagnostics": { "cacheHit": false, "source": "cold_start", "correlationId": "" } }
}
```
## Configuration
`appsettings.json`:
```json
{
"FirstSignal": {
"Cache": {
"Backend": "inmemory",
"TtlSeconds": 86400,
"SlidingExpiration": true,
"KeyPrefix": "orchestrator:first_signal:"
},
"ColdPath": {
"TimeoutMs": 3000
},
"SnapshotWriter": {
"Enabled": false,
"TenantId": null,
"PollIntervalSeconds": 10,
"MaxRunsPerTick": 50,
"LookbackMinutes": 60
}
},
"messaging": {
"transport": "inmemory"
}
}
```

622
docs/api/proofs-openapi.yaml Normal file
View File

@@ -0,0 +1,622 @@
openapi: 3.1.0
info:
title: StellaOps Proof Chain API
version: 1.0.0
description: |
API for proof chain operations including proof spine creation, verification receipts,
VEX attestations, and trust anchor management.
The proof chain provides cryptographic evidence linking SBOM entries to vulnerability
assessments through attestable DSSE envelopes.
license:
name: AGPL-3.0-or-later
url: https://www.gnu.org/licenses/agpl-3.0.html
servers:
- url: https://api.stellaops.dev/v1
description: Production API
- url: http://localhost:5000/v1
description: Local development
tags:
- name: Proofs
description: Proof spine and receipt operations
- name: Anchors
description: Trust anchor management
- name: Verify
description: Proof verification endpoints
paths:
/proofs/{entry}/spine:
post:
operationId: createProofSpine
summary: Create proof spine for SBOM entry
description: |
Assembles a merkle-rooted proof spine from evidence, reasoning, and VEX verdict
for an SBOM entry. Returns a content-addressed proof bundle ID.
tags: [Proofs]
security:
- bearerAuth: []
- mtls: []
parameters:
- name: entry
in: path
required: true
schema:
type: string
pattern: '^sha256:[a-f0-9]{64}:pkg:.+'
description: SBOMEntryID in format sha256:<hash>:pkg:<purl>
example: "sha256:abc123...def:pkg:npm/lodash@4.17.21"
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateSpineRequest'
responses:
'201':
description: Proof spine created successfully
content:
application/json:
schema:
$ref: '#/components/schemas/CreateSpineResponse'
'400':
$ref: '#/components/responses/BadRequest'
'404':
$ref: '#/components/responses/NotFound'
'422':
$ref: '#/components/responses/ValidationError'
get:
operationId: getProofSpine
summary: Get proof spine for SBOM entry
description: Retrieves the existing proof spine for an SBOM entry.
tags: [Proofs]
security:
- bearerAuth: []
parameters:
- name: entry
in: path
required: true
schema:
type: string
pattern: '^sha256:[a-f0-9]{64}:pkg:.+'
description: SBOMEntryID
responses:
'200':
description: Proof spine retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/ProofSpineDto'
'404':
$ref: '#/components/responses/NotFound'
/proofs/{entry}/receipt:
get:
operationId: getProofReceipt
summary: Get verification receipt
description: |
Retrieves a verification receipt for the SBOM entry's proof spine.
The receipt includes merkle proof paths and signature verification status.
tags: [Proofs]
security:
- bearerAuth: []
parameters:
- name: entry
in: path
required: true
schema:
type: string
pattern: '^sha256:[a-f0-9]{64}:pkg:.+'
description: SBOMEntryID
responses:
'200':
description: Verification receipt
content:
application/json:
schema:
$ref: '#/components/schemas/VerificationReceiptDto'
'404':
$ref: '#/components/responses/NotFound'
/proofs/{entry}/vex:
get:
operationId: getProofVex
summary: Get VEX attestation for entry
description: Retrieves the VEX verdict attestation for the SBOM entry.
tags: [Proofs]
security:
- bearerAuth: []
parameters:
- name: entry
in: path
required: true
schema:
type: string
pattern: '^sha256:[a-f0-9]{64}:pkg:.+'
description: SBOMEntryID
responses:
'200':
description: VEX attestation
content:
application/json:
schema:
$ref: '#/components/schemas/VexAttestationDto'
'404':
$ref: '#/components/responses/NotFound'
/anchors:
get:
operationId: listAnchors
summary: List trust anchors
description: Lists all configured trust anchors with their status.
tags: [Anchors]
security:
- bearerAuth: []
responses:
'200':
description: List of trust anchors
content:
application/json:
schema:
type: object
properties:
anchors:
type: array
items:
$ref: '#/components/schemas/TrustAnchorDto'
post:
operationId: createAnchor
summary: Create trust anchor
description: Creates a new trust anchor with the specified public key.
tags: [Anchors]
security:
- bearerAuth: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateAnchorRequest'
responses:
'201':
description: Trust anchor created
content:
application/json:
schema:
$ref: '#/components/schemas/TrustAnchorDto'
'400':
$ref: '#/components/responses/BadRequest'
'409':
description: Anchor already exists
/anchors/{anchorId}:
get:
operationId: getAnchor
summary: Get trust anchor
description: Retrieves a specific trust anchor by ID.
tags: [Anchors]
security:
- bearerAuth: []
parameters:
- name: anchorId
in: path
required: true
schema:
type: string
description: Trust anchor ID
responses:
'200':
description: Trust anchor details
content:
application/json:
schema:
$ref: '#/components/schemas/TrustAnchorDto'
'404':
$ref: '#/components/responses/NotFound'
delete:
operationId: deleteAnchor
summary: Delete trust anchor
description: Deletes a trust anchor (soft delete, marks as revoked).
tags: [Anchors]
security:
- bearerAuth: []
parameters:
- name: anchorId
in: path
required: true
schema:
type: string
description: Trust anchor ID
responses:
'204':
description: Anchor deleted
'404':
$ref: '#/components/responses/NotFound'
/verify:
post:
operationId: verifyProofBundle
summary: Verify proof bundle
description: |
Performs full verification of a proof bundle including:
- DSSE signature verification
- Content-addressed ID recomputation
- Merkle path verification
- Optional Rekor inclusion proof verification
tags: [Verify]
security:
- bearerAuth: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/VerifyRequest'
responses:
'200':
description: Verification result
content:
application/json:
schema:
$ref: '#/components/schemas/VerificationResultDto'
'400':
$ref: '#/components/responses/BadRequest'
/verify/batch:
post:
operationId: verifyBatch
summary: Verify multiple proof bundles
description: Performs batch verification of multiple proof bundles.
tags: [Verify]
security:
- bearerAuth: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- bundles
properties:
bundles:
type: array
items:
$ref: '#/components/schemas/VerifyRequest'
maxItems: 100
responses:
'200':
description: Batch verification results
content:
application/json:
schema:
type: object
properties:
results:
type: array
items:
$ref: '#/components/schemas/VerificationResultDto'
components:
securitySchemes:
bearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
description: Authority-issued OpToken
mtls:
type: mutualTLS
description: Mutual TLS with client certificate
schemas:
CreateSpineRequest:
type: object
required:
- evidenceIds
- reasoningId
- vexVerdictId
- policyVersion
properties:
evidenceIds:
type: array
description: Content-addressed IDs of evidence statements
items:
type: string
pattern: '^sha256:[a-f0-9]{64}$'
minItems: 1
example: ["sha256:e7f8a9b0c1d2..."]
reasoningId:
type: string
pattern: '^sha256:[a-f0-9]{64}$'
description: Content-addressed ID of reasoning statement
example: "sha256:f0e1d2c3b4a5..."
vexVerdictId:
type: string
pattern: '^sha256:[a-f0-9]{64}$'
description: Content-addressed ID of VEX verdict statement
example: "sha256:d4c5b6a7e8f9..."
policyVersion:
type: string
pattern: '^v[0-9]+\.[0-9]+\.[0-9]+$'
description: Version of the policy used
example: "v1.2.3"
CreateSpineResponse:
type: object
required:
- proofBundleId
properties:
proofBundleId:
type: string
pattern: '^sha256:[a-f0-9]{64}$'
description: Content-addressed ID of the created proof bundle (merkle root)
example: "sha256:1a2b3c4d5e6f..."
receiptUrl:
type: string
format: uri
description: URL to retrieve the verification receipt
example: "/proofs/sha256:abc:pkg:npm/lodash@4.17.21/receipt"
ProofSpineDto:
type: object
required:
- sbomEntryId
- proofBundleId
- evidenceIds
- reasoningId
- vexVerdictId
- policyVersion
- createdAt
properties:
sbomEntryId:
type: string
description: The SBOM entry this spine covers
proofBundleId:
type: string
description: Merkle root hash of the proof bundle
evidenceIds:
type: array
items:
type: string
description: Sorted list of evidence IDs
reasoningId:
type: string
description: Reasoning statement ID
vexVerdictId:
type: string
description: VEX verdict statement ID
policyVersion:
type: string
description: Policy version used
createdAt:
type: string
format: date-time
description: Creation timestamp (UTC ISO-8601)
VerificationReceiptDto:
type: object
required:
- graphRevisionId
- findingKey
- decision
- createdAt
- verified
properties:
graphRevisionId:
type: string
description: Graph revision ID this receipt was computed from
findingKey:
type: object
properties:
sbomEntryId:
type: string
vulnerabilityId:
type: string
rule:
type: object
properties:
id:
type: string
version:
type: string
decision:
type: object
properties:
verdict:
type: string
enum: [pass, fail, warn, skip]
severity:
type: string
reasoning:
type: string
createdAt:
type: string
format: date-time
verified:
type: boolean
description: Whether the receipt signature verified correctly
VexAttestationDto:
type: object
required:
- sbomEntryId
- vulnerabilityId
- status
- vexVerdictId
properties:
sbomEntryId:
type: string
vulnerabilityId:
type: string
status:
type: string
enum: [not_affected, affected, fixed, under_investigation]
justification:
type: string
policyVersion:
type: string
reasoningId:
type: string
vexVerdictId:
type: string
TrustAnchorDto:
type: object
required:
- id
- keyId
- algorithm
- status
- createdAt
properties:
id:
type: string
description: Unique anchor identifier
keyId:
type: string
description: Key identifier (fingerprint)
algorithm:
type: string
enum: [ECDSA-P256, Ed25519, RSA-2048, RSA-4096]
description: Signing algorithm
publicKey:
type: string
description: PEM-encoded public key
status:
type: string
enum: [active, revoked, expired]
createdAt:
type: string
format: date-time
revokedAt:
type: string
format: date-time
CreateAnchorRequest:
type: object
required:
- keyId
- algorithm
- publicKey
properties:
keyId:
type: string
description: Key identifier
algorithm:
type: string
enum: [ECDSA-P256, Ed25519, RSA-2048, RSA-4096]
publicKey:
type: string
description: PEM-encoded public key
VerifyRequest:
type: object
required:
- proofBundleId
properties:
proofBundleId:
type: string
pattern: '^sha256:[a-f0-9]{64}$'
description: The proof bundle ID to verify
checkRekor:
type: boolean
default: true
description: Whether to verify Rekor inclusion proofs
anchorIds:
type: array
items:
type: string
description: Specific trust anchors to use for verification
VerificationResultDto:
type: object
required:
- proofBundleId
- verified
- checks
properties:
proofBundleId:
type: string
verified:
type: boolean
description: Overall verification result
checks:
type: object
properties:
signatureValid:
type: boolean
description: DSSE signature verification passed
idRecomputed:
type: boolean
description: Content-addressed IDs recomputed correctly
merklePathValid:
type: boolean
description: Merkle path verification passed
rekorInclusionValid:
type: boolean
description: Rekor inclusion proof verified (if checked)
errors:
type: array
items:
type: string
description: Error messages if verification failed
verifiedAt:
type: string
format: date-time
responses:
BadRequest:
description: Invalid request
content:
application/problem+json:
schema:
type: object
properties:
title:
type: string
detail:
type: string
status:
type: integer
example: 400
NotFound:
description: Resource not found
content:
application/problem+json:
schema:
type: object
properties:
title:
type: string
detail:
type: string
status:
type: integer
example: 404
ValidationError:
description: Validation error
content:
application/problem+json:
schema:
type: object
properties:
title:
type: string
detail:
type: string
status:
type: integer
example: 422
errors:
type: object
additionalProperties:
type: array
items:
type: string

333
docs/api/proofs.md Normal file
View File

@@ -0,0 +1,333 @@
# Proof Chain API Reference
> **Version**: 1.0.0
> **OpenAPI Spec**: [`proofs-openapi.yaml`](./proofs-openapi.yaml)
The Proof Chain API provides endpoints for creating and verifying cryptographic proof bundles that link SBOM entries to vulnerability assessments through attestable DSSE envelopes.
---
## Overview
The proof chain creates an auditable, cryptographically-verifiable trail from vulnerability evidence through policy reasoning to VEX verdicts. Each component is signed with DSSE envelopes and aggregated into a merkle-rooted proof spine.
### Proof Chain Components
| Component | Predicate Type | Purpose |
|-----------|----------------|---------|
| **Evidence** | `evidence.stella/v1` | Raw findings from scanners/feeds |
| **Reasoning** | `reasoning.stella/v1` | Policy evaluation trace |
| **VEX Verdict** | `cdx-vex.stella/v1` | Final VEX status determination |
| **Proof Spine** | `proofspine.stella/v1` | Merkle aggregation of all components |
| **Verdict Receipt** | `verdict.stella/v1` | Human-readable verification receipt |
### Content-Addressed IDs
All proof chain components use content-addressed identifiers:
```
Format: sha256:<64-hex-chars>
Example: sha256:e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6...
```
IDs are computed by:
1. Canonicalizing the JSON payload (RFC 8785/JCS)
2. Computing SHA-256 hash
3. Prefixing with `sha256:`
---
## Authentication
All endpoints require authentication via:
- **Bearer Token**: Authority-issued OpToken with appropriate scopes
- **mTLS**: Mutual TLS with client certificate (service-to-service)
Required scopes:
- `proofs.read` - Read proof bundles and receipts
- `proofs.write` - Create proof spines
- `anchors.manage` - Manage trust anchors
- `proofs.verify` - Perform verification
---
## Endpoints
### Proofs
#### POST /proofs/{entry}/spine
Create a proof spine for an SBOM entry.
**Parameters:**
- `entry` (path, required): SBOMEntryID in format `sha256:<hash>:pkg:<purl>`
**Request Body:**
```json
{
"evidenceIds": ["sha256:e7f8a9b0..."],
"reasoningId": "sha256:f0e1d2c3...",
"vexVerdictId": "sha256:d4c5b6a7...",
"policyVersion": "v1.2.3"
}
```
**Response (201 Created):**
```json
{
"proofBundleId": "sha256:1a2b3c4d...",
"receiptUrl": "/proofs/sha256:abc:pkg:npm/lodash@4.17.21/receipt"
}
```
**Errors:**
- `400 Bad Request`: Invalid SBOM entry ID format
- `404 Not Found`: Evidence, reasoning, or VEX verdict not found
- `422 Unprocessable Entity`: Validation error
---
#### GET /proofs/{entry}/spine
Get the proof spine for an SBOM entry.
**Parameters:**
- `entry` (path, required): SBOMEntryID
**Response (200 OK):**
```json
{
"sbomEntryId": "sha256:abc123:pkg:npm/lodash@4.17.21",
"proofBundleId": "sha256:1a2b3c4d...",
"evidenceIds": ["sha256:e7f8a9b0..."],
"reasoningId": "sha256:f0e1d2c3...",
"vexVerdictId": "sha256:d4c5b6a7...",
"policyVersion": "v1.2.3",
"createdAt": "2025-12-17T10:00:00Z"
}
```
---
#### GET /proofs/{entry}/receipt
Get the verification receipt for an SBOM entry's proof spine.
**Response (200 OK):**
```json
{
"graphRevisionId": "grv_sha256:9f8e7d6c...",
"findingKey": {
"sbomEntryId": "sha256:abc123:pkg:npm/lodash@4.17.21",
"vulnerabilityId": "CVE-2025-1234"
},
"rule": {
"id": "critical-vuln-block",
"version": "v1.0.0"
},
"decision": {
"verdict": "pass",
"severity": "none",
"reasoning": "Not affected - vulnerable code not present"
},
"createdAt": "2025-12-17T10:00:00Z",
"verified": true
}
```
---
#### GET /proofs/{entry}/vex
Get the VEX attestation for an SBOM entry.
**Response (200 OK):**
```json
{
"sbomEntryId": "sha256:abc123:pkg:npm/lodash@4.17.21",
"vulnerabilityId": "CVE-2025-1234",
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"policyVersion": "v1.2.3",
"reasoningId": "sha256:f0e1d2c3...",
"vexVerdictId": "sha256:d4c5b6a7..."
}
```
---
### Trust Anchors
#### GET /anchors
List all configured trust anchors.
**Response (200 OK):**
```json
{
"anchors": [
{
"id": "anchor-001",
"keyId": "sha256:abc123...",
"algorithm": "ECDSA-P256",
"status": "active",
"createdAt": "2025-01-01T00:00:00Z"
}
]
}
```
---
#### POST /anchors
Create a new trust anchor.
**Request Body:**
```json
{
"keyId": "sha256:abc123...",
"algorithm": "ECDSA-P256",
"publicKey": "-----BEGIN PUBLIC KEY-----\n..."
}
```
**Response (201 Created):**
```json
{
"id": "anchor-002",
"keyId": "sha256:abc123...",
"algorithm": "ECDSA-P256",
"status": "active",
"createdAt": "2025-12-17T10:00:00Z"
}
```
---
#### DELETE /anchors/{anchorId}
Delete (revoke) a trust anchor.
**Response:** `204 No Content`
---
### Verification
#### POST /verify
Perform full verification of a proof bundle.
**Request Body:**
```json
{
"proofBundleId": "sha256:1a2b3c4d...",
"checkRekor": true,
"anchorIds": ["anchor-001"]
}
```
**Response (200 OK):**
```json
{
"proofBundleId": "sha256:1a2b3c4d...",
"verified": true,
"checks": {
"signatureValid": true,
"idRecomputed": true,
"merklePathValid": true,
"rekorInclusionValid": true
},
"errors": [],
"verifiedAt": "2025-12-17T10:00:00Z"
}
```
**Verification Steps:**
1. **Signature Verification**: Verify DSSE envelope signatures against trust anchors
2. **ID Recomputation**: Recompute content-addressed IDs and compare
3. **Merkle Path Verification**: Verify proof bundle merkle tree construction
4. **Rekor Inclusion**: Verify transparency log inclusion proof (if enabled)
---
#### POST /verify/batch
Verify multiple proof bundles in a single request.
**Request Body:**
```json
{
"bundles": [
{ "proofBundleId": "sha256:1a2b3c4d...", "checkRekor": true },
{ "proofBundleId": "sha256:5e6f7g8h...", "checkRekor": false }
]
}
```
**Response (200 OK):**
```json
{
"results": [
{ "proofBundleId": "sha256:1a2b3c4d...", "verified": true, "checks": {...} },
{ "proofBundleId": "sha256:5e6f7g8h...", "verified": false, "errors": ["..."] }
]
}
```
---
## Error Handling
All errors follow RFC 7807 Problem Details format:
```json
{
"title": "Validation Error",
"detail": "Evidence ID sha256:abc... not found",
"status": 422,
"errors": {
"evidenceIds[0]": ["Evidence not found"]
}
}
```
### Common Error Codes
| Status | Meaning |
|--------|---------|
| 400 | Invalid request format or parameters |
| 401 | Authentication required |
| 403 | Insufficient permissions |
| 404 | Resource not found |
| 409 | Conflict (e.g., anchor already exists) |
| 422 | Validation error |
| 500 | Internal server error |
---
## Offline Verification
For air-gapped environments, verification can be performed without Rekor:
```json
{
"proofBundleId": "sha256:1a2b3c4d...",
"checkRekor": false
}
```
This skips Rekor inclusion proof verification but still performs:
- DSSE signature verification
- Content-addressed ID recomputation
- Merkle path verification
---
## Related Documentation
- [Proof Chain Predicates](../modules/attestor/architecture.md#predicate-types) - DSSE predicate type specifications
- [Content-Addressed IDs](../modules/attestor/architecture.md#content-addressed-identifier-formats) - ID generation rules
- [Attestor Architecture](../modules/attestor/architecture.md) - Full attestor module documentation

682
docs/api/scanner-score-proofs-api.md Normal file
View File

@@ -0,0 +1,682 @@
# Scanner WebService API — Score Proofs & Reachability Extensions
**Version**: 2.0
**Base URL**: `/api/v1/scanner`
**Authentication**: Bearer token (OpTok with DPoP/mTLS)
**Sprint**: SPRINT_3500_0002_0003, SPRINT_3500_0003_0003
---
## Overview
This document specifies API extensions to `Scanner.WebService` for:
1. Scan manifests and deterministic replay
2. Proof bundles (score proofs + reachability evidence)
3. Call-graph ingestion and reachability analysis
4. Unknowns management
**Design Principles**:
- All endpoints return canonical JSON (deterministic serialization)
- Idempotency via `Content-Digest` headers (SHA-256)
- DSSE signatures returned for all proof artifacts
- Offline-first (bundles downloadable for air-gap verification)
---
## Endpoints
### 1. Create Scan with Manifest
**POST** `/api/v1/scanner/scans`
**Description**: Creates a new scan with deterministic manifest.
**Request Body**:
```json
{
"artifactDigest": "sha256:abc123...",
"artifactPurl": "pkg:oci/myapp@sha256:abc123...",
"scannerVersion": "1.0.0",
"workerVersion": "1.0.0",
"concelierSnapshotHash": "sha256:feed123...",
"excititorSnapshotHash": "sha256:vex456...",
"latticePolicyHash": "sha256:policy789...",
"deterministic": true,
"seed": "AQIDBA==", // base64-encoded 32 bytes
"knobs": {
"maxDepth": "10",
"indirectCallResolution": "conservative"
}
}
```
**Response** (201 Created):
```json
{
"scanId": "550e8400-e29b-41d4-a716-446655440000",
"manifestHash": "sha256:manifest123...",
"createdAt": "2025-12-17T12:00:00Z",
"_links": {
"self": "/api/v1/scanner/scans/550e8400-e29b-41d4-a716-446655440000",
"manifest": "/api/v1/scanner/scans/550e8400-e29b-41d4-a716-446655440000/manifest"
}
}
```
**Headers**:
- `Content-Digest`: `sha256=<base64-hash>` (idempotency key)
- `Location`: `/api/v1/scanner/scans/{scanId}`
**Errors**:
- `400 Bad Request` — Invalid manifest (missing required fields)
- `409 Conflict` — Scan with same `manifestHash` already exists
- `422 Unprocessable Entity` — Snapshot hashes not found in Concelier/Excititor
**Idempotency**: Requests with same `Content-Digest` return existing scan (no duplicate creation).
---
### 2. Retrieve Scan Manifest
**GET** `/api/v1/scanner/scans/{scanId}/manifest`
**Description**: Retrieves the canonical JSON manifest with DSSE signature.
**Response** (200 OK):
```json
{
"manifest": {
"scanId": "550e8400-e29b-41d4-a716-446655440000",
"createdAtUtc": "2025-12-17T12:00:00Z",
"artifactDigest": "sha256:abc123...",
"artifactPurl": "pkg:oci/myapp@sha256:abc123...",
"scannerVersion": "1.0.0",
"workerVersion": "1.0.0",
"concelierSnapshotHash": "sha256:feed123...",
"excititorSnapshotHash": "sha256:vex456...",
"latticePolicyHash": "sha256:policy789...",
"deterministic": true,
"seed": "AQIDBA==",
"knobs": {
"maxDepth": "10"
}
},
"manifestHash": "sha256:manifest123...",
"dsseEnvelope": {
"payloadType": "application/vnd.stellaops.scan-manifest.v1+json",
"payload": "eyJzY2FuSWQiOiIuLi4ifQ==", // base64 canonical JSON
"signatures": [
{
"keyid": "ecdsa-p256-key-001",
"sig": "MEUCIQDx..."
}
]
}
}
```
**Headers**:
- `Content-Type`: `application/json`
- `ETag`: `"<manifestHash>"`
**Errors**:
- `404 Not Found` — Scan ID not found
**Caching**: `ETag` supports conditional `If-None-Match` requests (304 Not Modified).
---
### 3. Replay Score Computation
**POST** `/api/v1/scanner/scans/{scanId}/score/replay`
**Description**: Recomputes score proofs from manifest without rescanning binaries. Used when feeds/policies change.
**Request Body**:
```json
{
"overrides": {
"concelierSnapshotHash": "sha256:newfeed...", // Optional: use different feed
"excititorSnapshotHash": "sha256:newvex...", // Optional: use different VEX
"latticePolicyHash": "sha256:newpolicy..." // Optional: use different policy
}
}
```
**Response** (200 OK):
```json
{
"scanId": "550e8400-e29b-41d4-a716-446655440000",
"replayedAt": "2025-12-17T13:00:00Z",
"scoreProof": {
"rootHash": "sha256:proof123...",
"nodes": [
{
"id": "input-1",
"kind": "Input",
"ruleId": "inputs.v1",
"delta": 0.0,
"total": 0.0,
"nodeHash": "sha256:node1..."
},
{
"id": "delta-cvss",
"kind": "Delta",
"ruleId": "score.cvss_base.weighted",
"parentIds": ["input-1"],
"evidenceRefs": ["cvss:9.1"],
"delta": 0.50,
"total": 0.50,
"nodeHash": "sha256:node2..."
}
]
},
"proofBundleUri": "/api/v1/scanner/scans/550e8400-e29b-41d4-a716-446655440000/proofs/sha256:proof123...",
"_links": {
"bundle": "/api/v1/scanner/scans/550e8400-e29b-41d4-a716-446655440000/proofs/sha256:proof123..."
}
}
```
**Errors**:
- `404 Not Found` — Scan ID not found
- `422 Unprocessable Entity` — Override snapshot not found
**Use Case**: Nightly rescore job when Concelier publishes new advisory snapshot.
---
### 4. Upload Call-Graph
**POST** `/api/v1/scanner/scans/{scanId}/callgraphs`
**Description**: Uploads call-graph extracted by language-specific workers (.NET, Java, etc.).
**Request Body** (`application/json`):
```json
{
"schema": "stella.callgraph.v1",
"language": "dotnet",
"artifacts": [
{
"artifactKey": "MyApp.WebApi.dll",
"kind": "assembly",
"sha256": "sha256:artifact123..."
}
],
"nodes": [
{
"nodeId": "sha256:node1...",
"artifactKey": "MyApp.WebApi.dll",
"symbolKey": "MyApp.Controllers.OrdersController::Get(System.Guid)",
"visibility": "public",
"isEntrypointCandidate": true
}
],
"edges": [
{
"from": "sha256:node1...",
"to": "sha256:node2...",
"kind": "static",
"reason": "direct_call",
"weight": 1.0
}
],
"entrypoints": [
{
"nodeId": "sha256:node1...",
"kind": "http",
"route": "/api/orders/{id}",
"framework": "aspnetcore"
}
]
}
```
**Headers**:
- `Content-Digest`: `sha256=<hash>` (idempotency)
**Response** (202 Accepted):
```json
{
"scanId": "550e8400-e29b-41d4-a716-446655440000",
"callGraphDigest": "sha256:cg123...",
"nodesCount": 1234,
"edgesCount": 5678,
"entrypointsCount": 12,
"status": "accepted",
"_links": {
"reachability": "/api/v1/scanner/scans/550e8400-e29b-41d4-a716-446655440000/reachability/compute"
}
}
```
**Errors**:
- `400 Bad Request` — Invalid call-graph schema
- `404 Not Found` — Scan ID not found
- `413 Payload Too Large` — Call-graph >100MB
**Idempotency**: Same `Content-Digest` → returns existing call-graph.
---
### 5. Compute Reachability
**POST** `/api/v1/scanner/scans/{scanId}/reachability/compute`
**Description**: Triggers reachability analysis for uploaded call-graph + SBOM + vulnerabilities.
**Request Body**: Empty (uses existing scan data)
**Response** (202 Accepted):
```json
{
"scanId": "550e8400-e29b-41d4-a716-446655440000",
"jobId": "reachability-job-001",
"status": "queued",
"estimatedDuration": "30s",
"_links": {
"status": "/api/v1/scanner/jobs/reachability-job-001",
"results": "/api/v1/scanner/scans/550e8400-e29b-41d4-a716-446655440000/reachability/findings"
}
}
```
**Polling**: Use `GET /api/v1/scanner/jobs/{jobId}` to check status.
**Errors**:
- `404 Not Found` — Scan ID not found
- `422 Unprocessable Entity` — Call-graph not uploaded yet
---
### 6. Get Reachability Findings
**GET** `/api/v1/scanner/scans/{scanId}/reachability/findings`
**Description**: Retrieves reachability verdicts for all vulnerabilities.
**Query Parameters**:
- `status` (optional): Filter by `REACHABLE`, `UNREACHABLE`, `POSSIBLY_REACHABLE`, `UNKNOWN`
- `cveId` (optional): Filter by CVE ID
**Response** (200 OK):
```json
{
"scanId": "550e8400-e29b-41d4-a716-446655440000",
"computedAt": "2025-12-17T12:30:00Z",
"findings": [
{
"cveId": "CVE-2024-1234",
"purl": "pkg:npm/lodash@4.17.20",
"status": "REACHABLE_STATIC",
"confidence": 0.70,
"path": [
{
"nodeId": "sha256:entrypoint...",
"symbolKey": "MyApp.Controllers.OrdersController::Get(System.Guid)"
},
{
"nodeId": "sha256:intermediate...",
"symbolKey": "MyApp.Services.OrderService::Process(Order)"
},
{
"nodeId": "sha256:vuln...",
"symbolKey": "Lodash.merge(Object, Object)"
}
],
"evidence": {
"pathLength": 3,
"staticEdgesOnly": true,
"runtimeConfirmed": false
},
"_links": {
"explain": "/api/v1/scanner/scans/{scanId}/reachability/explain?cve=CVE-2024-1234&purl=pkg:npm/lodash@4.17.20"
}
}
],
"summary": {
"total": 45,
"reachable": 3,
"unreachable": 38,
"possiblyReachable": 4,
"unknown": 0
}
}
```
**Errors**:
- `404 Not Found` — Scan ID not found or reachability not computed
---
### 7. Explain Reachability
**GET** `/api/v1/scanner/scans/{scanId}/reachability/explain`
**Description**: Provides detailed explanation for a reachability verdict.
**Query Parameters**:
- `cve` (required): CVE ID
- `purl` (required): Package URL
**Response** (200 OK):
```json
{
"cveId": "CVE-2024-1234",
"purl": "pkg:npm/lodash@4.17.20",
"status": "REACHABLE_STATIC",
"confidence": 0.70,
"explanation": {
"shortestPath": [
{
"depth": 0,
"nodeId": "sha256:entry...",
"symbolKey": "MyApp.Controllers.OrdersController::Get(System.Guid)",
"entrypointKind": "http",
"route": "/api/orders/{id}"
},
{
"depth": 1,
"nodeId": "sha256:inter...",
"symbolKey": "MyApp.Services.OrderService::Process(Order)",
"edgeKind": "static",
"edgeReason": "direct_call"
},
{
"depth": 2,
"nodeId": "sha256:vuln...",
"symbolKey": "Lodash.merge(Object, Object)",
"edgeKind": "static",
"edgeReason": "direct_call",
"vulnerableFunction": true
}
],
"whyReachable": [
"Static call path exists from HTTP entrypoint /api/orders/{id}",
"All edges are statically proven (no heuristics)",
"Vulnerable function Lodash.merge() is directly invoked"
],
"confidenceFactors": {
"staticPathExists": 0.50,
"noHeuristicEdges": 0.20,
"runtimeConfirmed": 0.00
}
},
"alternativePaths": 2, // Number of other paths found
"_links": {
"callGraph": "/api/v1/scanner/scans/{scanId}/callgraphs/sha256:cg123.../graph.json"
}
}
```
**Errors**:
- `404 Not Found` — Scan, CVE, or PURL not found
---
### 8. Fetch Proof Bundle
**GET** `/api/v1/scanner/scans/{scanId}/proofs/{rootHash}`
**Description**: Downloads proof bundle zip archive for offline verification.
**Path Parameters**:
- `rootHash`: Proof root hash (e.g., `sha256:proof123...`)
**Response** (200 OK):
**Headers**:
- `Content-Type`: `application/zip`
- `Content-Disposition`: `attachment; filename="proof-{scanId}-{rootHash}.zip"`
- `X-Proof-Root-Hash`: `{rootHash}`
- `X-Manifest-Hash`: `{manifestHash}`
**Body**: Binary zip archive containing:
- `manifest.json` — Canonical scan manifest
- `manifest.dsse.json` — DSSE signature of manifest
- `score_proof.json` — Proof ledger (array of ProofNodes)
- `proof_root.dsse.json` — DSSE signature of proof root
- `meta.json` — Metadata (created timestamp, etc.)
**Errors**:
- `404 Not Found` — Scan or proof root hash not found
**Use Case**: Air-gap verification (`stella proof verify --bundle proof.zip`).
---
### 9. List Unknowns
**GET** `/api/v1/scanner/unknowns`
**Description**: Lists unknowns (missing evidence) ranked by priority.
**Query Parameters**:
- `band` (optional): Filter by `HOT`, `WARM`, `COLD`
- `limit` (optional): Max results (default: 100, max: 1000)
- `offset` (optional): Pagination offset
**Response** (200 OK):
```json
{
"unknowns": [
{
"unknownId": "unk-001",
"pkgId": "pkg:npm/lodash",
"pkgVersion": "4.17.20",
"digestAnchor": "sha256:...",
"reasons": ["missing_vex", "ambiguous_version"],
"score": 0.72,
"band": "HOT",
"popularity": 0.85,
"potentialExploit": 0.60,
"uncertainty": 0.75,
"evidence": {
"deployments": 42,
"epss": 0.58,
"kev": false
},
"createdAt": "2025-12-15T10:00:00Z",
"_links": {
"escalate": "/api/v1/scanner/unknowns/unk-001/escalate"
}
}
],
"pagination": {
"total": 156,
"limit": 100,
"offset": 0,
"next": "/api/v1/scanner/unknowns?band=HOT&limit=100&offset=100"
}
}
```
**Errors**:
- `400 Bad Request` — Invalid band value
---
### 10. Escalate Unknown to Rescan
**POST** `/api/v1/scanner/unknowns/{unknownId}/escalate`
**Description**: Escalates an unknown to trigger immediate rescan/re-analysis.
**Request Body**: Empty
**Response** (202 Accepted):
```json
{
"unknownId": "unk-001",
"escalatedAt": "2025-12-17T12:00:00Z",
"rescanJobId": "rescan-job-001",
"status": "queued",
"_links": {
"job": "/api/v1/scanner/jobs/rescan-job-001"
}
}
```
**Errors**:
- `404 Not Found` — Unknown ID not found
- `409 Conflict` — Unknown already escalated (rescan in progress)
---
## Data Models
### ScanManifest
See `src/__Libraries/StellaOps.Scanner.Core/Models/ScanManifest.cs` for full definition.
### ProofNode
```typescript
interface ProofNode {
id: string;
kind: "Input" | "Transform" | "Delta" | "Score";
ruleId: string;
parentIds: string[];
evidenceRefs: string[];
delta: number;
total: number;
actor: string;
tsUtc: string; // ISO 8601
seed: string; // base64
nodeHash: string; // sha256:...
}
```
### DsseEnvelope
```typescript
interface DsseEnvelope {
payloadType: string;
payload: string; // base64 canonical JSON
signatures: DsseSignature[];
}
interface DsseSignature {
keyid: string;
sig: string; // base64
}
```
### ReachabilityStatus
```typescript
enum ReachabilityStatus {
UNREACHABLE = "UNREACHABLE",
POSSIBLY_REACHABLE = "POSSIBLY_REACHABLE",
REACHABLE_STATIC = "REACHABLE_STATIC",
REACHABLE_PROVEN = "REACHABLE_PROVEN",
UNKNOWN = "UNKNOWN"
}
```
---
## Error Responses
All errors follow RFC 7807 (Problem Details):
```json
{
"type": "https://stella-ops.org/errors/scan-not-found",
"title": "Scan Not Found",
"status": 404,
"detail": "Scan ID '550e8400-e29b-41d4-a716-446655440000' does not exist.",
"instance": "/api/v1/scanner/scans/550e8400-e29b-41d4-a716-446655440000",
"traceId": "trace-001"
}
```
### Error Types
| Type | Status | Description |
|------|--------|-------------|
| `scan-not-found` | 404 | Scan ID not found |
| `invalid-manifest` | 400 | Manifest validation failed |
| `duplicate-scan` | 409 | Scan with same manifest hash exists |
| `snapshot-not-found` | 422 | Concelier/Excititor snapshot not found |
| `callgraph-not-uploaded` | 422 | Call-graph required before reachability |
| `payload-too-large` | 413 | Request body exceeds size limit |
| `proof-not-found` | 404 | Proof root hash not found |
| `unknown-not-found` | 404 | Unknown ID not found |
| `escalation-conflict` | 409 | Unknown already escalated |
---
## Rate Limiting
**Limits**:
- `POST /scans`: 100 requests/hour per tenant
- `POST /scans/{id}/score/replay`: 1000 requests/hour per tenant
- `POST /callgraphs`: 100 requests/hour per tenant
- `POST /reachability/compute`: 100 requests/hour per tenant
- `GET` endpoints: 10,000 requests/hour per tenant
**Headers**:
- `X-RateLimit-Limit`: Maximum requests per window
- `X-RateLimit-Remaining`: Remaining requests
- `X-RateLimit-Reset`: Unix timestamp when limit resets
**Error** (429 Too Many Requests):
```json
{
"type": "https://stella-ops.org/errors/rate-limit-exceeded",
"title": "Rate Limit Exceeded",
"status": 429,
"detail": "Exceeded 100 requests/hour for POST /scans. Retry after 1234567890.",
"retryAfter": 1234567890
}
```
---
## Webhooks (Future)
**Planned for Sprint 3500.0004.0003**:
```
POST /api/v1/scanner/webhooks
Register webhook for events: scan.completed, reachability.computed, unknown.escalated
```
---
## OpenAPI Specification
**File**: `src/Api/StellaOps.Api.OpenApi/scanner/openapi.yaml`
Update with new endpoints (Sprint 3500.0002.0003).
---
## References
- `SPRINT_3500_0002_0001_score_proofs_foundations.md` — Implementation sprint
- `SPRINT_3500_0002_0003_proof_replay_api.md` — API implementation sprint
- `SPRINT_3500_0003_0003_graph_attestations_rekor.md` — Reachability API sprint
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md` — API contracts section
- `docs/db/schemas/scanner_schema_specification.md` — Database schema
---
**Last Updated**: 2025-12-17
**API Version**: 2.0
**Next Review**: Sprint 3500.0004.0001 (CLI integration)

282
docs/api/score-replay-api.md Normal file
View File

@@ -0,0 +1,282 @@
# Score Replay API Reference
**Sprint:** SPRINT_3401_0002_0001
**Task:** SCORE-REPLAY-014 - Update scanner API docs with replay endpoint
## Overview
The Score Replay API enables deterministic re-scoring of scans using historical manifests. This is essential for auditing, compliance verification, and investigating how scores change with updated advisory feeds.
## Base URL
```
/api/v1/score
```
## Authentication
All endpoints require Bearer token authentication:
```http
Authorization: Bearer <token>
```
Required scope: `scanner:replay:read` for GET, `scanner:replay:write` for POST
## Endpoints
### Replay Score
```http
POST /api/v1/score/replay
```
Re-scores a scan using the original manifest with an optionally different feed snapshot.
#### Request Body
```json
{
"scanId": "scan-12345678-abcd",
"feedSnapshotHash": "sha256:abc123...",
"policyVersion": "1.0.0",
"dryRun": false
}
```
| Field | Type | Required | Description |
|-------|------|----------|-------------|
| `scanId` | string | Yes | Original scan ID to replay |
| `feedSnapshotHash` | string | No | Feed snapshot to use (defaults to current) |
| `policyVersion` | string | No | Policy version (defaults to original) |
| `dryRun` | boolean | No | If true, calculates but doesn't persist |
#### Response
```json
{
"replayId": "replay-87654321-dcba",
"originalScanId": "scan-12345678-abcd",
"status": "completed",
"feedSnapshotHash": "sha256:abc123...",
"policyVersion": "1.0.0",
"originalManifestHash": "sha256:def456...",
"replayedManifestHash": "sha256:ghi789...",
"scoreDelta": {
"originalScore": 7.5,
"replayedScore": 6.8,
"delta": -0.7
},
"findingsDelta": {
"added": 2,
"removed": 5,
"rescored": 12,
"unchanged": 45
},
"proofBundleRef": "proofs/replays/replay-87654321/bundle.zip",
"duration": {
"ms": 1250
},
"createdAt": "2025-01-15T10:30:00Z"
}
```
#### Example
```bash
# Replay with latest feed
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"scanId": "scan-12345678-abcd"}' \
"https://scanner.example.com/api/v1/score/replay"
# Replay with specific feed snapshot
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"scanId": "scan-12345678-abcd",
"feedSnapshotHash": "sha256:abc123..."
}' \
"https://scanner.example.com/api/v1/score/replay"
# Dry run (preview only)
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"scanId": "scan-12345678-abcd",
"dryRun": true
}' \
"https://scanner.example.com/api/v1/score/replay"
```
### Get Replay History
```http
GET /api/v1/score/replays
```
Returns history of score replays.
#### Query Parameters
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| `scanId` | string | - | Filter by original scan |
| `page` | int | 1 | Page number |
| `pageSize` | int | 50 | Items per page |
#### Response
```json
{
"items": [
{
"replayId": "replay-87654321-dcba",
"originalScanId": "scan-12345678-abcd",
"triggerType": "manual",
"scoreDelta": -0.7,
"findingsAdded": 2,
"findingsRemoved": 5,
"createdAt": "2025-01-15T10:30:00Z"
}
],
"pagination": {
"page": 1,
"pageSize": 50,
"totalItems": 12,
"totalPages": 1
}
}
```
### Get Replay Details
```http
GET /api/v1/score/replays/{replayId}
```
Returns detailed information about a specific replay.
### Get Scan Manifest
```http
GET /api/v1/scans/{scanId}/manifest
```
Returns the scan manifest containing all input hashes.
#### Response
```json
{
"manifestId": "manifest-12345678",
"scanId": "scan-12345678-abcd",
"manifestHash": "sha256:def456...",
"sbomHash": "sha256:aaa111...",
"rulesHash": "sha256:bbb222...",
"feedHash": "sha256:ccc333...",
"policyHash": "sha256:ddd444...",
"scannerVersion": "1.0.0",
"createdAt": "2025-01-15T10:00:00Z"
}
```
### Get Proof Bundle
```http
GET /api/v1/scans/{scanId}/proof-bundle
```
Downloads the proof bundle (ZIP archive) for a scan.
#### Response
Returns `application/zip` with the proof bundle containing:
- `manifest.json` - Signed scan manifest
- `ledger.json` - Proof ledger nodes
- `sbom.json` - Input SBOM (hash-verified)
- `findings.json` - Scored findings
- `signature.dsse` - DSSE envelope
## Scheduled Replay
Scans can be automatically replayed when feed snapshots change.
### Configuration
```yaml
# config/scanner.yaml
score_replay:
enabled: true
schedule: "0 4 * * *" # Daily at 4 AM UTC
max_age_days: 30 # Only replay scans from last 30 days
notify_on_delta: true # Send notification if scores change
delta_threshold: 0.5 # Only notify if delta > threshold
```
### Trigger Types
| Type | Description |
|------|-------------|
| `manual` | User-initiated via API |
| `feed_update` | Triggered by new feed snapshot |
| `policy_change` | Triggered by policy version change |
| `scheduled` | Triggered by scheduled job |
## Determinism Guarantees
Score replay guarantees deterministic results when:
1. **Same manifest hash** - All inputs are identical
2. **Same scanner version** - Scoring algorithm unchanged
3. **Same policy version** - Policy rules unchanged
### Manifest Contents
The manifest captures:
- SBOM content hash
- Rules snapshot hash
- Advisory feed snapshot hash
- Policy configuration hash
- Scanner version
### Verification
```bash
# Verify replay determinism
curl -H "Authorization: Bearer $TOKEN" \
"https://scanner.example.com/api/v1/scans/{scanId}/manifest" \
| jq '.manifestHash'
# Compare with replay
curl -H "Authorization: Bearer $TOKEN" \
"https://scanner.example.com/api/v1/score/replays/{replayId}" \
| jq '.replayedManifestHash'
```
## Error Responses
| Status | Code | Description |
|--------|------|-------------|
| 400 | `INVALID_SCAN_ID` | Scan ID not found |
| 400 | `INVALID_FEED_SNAPSHOT` | Feed snapshot not found |
| 400 | `MANIFEST_NOT_FOUND` | Scan manifest missing |
| 401 | `UNAUTHORIZED` | Invalid token |
| 403 | `FORBIDDEN` | Insufficient permissions |
| 409 | `REPLAY_IN_PROGRESS` | Replay already running for scan |
| 429 | `RATE_LIMITED` | Too many requests |
## Rate Limits
- POST replay: 10 requests/minute
- GET replays: 100 requests/minute
- GET manifest: 100 requests/minute
## Related Documentation
- [Proof Bundle Format](./proof-bundle-format.md)
- [Scanner Architecture](../modules/scanner/architecture.md)
- [Determinism Requirements](../product-advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md)

325
docs/api/smart-diff-types.md Normal file
View File

@@ -0,0 +1,325 @@
# Smart-Diff API Types
> Sprint: SPRINT_3500_0002_0001
> Module: Scanner, Policy, Attestor
This document describes the Smart-Diff types exposed through APIs.
## Smart-Diff Predicate
The Smart-Diff predicate is a DSSE-signed attestation describing differential analysis between two scans.
### Predicate Type URI
```
stellaops.dev/predicates/smart-diff@v1
```
### OpenAPI Schema Fragment
```yaml
SmartDiffPredicate:
type: object
required:
- schemaVersion
- baseImage
- targetImage
- diff
- reachabilityGate
- scanner
properties:
schemaVersion:
type: string
pattern: "^[0-9]+\\.[0-9]+\\.[0-9]+$"
example: "1.0.0"
description: Schema version (semver)
baseImage:
$ref: '#/components/schemas/ImageReference'
targetImage:
$ref: '#/components/schemas/ImageReference'
diff:
$ref: '#/components/schemas/DiffPayload'
reachabilityGate:
$ref: '#/components/schemas/ReachabilityGate'
scanner:
$ref: '#/components/schemas/ScannerInfo'
context:
$ref: '#/components/schemas/RuntimeContext'
suppressedCount:
type: integer
minimum: 0
description: Number of findings suppressed by pre-filters
materialChanges:
type: array
items:
$ref: '#/components/schemas/MaterialChange'
ImageReference:
type: object
required:
- digest
properties:
digest:
type: string
pattern: "^sha256:[a-f0-9]{64}$"
example: "sha256:abc123..."
repository:
type: string
example: "ghcr.io/org/image"
tag:
type: string
example: "v1.2.3"
DiffPayload:
type: object
required:
- added
- removed
- modified
properties:
added:
type: array
items:
$ref: '#/components/schemas/DiffEntry'
description: New vulnerabilities in target
removed:
type: array
items:
$ref: '#/components/schemas/DiffEntry'
description: Vulnerabilities fixed in target
modified:
type: array
items:
$ref: '#/components/schemas/DiffEntry'
description: Changed vulnerability status
DiffEntry:
type: object
required:
- vulnId
- componentPurl
properties:
vulnId:
type: string
example: "CVE-2024-1234"
componentPurl:
type: string
example: "pkg:npm/lodash@4.17.21"
severity:
type: string
enum: [CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN]
changeType:
type: string
enum: [added, removed, severity_changed, status_changed]
ReachabilityGate:
type: object
required:
- class
- isSinkReachable
- isEntryReachable
properties:
class:
type: integer
minimum: 0
maximum: 7
description: |
3-bit reachability class:
- Bit 0: Entry point reachable
- Bit 1: Sink reachable
- Bit 2: Direct path exists
isSinkReachable:
type: boolean
description: Whether a sensitive sink is reachable
isEntryReachable:
type: boolean
description: Whether an entry point is reachable
sinkCategory:
type: string
enum: [file, network, crypto, command, sql, ldap, xpath, ssrf, log, deserialization, reflection]
description: Category of the matched sink
ScannerInfo:
type: object
required:
- name
- version
properties:
name:
type: string
example: "stellaops-scanner"
version:
type: string
example: "1.5.0"
commit:
type: string
example: "abc123"
RuntimeContext:
type: object
additionalProperties: true
description: Optional runtime context for the scan
example:
env: "production"
namespace: "default"
cluster: "us-east-1"
MaterialChange:
type: object
properties:
type:
type: string
enum: [file, package, config]
path:
type: string
hash:
type: string
changeKind:
type: string
enum: [added, removed, modified]
```
## Reachability Gate Classes
| Class | Entry | Sink | Direct | Description |
|-------|-------|------|--------|-------------|
| 0 | ❌ | ❌ | ❌ | Not reachable |
| 1 | ✅ | ❌ | ❌ | Entry point only |
| 2 | ❌ | ✅ | ❌ | Sink only |
| 3 | ✅ | ✅ | ❌ | Both, no direct path |
| 4 | ❌ | ❌ | ✅ | Direct path, no endpoints |
| 5 | ✅ | ❌ | ✅ | Entry + direct |
| 6 | ❌ | ✅ | ✅ | Sink + direct |
| 7 | ✅ | ✅ | ✅ | Full reachability confirmed |
## Sink Categories
| Category | Description | Examples |
|----------|-------------|----------|
| `file` | File system operations | `File.Open`, `fopen` |
| `network` | Network I/O | `HttpClient`, `socket` |
| `crypto` | Cryptographic operations | `SHA256`, `AES` |
| `command` | Command execution | `Process.Start`, `exec` |
| `sql` | SQL queries | `SqlCommand`, query builders |
| `ldap` | LDAP operations | `DirectoryEntry` |
| `xpath` | XPath queries | `XPathNavigator` |
| `ssrf` | Server-side request forgery | HTTP clients with user input |
| `log` | Logging operations | `ILogger`, `Console.Write` |
| `deserialization` | Deserialization | `JsonSerializer`, `BinaryFormatter` |
| `reflection` | Reflection operations | `Type.GetType`, `Assembly.Load` |
## Suppression Rules
### OpenAPI Schema Fragment
```yaml
SuppressionRule:
type: object
required:
- id
- type
properties:
id:
type: string
description: Unique rule identifier
type:
type: string
enum:
- cve_pattern
- purl_pattern
- severity_below
- patch_churn
- sink_category
- reachability_class
pattern:
type: string
description: Regex pattern (for pattern rules)
threshold:
type: string
description: Threshold value (for severity/class rules)
enabled:
type: boolean
default: true
reason:
type: string
description: Human-readable reason for suppression
expires:
type: string
format: date-time
description: Optional expiration timestamp
SuppressionResult:
type: object
properties:
suppressed:
type: boolean
matchedRuleId:
type: string
reason:
type: string
```
## Usage Examples
### Creating a Smart-Diff Predicate
```csharp
var predicate = new SmartDiffPredicate
{
SchemaVersion = "1.0.0",
BaseImage = new ImageReference
{
Digest = "sha256:abc123...",
Repository = "ghcr.io/org/image",
Tag = "v1.0.0"
},
TargetImage = new ImageReference
{
Digest = "sha256:def456...",
Repository = "ghcr.io/org/image",
Tag = "v1.1.0"
},
Diff = new DiffPayload
{
Added = [new DiffEntry { VulnId = "CVE-2024-1234", ... }],
Removed = [],
Modified = []
},
ReachabilityGate = new ReachabilityGate
{
Class = 7,
IsSinkReachable = true,
IsEntryReachable = true,
SinkCategory = SinkCategory.Network
},
Scanner = new ScannerInfo
{
Name = "stellaops-scanner",
Version = "1.5.0"
},
SuppressedCount = 5
};
```
### Evaluating Suppression Rules
```csharp
var evaluator = services.GetRequiredService<ISuppressionRuleEvaluator>();
var result = await evaluator.EvaluateAsync(finding, rules);
if (result.Suppressed)
{
logger.LogInformation(
"Finding {VulnId} suppressed by rule {RuleId}: {Reason}",
finding.VulnId,
result.MatchedRuleId,
result.Reason);
}
```
## Related Documentation
- [Smart-Diff Technical Reference](../product-advisories/14-Dec-2025%20-%20Smart-Diff%20Technical%20Reference.md)
- [Scanner Architecture](../modules/scanner/architecture.md)
- [Policy Architecture](../modules/policy/architecture.md)

334
docs/api/triage.contract.v1.md Normal file
View File

@@ -0,0 +1,334 @@
# Stella Ops Triage API Contract v1
Base path: `/api/triage/v1`
This contract is served by `scanner.webservice` (or a dedicated triage facade that reads scanner-owned tables).
All risk/lattice outputs originate from `scanner.webservice`.
Key requirements:
- Deterministic outputs (policyId + policyVersion + inputsHash).
- Proof-linking (chips reference evidenceIds).
- `concelier` and `excititor` preserve prune source: API surfaces source chains via `sourceRefs`.
## 0. Conventions
### 0.1 Identifiers
- `caseId` == `findingId` (UUID). A case is a finding scoped to an asset/environment.
- Hashes are hex strings.
### 0.2 Caching
- GET endpoints SHOULD return `ETag`.
- Clients SHOULD send `If-None-Match`.
### 0.3 Errors
Standard error envelope:
```json
{
"error": {
"code": "string",
"message": "string",
"details": { "any": "json" },
"traceId": "string"
}
}
```
Common codes:
* `not_found`
* `validation_error`
* `conflict`
* `unauthorized`
* `forbidden`
* `rate_limited`
## 1. Findings Table
### 1.1 List findings
`GET /findings`
Query params:
* `showMuted` (bool, default false)
* `lane` (optional, enum)
* `search` (optional string; searches asset, purl, cveId)
* `page` (int, default 1)
* `pageSize` (int, default 50; max 200)
* `sort` (optional: `updatedAt`, `score`, `lane`)
* `order` (optional: `asc|desc`)
Response 200:
```json
{
"page": 1,
"pageSize": 50,
"total": 12345,
"mutedCounts": { "reach": 1904, "vex": 513, "compensated": 18 },
"rows": [
{
"id": "uuid",
"lane": "BLOCKED",
"verdict": "BLOCK",
"score": 87,
"reachable": "YES",
"vex": "affected",
"exploit": "YES",
"asset": "prod/api-gateway:1.2.3",
"updatedAt": "2025-12-16T01:02:03Z"
}
]
}
```
## 2. Case Narrative
### 2.1 Get case header
`GET /cases/{caseId}`
Response 200:
```json
{
"id": "uuid",
"verdict": "BLOCK",
"lane": "BLOCKED",
"score": 87,
"policyId": "prod-strict",
"policyVersion": "2025.12.14",
"inputsHash": "hex",
"why": "Reachable path observed; exploit signal present; prod-strict blocks.",
"chips": [
{ "key": "reachability", "label": "Reachability", "value": "Reachable (92%)", "evidenceIds": ["uuid"] },
{ "key": "vex", "label": "VEX", "value": "affected", "evidenceIds": ["uuid"] },
{ "key": "gate", "label": "Gate", "value": "BLOCKED by prod-strict", "evidenceIds": ["uuid"] }
],
"sourceRefs": [
{
"domain": "concelier",
"kind": "cve_record",
"ref": "concelier:osv:...",
"pruned": false
},
{
"domain": "excititor",
"kind": "effective_vex",
"ref": "excititor:openvex:...",
"pruned": false
}
],
"updatedAt": "2025-12-16T01:02:03Z"
}
```
Notes:
* `sourceRefs` provides preserved provenance chains (including pruned markers when applicable).
## 3. Evidence
### 3.1 List evidence for case
`GET /cases/{caseId}/evidence`
Response 200:
```json
{
"caseId": "uuid",
"items": [
{
"id": "uuid",
"type": "VEX_DOC",
"title": "Vendor OpenVEX assertion",
"issuer": "vendor.example",
"signed": true,
"signedBy": "CN=Vendor VEX Signer",
"contentHash": "hex",
"createdAt": "2025-12-15T22:10:00Z",
"previewUrl": "/api/triage/v1/evidence/uuid/preview",
"rawUrl": "/api/triage/v1/evidence/uuid/raw"
}
]
}
```
### 3.2 Get raw evidence object
`GET /evidence/{evidenceId}/raw`
Returns:
* `application/json` for JSON evidence
* `application/octet-stream` for binary
* MUST include `Content-SHA256` header (hex) when possible.
### 3.3 Preview evidence object
`GET /evidence/{evidenceId}/preview`
Returns a compact representation safe for UI preview.
## 4. Decisions
### 4.1 Create decision
`POST /decisions`
Request body:
```json
{
"caseId": "uuid",
"kind": "MUTE_REACH",
"reasonCode": "NON_REACHABLE",
"note": "No entry path in this env; reviewed runtime traces.",
"ttl": "2026-01-16T00:00:00Z"
}
```
Response 201:
```json
{
"decision": {
"id": "uuid",
"kind": "MUTE_REACH",
"reasonCode": "NON_REACHABLE",
"note": "No entry path in this env; reviewed runtime traces.",
"ttl": "2026-01-16T00:00:00Z",
"actor": { "subject": "user:abc", "display": "Vlad" },
"createdAt": "2025-12-16T01:10:00Z",
"signatureRef": "dsse:rekor:uuid"
}
}
```
Rules:
* Server signs decisions (DSSE) and persists signature reference.
* Creating a decision MUST create a `Snapshot` with trigger `DECISION`.
### 4.2 Revoke decision
`POST /decisions/{decisionId}/revoke`
Body (optional):
```json
{ "reason": "Mistake; reachability now observed." }
```
Response 200:
```json
{ "revokedAt": "2025-12-16T02:00:00Z", "signatureRef": "dsse:rekor:uuid" }
```
## 5. Snapshots & Smart-Diff
### 5.1 List snapshots
`GET /cases/{caseId}/snapshots`
Response 200:
```json
{
"caseId": "uuid",
"items": [
{
"id": "uuid",
"trigger": "POLICY_UPDATE",
"changedAt": "2025-12-16T00:00:00Z",
"fromInputsHash": "hex",
"toInputsHash": "hex",
"summary": "Policy version changed; gate threshold crossed."
}
]
}
```
### 5.2 Smart-Diff between two snapshots
`GET /cases/{caseId}/smart-diff?from={inputsHashA}&to={inputsHashB}`
Response 200:
```json
{
"fromInputsHash": "hex",
"toInputsHash": "hex",
"inputsChanged": [
{ "key": "policyVersion", "before": "2025.12.14", "after": "2025.12.16", "evidenceIds": ["uuid"] }
],
"outputsChanged": [
{ "key": "verdict", "before": "SHIP", "after": "BLOCK", "evidenceIds": ["uuid"] }
]
}
```
## 6. Export Evidence Bundle
### 6.1 Start export
`POST /cases/{caseId}/export`
Response 202:
```json
{
"exportId": "uuid",
"status": "QUEUED"
}
```
### 6.2 Poll export
`GET /exports/{exportId}`
Response 200:
```json
{
"exportId": "uuid",
"status": "READY",
"downloadUrl": "/api/triage/v1/exports/uuid/download"
}
```
### 6.3 Download bundle
`GET /exports/{exportId}/download`
Returns:
* `application/zip`
* DSSE envelope embedded (or alongside in zip)
* bundle contains replay manifest, artifacts, risk result, snapshots
## 7. Events (Notify.WebService integration)
These are emitted by `notify.webservice` when scanner outputs change.
* `first_signal`
* fired on first actionable detection for an asset/environment
* `risk_changed`
* fired when verdict/lane changes or thresholds crossed
* `gate_blocked`
* fired when CI gate blocks
Event payload includes:
* caseId
* old/new verdict/lane/score (for changed events)
* inputsHash
* links to `/cases/{caseId}`
---
**Document Version**: 1.0
**Target Platform**: .NET 10, PostgreSQL >= 16

334
docs/api/unknowns-api.md Normal file
View File

@@ -0,0 +1,334 @@
# Unknowns API Reference
**Sprint:** SPRINT_3600_0002_0001
**Task:** UNK-RANK-011 - Update unknowns API documentation
## Overview
The Unknowns API provides access to items that could not be fully classified due to missing evidence, ambiguous data, or incomplete intelligence. Unknowns are ranked by blast radius, exploit pressure, and containment signals.
## Base URL
```
/api/v1/unknowns
```
## Authentication
All endpoints require Bearer token authentication:
```http
Authorization: Bearer <token>
```
Required scope: `scanner:unknowns:read`
## Endpoints
### List Unknowns
```http
GET /api/v1/unknowns
```
Returns paginated list of unknowns, optionally sorted by score.
#### Query Parameters
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| `sort` | string | `score` | Sort field: `score`, `created_at`, `blast_dependents` |
| `order` | string | `desc` | Sort order: `asc`, `desc` |
| `page` | int | 1 | Page number (1-indexed) |
| `pageSize` | int | 50 | Items per page (max 200) |
| `artifact` | string | - | Filter by artifact digest |
| `reason` | string | - | Filter by reason code |
| `minScore` | float | - | Minimum score threshold (0-1) |
| `maxScore` | float | - | Maximum score threshold (0-1) |
| `kev` | bool | - | Filter by KEV status |
| `seccomp` | string | - | Filter by seccomp state: `enforced`, `permissive`, `unknown` |
#### Response
```json
{
"items": [
{
"id": "unk-12345678-abcd-1234-5678-abcdef123456",
"artifactDigest": "sha256:abc123...",
"artifactPurl": "pkg:oci/myapp@sha256:abc123",
"reasons": ["missing_vex", "ambiguous_indirect_call"],
"blastRadius": {
"dependents": 15,
"netFacing": true,
"privilege": "user"
},
"evidenceScarcity": 0.7,
"exploitPressure": {
"epss": 0.45,
"kev": false
},
"containment": {
"seccomp": "enforced",
"fs": "ro"
},
"score": 0.62,
"proofRef": "proofs/unknowns/unk-12345678/tree.json",
"createdAt": "2025-01-15T10:30:00Z",
"updatedAt": "2025-01-15T10:30:00Z"
}
],
"pagination": {
"page": 1,
"pageSize": 50,
"totalItems": 142,
"totalPages": 3
}
}
```
#### Example
```bash
# Get top 10 highest-scored unknowns
curl -H "Authorization: Bearer $TOKEN" \
"https://scanner.example.com/api/v1/unknowns?sort=score&order=desc&pageSize=10"
# Filter by KEV and minimum score
curl -H "Authorization: Bearer $TOKEN" \
"https://scanner.example.com/api/v1/unknowns?kev=true&minScore=0.5"
# Filter by artifact
curl -H "Authorization: Bearer $TOKEN" \
"https://scanner.example.com/api/v1/unknowns?artifact=sha256:abc123"
```
### Get Unknown by ID
```http
GET /api/v1/unknowns/{id}
```
Returns detailed information about a specific unknown.
#### Response
```json
{
"id": "unk-12345678-abcd-1234-5678-abcdef123456",
"artifactDigest": "sha256:abc123...",
"artifactPurl": "pkg:oci/myapp@sha256:abc123",
"reasons": ["missing_vex", "ambiguous_indirect_call"],
"reasonDetails": [
{
"code": "missing_vex",
"message": "No VEX statement found for CVE-2024-1234",
"component": "pkg:npm/lodash@4.17.20"
},
{
"code": "ambiguous_indirect_call",
"message": "Indirect call target could not be resolved",
"location": "src/utils.js:42"
}
],
"blastRadius": {
"dependents": 15,
"netFacing": true,
"privilege": "user"
},
"evidenceScarcity": 0.7,
"exploitPressure": {
"epss": 0.45,
"kev": false
},
"containment": {
"seccomp": "enforced",
"fs": "ro"
},
"score": 0.62,
"scoreBreakdown": {
"blastComponent": 0.35,
"scarcityComponent": 0.21,
"pressureComponent": 0.26,
"containmentDeduction": -0.20
},
"proofRef": "proofs/unknowns/unk-12345678/tree.json",
"createdAt": "2025-01-15T10:30:00Z",
"updatedAt": "2025-01-15T10:30:00Z"
}
```
### Get Unknown Proof
```http
GET /api/v1/unknowns/{id}/proof
```
Returns the proof tree explaining the ranking decision.
#### Response
```json
{
"version": "1.0",
"unknownId": "unk-12345678-abcd-1234-5678-abcdef123456",
"nodes": [
{
"kind": "input",
"hash": "sha256:abc...",
"data": {
"reasons": ["missing_vex"],
"evidenceScarcity": 0.7
}
},
{
"kind": "delta",
"hash": "sha256:def...",
"factor": "blast_radius",
"contribution": 0.35
},
{
"kind": "delta",
"hash": "sha256:ghi...",
"factor": "containment_seccomp",
"contribution": -0.10
},
{
"kind": "score",
"hash": "sha256:jkl...",
"finalScore": 0.62
}
],
"rootHash": "sha256:mno..."
}
```
### Batch Get Unknowns
```http
POST /api/v1/unknowns/batch
```
Get multiple unknowns by ID in a single request.
#### Request Body
```json
{
"ids": [
"unk-12345678-abcd-1234-5678-abcdef123456",
"unk-87654321-dcba-4321-8765-654321fedcba"
]
}
```
#### Response
Same format as list response with matching items.
### Get Unknowns Summary
```http
GET /api/v1/unknowns/summary
```
Returns aggregate statistics about unknowns.
#### Query Parameters
| Parameter | Type | Description |
|-----------|------|-------------|
| `artifact` | string | Filter by artifact digest |
#### Response
```json
{
"totalCount": 142,
"byReason": {
"missing_vex": 45,
"ambiguous_indirect_call": 32,
"incomplete_sbom": 28,
"unknown_platform": 15,
"other": 22
},
"byScoreBucket": {
"critical": 12, // score >= 0.8
"high": 35, // 0.6 <= score < 0.8
"medium": 48, // 0.4 <= score < 0.6
"low": 47 // score < 0.4
},
"byContainment": {
"enforced": 45,
"permissive": 32,
"unknown": 65
},
"kevCount": 8,
"avgScore": 0.52
}
```
## Reason Codes
| Code | Description |
|------|-------------|
| `missing_vex` | No VEX statement for vulnerability |
| `ambiguous_indirect_call` | Indirect call target unresolved |
| `incomplete_sbom` | SBOM missing component data |
| `unknown_platform` | Platform not recognized |
| `missing_advisory` | No advisory data for CVE |
| `conflicting_evidence` | Multiple conflicting data sources |
| `stale_data` | Data exceeds freshness threshold |
## Score Calculation
The unknown score is calculated as:
```
score = 0.60 × blast + 0.30 × scarcity + 0.30 × pressure + containment_deduction
```
Where:
- `blast` = normalized blast radius (0-1)
- `scarcity` = evidence scarcity factor (0-1)
- `pressure` = exploit pressure (EPSS + KEV factor)
- `containment_deduction` = -0.10 for enforced seccomp, -0.10 for read-only FS
### Blast Radius Normalization
```
dependents_normalized = min(dependents / 50, 1.0)
net_factor = 0.5 if net_facing else 0.0
priv_factor = 0.5 if privilege == "root" else 0.0
blast = min((dependents_normalized + net_factor + priv_factor) / 2, 1.0)
```
### Exploit Pressure
```
epss_normalized = epss ?? 0.35 // Default if unknown
kev_factor = 0.30 if kev else 0.0
pressure = min(epss_normalized + kev_factor, 1.0)
```
## Error Responses
| Status | Code | Description |
|--------|------|-------------|
| 400 | `INVALID_PARAMETER` | Invalid query parameter |
| 401 | `UNAUTHORIZED` | Missing or invalid token |
| 403 | `FORBIDDEN` | Insufficient permissions |
| 404 | `NOT_FOUND` | Unknown not found |
| 429 | `RATE_LIMITED` | Too many requests |
## Rate Limits
- List: 100 requests/minute
- Get by ID: 300 requests/minute
- Summary: 60 requests/minute
## Related Documentation
- [Unknowns Ranking Technical Reference](../product-advisories/14-Dec-2025%20-%20Triage%20and%20Unknowns%20Technical%20Reference.md)
- [Scanner Architecture](../modules/scanner/architecture.md)
- [Proof Bundle Format](../api/proof-bundle-format.md)

320
docs/benchmarks/accuracy-metrics-framework.md Normal file
View File

@@ -0,0 +1,320 @@
# Accuracy Metrics Framework
## Overview
This document defines the accuracy metrics framework used to measure and track StellaOps scanner performance. All metrics are computed against ground truth datasets and published quarterly.
## Metric Definitions
### Confusion Matrix
For binary classification tasks (e.g., reachable vs unreachable):
| | Predicted Positive | Predicted Negative |
|--|-------------------|-------------------|
| **Actual Positive** | True Positive (TP) | False Negative (FN) |
| **Actual Negative** | False Positive (FP) | True Negative (TN) |
### Core Metrics
| Metric | Formula | Description | Target |
|--------|---------|-------------|--------|
| **Precision** | TP / (TP + FP) | Of items flagged, how many were correct | >= 90% |
| **Recall** | TP / (TP + FN) | Of actual positives, how many were found | >= 85% |
| **F1 Score** | 2 * (P * R) / (P + R) | Harmonic mean of precision and recall | >= 87% |
| **False Positive Rate** | FP / (FP + TN) | Rate of incorrect positive flags | <= 10% |
| **Accuracy** | (TP + TN) / Total | Overall correctness | >= 90% |
---
## Reachability Analysis Accuracy
### Definitions
- **True Positive (TP)**: Correctly identified as reachable (code path actually exists)
- **False Positive (FP)**: Incorrectly identified as reachable (no real code path)
- **True Negative (TN)**: Correctly identified as unreachable (no code path exists)
- **False Negative (FN)**: Incorrectly identified as unreachable (code path exists but missed)
### Target Metrics
| Metric | Target | Stretch Goal |
|--------|--------|--------------|
| Precision | >= 90% | >= 95% |
| Recall | >= 85% | >= 90% |
| F1 Score | >= 87% | >= 92% |
| False Positive Rate | <= 10% | <= 5% |
### Per-Language Targets
| Language | Precision | Recall | F1 | Notes |
|----------|-----------|--------|-----|-------|
| Java | >= 92% | >= 88% | >= 90% | Strong static analysis support |
| C# | >= 90% | >= 85% | >= 87% | Roslyn-based analysis |
| Go | >= 88% | >= 82% | >= 85% | Good call graph support |
| JavaScript | >= 85% | >= 78% | >= 81% | Dynamic typing challenges |
| Python | >= 83% | >= 75% | >= 79% | Dynamic typing challenges |
| TypeScript | >= 88% | >= 82% | >= 85% | Better than JS due to types |
---
## Lattice State Accuracy
VEX lattice states have different confidence requirements:
| State | Definition | Target Accuracy | Validation |
|-------|------------|-----------------|------------|
| **CR** (Confirmed Reachable) | Runtime evidence + static path | >= 95% | Runtime trace verification |
| **SR** (Static Reachable) | Static path only | >= 90% | Static analysis coverage |
| **SU** (Static Unreachable) | No static path found | >= 85% | Negative proof verification |
| **DT** (Denied by Tool) | Tool analysis confirms not affected | >= 90% | Tool output validation |
| **DV** (Denied by Vendor) | Vendor VEX statement | >= 95% | VEX signature verification |
| **U** (Unknown) | Insufficient evidence | Track % | Minimize unknowns |
### Lattice Transition Accuracy
Measure accuracy of automatic state transitions:
| Transition | Trigger | Target Accuracy |
|------------|---------|-----------------|
| U -> SR | Static analysis finds path | >= 90% |
| SR -> CR | Runtime evidence added | >= 95% |
| U -> SU | Static analysis proves unreachable | >= 85% |
| SR -> DT | Tool-specific analysis | >= 90% |
---
## SBOM Completeness Metrics
### Component Detection
| Metric | Formula | Target | Notes |
|--------|---------|--------|-------|
| **Component Recall** | Found / Total Actual | >= 98% | Find all real components |
| **Component Precision** | Real / Reported | >= 99% | Minimize phantom components |
| **Version Accuracy** | Correct Versions / Total | >= 95% | Version string correctness |
| **License Accuracy** | Correct Licenses / Total | >= 90% | License detection accuracy |
### Per-Ecosystem Targets
| Ecosystem | Comp. Recall | Comp. Precision | Version Acc. |
|-----------|--------------|-----------------|--------------|
| Alpine APK | >= 99% | >= 99% | >= 98% |
| Debian DEB | >= 99% | >= 99% | >= 98% |
| npm | >= 97% | >= 98% | >= 95% |
| Maven | >= 98% | >= 99% | >= 96% |
| NuGet | >= 98% | >= 99% | >= 96% |
| PyPI | >= 96% | >= 98% | >= 94% |
| Go Modules | >= 97% | >= 98% | >= 95% |
| Cargo (Rust) | >= 98% | >= 99% | >= 96% |
---
## Vulnerability Detection Accuracy
### CVE Matching
| Metric | Formula | Target |
|--------|---------|--------|
| **CVE Recall** | Found CVEs / Actual CVEs | >= 95% |
| **CVE Precision** | Correct CVEs / Reported CVEs | >= 98% |
| **Version Range Accuracy** | Correct Affected / Total | >= 93% |
### False Positive Categories
Track and minimize specific FP types:
| FP Type | Description | Target Rate |
|---------|-------------|-------------|
| **Phantom Component** | CVE for component not present | <= 1% |
| **Version Mismatch** | CVE for wrong version | <= 3% |
| **Ecosystem Confusion** | Wrong package with same name | <= 1% |
| **Stale Advisory** | Already fixed but flagged | <= 2% |
---
## Measurement Methodology
### Ground Truth Establishment
1. **Manual Curation**
- Expert review of sample applications
- Documented decision rationale
- Multiple reviewer consensus
2. **Automated Verification**
- Cross-reference with authoritative sources
- NVD, OSV, GitHub Advisory Database
- Vendor security bulletins
3. **Runtime Validation**
- Dynamic analysis confirmation
- Exploit proof-of-concept testing
- Production monitoring correlation
### Test Corpus Requirements
| Category | Minimum Samples | Diversity Requirements |
|----------|-----------------|----------------------|
| Reachability | 50 per language | Mix of libraries, frameworks |
| SBOM | 100 images | All major ecosystems |
| CVE Detection | 500 CVEs | Mix of severities, ages |
| Performance | 10 reference images | Various sizes |
### Measurement Process
```
1. Select ground truth corpus
└── Minimum samples per category
└── Representative of production workloads
2. Run scanner with deterministic manifest
└── Fixed advisory database version
└── Reproducible configuration
3. Compare results to ground truth
└── Automated diff tooling
└── Manual review of discrepancies
4. Compute metrics per category
└── Generate confusion matrices
└── Calculate precision/recall/F1
5. Aggregate and publish
└── Per-ecosystem breakdown
└── Overall summary metrics
└── Trend analysis
```
---
## Reporting Format
### Quarterly Benchmark Report
```json
{
"report_version": "1.0",
"scanner_version": "1.3.0",
"report_date": "2025-12-14",
"ground_truth_version": "2025-Q4",
"reachability": {
"overall": {
"precision": 0.91,
"recall": 0.86,
"f1": 0.88,
"samples": 450
},
"by_language": {
"java": {"precision": 0.93, "recall": 0.88, "f1": 0.90, "samples": 100},
"csharp": {"precision": 0.90, "recall": 0.85, "f1": 0.87, "samples": 80},
"go": {"precision": 0.89, "recall": 0.83, "f1": 0.86, "samples": 70}
}
},
"sbom": {
"component_recall": 0.98,
"component_precision": 0.99,
"version_accuracy": 0.96
},
"vulnerability": {
"cve_recall": 0.96,
"cve_precision": 0.98,
"false_positive_rate": 0.02
},
"lattice_states": {
"cr_accuracy": 0.96,
"sr_accuracy": 0.91,
"su_accuracy": 0.87
}
}
```
---
## Regression Detection
### Thresholds
A regression is flagged when:
| Metric | Regression Threshold | Action |
|--------|---------------------|--------|
| Precision | > 3% decrease | Block release |
| Recall | > 5% decrease | Block release |
| F1 | > 4% decrease | Block release |
| FPR | > 2% increase | Block release |
| Any metric | > 1% change | Investigate |
### CI Integration
```yaml
# .gitea/workflows/accuracy-check.yml
accuracy-benchmark:
runs-on: ubuntu-latest
steps:
- name: Run accuracy benchmark
run: make benchmark-accuracy
- name: Check for regressions
run: |
stellaops benchmark compare \
--baseline results/baseline.json \
--current results/current.json \
--threshold-precision 0.03 \
--threshold-recall 0.05 \
--fail-on-regression
```
---
## Ground Truth Sources
### Internal
- `datasets/reachability/samples/` - Reachability ground truth
- `datasets/sbom/reference/` - Known-good SBOMs
- `bench/findings/` - CVE finding ground truth
### External
- **NIST SARD** - Software Assurance Reference Dataset
- **OSV Test Suite** - Open Source Vulnerability test cases
- **OWASP Benchmark** - Security testing benchmark
- **Juliet Test Suite** - CWE coverage testing
---
## Improvement Tracking
### Gap Analysis
Identify and prioritize accuracy improvements:
| Gap | Current | Target | Priority | Improvement Plan |
|-----|---------|--------|----------|------------------|
| Python recall | 73% | 78% | High | Improve type inference |
| npm precision | 96% | 98% | Medium | Fix aliasing issues |
| Version accuracy | 94% | 96% | Medium | Better version parsing |
### Quarterly Goals
Track progress against improvement targets:
| Quarter | Focus Area | Metric | Target | Actual |
|---------|------------|--------|--------|--------|
| Q4 2025 | Java reachability | Recall | 88% | TBD |
| Q1 2026 | Python support | F1 | 80% | TBD |
| Q1 2026 | SBOM completeness | Recall | 99% | TBD |
---
## References
- [FIRST CVSS v4.0 Specification](https://www.first.org/cvss/v4.0/specification-document)
- [NIST NVD API](https://nvd.nist.gov/developers)
- [OSV Schema](https://ossf.github.io/osv-schema/)
- [StellaOps Reachability Architecture](../modules/scanner/reachability.md)

191
docs/benchmarks/fidelity-metrics.md Normal file
View File

@@ -0,0 +1,191 @@
# Fidelity Metrics Framework
> Sprint: SPRINT_3403_0001_0001_fidelity_metrics
This document describes the three-tier fidelity metrics framework for measuring deterministic reproducibility in StellaOps scanner outputs.
## Overview
Fidelity metrics quantify how consistently the scanner produces outputs across replay runs. The framework provides three tiers of measurement, each capturing different aspects of reproducibility:
| Metric | Abbrev. | Description | Target |
|--------|---------|-------------|--------|
| Bitwise Fidelity | BF | Byte-for-byte identical outputs | ≥ 0.98 |
| Semantic Fidelity | SF | Normalized object equivalence | ≥ 0.99 |
| Policy Fidelity | PF | Policy decision consistency | ≈ 1.0 |
## Metric Definitions
### Bitwise Fidelity (BF)
Measures the proportion of replay runs that produce byte-for-byte identical outputs.
```
BF = identical_outputs / total_replays
```
**What it captures:**
- SHA-256 hash equivalence of all output artifacts
- Timestamp consistency
- JSON formatting consistency
- Field ordering consistency
**When BF < 1.0:**
- Timestamps embedded in outputs
- Non-deterministic field ordering
- Floating-point rounding differences
- Random identifiers (UUIDs)
### Semantic Fidelity (SF)
Measures the proportion of replay runs that produce semantically equivalent outputs, ignoring formatting differences.
```
SF = semantic_matches / total_replays
```
**What it compares:**
- Package PURLs and versions
- CVE identifiers
- Severity levels (normalized to uppercase)
- VEX verdicts
- Reason codes
**When SF < 1.0 but BF = SF:**
- No actual content differences
- Only formatting differences
**When SF < 1.0:**
- Different packages detected
- Different CVEs matched
- Different severity assignments
### Policy Fidelity (PF)
Measures the proportion of replay runs that produce matching policy decisions.
```
PF = policy_matches / total_replays
```
**What it compares:**
- Final pass/fail decision
- Reason codes (sorted for comparison)
- Policy rule triggering
**When PF < 1.0:**
- Policy outcome differs between runs
- Indicates a non-determinism bug that affects user-visible decisions
## Prometheus Metrics
The fidelity framework exports the following metrics:
| Metric Name | Type | Labels | Description |
|-------------|------|--------|-------------|
| `fidelity_bitwise_ratio` | Gauge | tenant_id, surface_id | Bitwise fidelity ratio |
| `fidelity_semantic_ratio` | Gauge | tenant_id, surface_id | Semantic fidelity ratio |
| `fidelity_policy_ratio` | Gauge | tenant_id, surface_id | Policy fidelity ratio |
| `fidelity_total_replays` | Gauge | tenant_id, surface_id | Number of replays |
| `fidelity_slo_breach_total` | Counter | breach_type, tenant_id | SLO breach count |
## SLO Thresholds
Default SLO thresholds (configurable):
| Metric | Warning | Critical |
|--------|---------|----------|
| Bitwise Fidelity | < 0.98 | < 0.90 |
| Semantic Fidelity | < 0.99 | < 0.95 |
| Policy Fidelity | < 1.0 | < 0.99 |
## Integration with DeterminismReport
Fidelity metrics are integrated into the `DeterminismReport` record:
```csharp
public sealed record DeterminismReport(
// ... existing fields ...
FidelityMetrics? Fidelity = null);
public sealed record DeterminismImageReport(
// ... existing fields ...
FidelityMetrics? Fidelity = null);
```
## Usage Example
```csharp
// Create fidelity metrics service
var service = new FidelityMetricsService(
new BitwiseFidelityCalculator(),
new SemanticFidelityCalculator(),
new PolicyFidelityCalculator());
// Compute fidelity from baseline and replays
var baseline = LoadScanResult("scan-baseline.json");
var replays = LoadReplayScanResults();
var fidelity = service.Compute(baseline, replays);
// Check thresholds
if (fidelity.BitwiseFidelity < 0.98)
{
logger.LogWarning("BF below threshold: {BF}", fidelity.BitwiseFidelity);
}
// Include in determinism report
var report = new DeterminismReport(
// ... other fields ...
Fidelity: fidelity);
```
## Mismatch Diagnostics
When fidelity is below threshold, the framework provides diagnostic information:
```csharp
public sealed record FidelityMismatch
{
public required int RunIndex { get; init; }
public required FidelityMismatchType Type { get; init; }
public required string Description { get; init; }
public IReadOnlyList<string>? AffectedArtifacts { get; init; }
}
public enum FidelityMismatchType
{
BitwiseOnly, // Hash differs but content equivalent
SemanticOnly, // Content differs but policy matches
PolicyDrift // Policy decision differs
}
```
## Configuration
Configure fidelity options via `FidelityThresholds`:
```json
{
"Fidelity": {
"BitwiseThreshold": 0.98,
"SemanticThreshold": 0.99,
"PolicyThreshold": 1.0,
"EnableDiagnostics": true,
"MaxMismatchesRecorded": 100
}
}
```
## Related Documentation
- [Determinism and Reproducibility Technical Reference](../product-advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md)
- [Determinism Scoring Foundations Sprint](../implplan/SPRINT_3401_0001_0001_determinism_scoring_foundations.md)
- [Scanner Architecture](../modules/scanner/architecture.md)
## Source Files
- `src/Scanner/StellaOps.Scanner.Worker/Determinism/FidelityMetrics.cs`
- `src/Scanner/StellaOps.Scanner.Worker/Determinism/FidelityMetricsService.cs`
- `src/Scanner/StellaOps.Scanner.Worker/Determinism/Calculators/`
- `src/Telemetry/StellaOps.Telemetry.Core/FidelityMetricsTelemetry.cs`
- `src/Telemetry/StellaOps.Telemetry.Core/FidelitySloAlertingService.cs`

251
docs/benchmarks/ground-truth-corpus.md Normal file
View File

@@ -0,0 +1,251 @@
# Ground-Truth Corpus Specification
> **Version**: 1.0.0
> **Last Updated**: 2025-12-17
> **Source Advisory**: 16-Dec-2025 - Building a Deeper Moat Beyond Reachability
This document specifies the ground-truth corpus for benchmarking StellaOps' binary-only reachability analysis and deterministic scoring.
---
## Overview
A ground-truth corpus is a curated set of binaries with **known** reachable and unreachable vulnerable sinks. It enables:
- Precision/recall measurement for reachability claims
- Regression detection in CI
- Deterministic replay validation
---
## Corpus Structure
### Sample Requirements
Each sample binary must include:
- **Manifest file**: `sample.manifest.json` with ground-truth annotations
- **Binary file**: The target executable (ELF/PE/Mach-O)
- **Source (optional)**: Original source for reproducibility verification
### Manifest Schema
```json
{
"$schema": "https://stellaops.io/schemas/corpus-sample.v1.json",
"sampleId": "gt-0001",
"name": "vulnerable-sink-reachable-from-main",
"format": "elf64",
"arch": "x86_64",
"compiler": "gcc-13.2",
"compilerFlags": ["-O2", "-fPIE"],
"stripped": false,
"obfuscation": "none",
"pie": true,
"cfi": false,
"sinks": [
{
"sinkId": "sink-001",
"signature": "vulnerable_function(char*)",
"address": "0x401234",
"cveId": "CVE-2024-XXXXX",
"expected": "reachable",
"expectedPaths": [
["main", "process_input", "parse_data", "vulnerable_function"]
],
"expectedUnreachableReasons": null
},
{
"sinkId": "sink-002",
"signature": "dead_code_vulnerable()",
"address": "0x402000",
"cveId": "CVE-2024-YYYYY",
"expected": "unreachable",
"expectedPaths": null,
"expectedUnreachableReasons": ["no-caller", "dead-code-elimination"]
}
],
"entrypoints": [
{"name": "main", "address": "0x401000"},
{"name": "_start", "address": "0x400ff0"}
],
"metadata": {
"createdAt": "2025-12-17T00:00:00Z",
"author": "StellaOps QA Guild",
"notes": "Basic reachability test with one true positive and one true negative"
}
}
```
---
## Starter Corpus (20 Samples)
### Category A: Reachable Sinks (10 samples)
| ID | Description | Format | Stripped | Obfuscation | Expected |
|----|-------------|--------|----------|-------------|----------|
| gt-0001 | Direct call from main | ELF64 | No | None | Reachable |
| gt-0002 | Indirect call via function pointer | ELF64 | No | None | Reachable |
| gt-0003 | Reachable through PLT/GOT | ELF64 | No | None | Reachable |
| gt-0004 | Reachable via vtable dispatch | ELF64 | No | None | Reachable |
| gt-0005 | Reachable with stripped symbols | ELF64 | Yes | None | Reachable |
| gt-0006 | Reachable with partial obfuscation | ELF64 | No | Control-flow | Reachable |
| gt-0007 | Reachable in PIE binary | ELF64 | No | None | Reachable |
| gt-0008 | Reachable in ASLR context | ELF64 | No | None | Reachable |
| gt-0009 | Reachable through shared library | ELF64 | No | None | Reachable |
| gt-0010 | Reachable via callback registration | ELF64 | No | None | Reachable |
### Category B: Unreachable Sinks (10 samples)
| ID | Description | Format | Stripped | Obfuscation | Expected Reason |
|----|-------------|--------|----------|-------------|-----------------|
| gt-0011 | Dead code (never called) | ELF64 | No | None | no-caller |
| gt-0012 | Guarded by impossible condition | ELF64 | No | None | dead-branch |
| gt-0013 | Linked but not used | ELF64 | No | None | unused-import |
| gt-0014 | Behind disabled feature flag | ELF64 | No | None | config-disabled |
| gt-0015 | Requires privilege escalation | ELF64 | No | None | privilege-gate |
| gt-0016 | Behind authentication check | ELF64 | No | None | auth-gate |
| gt-0017 | Unreachable with CFI enabled | ELF64 | No | None | cfi-prevented |
| gt-0018 | Optimized away by compiler | ELF64 | No | None | dce-eliminated |
| gt-0019 | In unreachable exception handler | ELF64 | No | None | exception-only |
| gt-0020 | Test-only code not in production | ELF64 | No | None | test-code-only |
---
## Metrics
### Primary Metrics
| Metric | Definition | Target |
|--------|------------|--------|
| **Precision** | TP / (TP + FP) | ≥ 95% |
| **Recall** | TP / (TP + FN) | ≥ 90% |
| **F1 Score** | 2 × (Precision × Recall) / (Precision + Recall) | ≥ 92% |
| **TTFRP** | Time-to-First-Reachable-Path (ms) | p95 < 500ms |
| **Deterministic Replay** | Identical proofs across runs | 100% |
### Regression Gates
CI gates that **fail the build**:
- Precision drops > 1.0 percentage point vs baseline
- Recall drops > 1.0 percentage point vs baseline
- Deterministic replay drops below 100%
- TTFRP p95 increases > 20% vs baseline
---
## CI Integration
### Benchmark Job
```yaml
# .gitea/workflows/reachability-bench.yaml
name: Reachability Benchmark
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 2 * * *' # Nightly
jobs:
benchmark:
runs-on: self-hosted
steps:
- uses: actions/checkout@v4
- name: Run corpus benchmark
run: |
stellaops bench run \
--corpus datasets/reachability/ground-truth/ \
--output bench/results/$(date +%Y%m%d).json \
--baseline bench/baselines/current.json
- name: Check regression gates
run: |
stellaops bench check \
--results bench/results/$(date +%Y%m%d).json \
--baseline bench/baselines/current.json \
--precision-threshold 0.95 \
--recall-threshold 0.90 \
--determinism-threshold 1.0
- name: Post results to PR
if: github.event_name == 'pull_request'
run: |
stellaops bench report \
--results bench/results/$(date +%Y%m%d).json \
--baseline bench/baselines/current.json \
--format markdown > bench-report.md
# Post to PR via API
```
### Result Schema
```json
{
"runId": "bench-20251217-001",
"timestamp": "2025-12-17T02:00:00Z",
"corpusVersion": "1.0.0",
"scannerVersion": "1.3.0",
"metrics": {
"precision": 0.96,
"recall": 0.91,
"f1": 0.935,
"ttfrp_p50_ms": 120,
"ttfrp_p95_ms": 380,
"deterministicReplay": 1.0
},
"samples": [
{
"sampleId": "gt-0001",
"sinkId": "sink-001",
"expected": "reachable",
"actual": "reachable",
"pathFound": ["main", "process_input", "parse_data", "vulnerable_function"],
"proofHash": "sha256:abc123...",
"ttfrpMs": 95
}
],
"regressions": [],
"improvements": []
}
```
---
## Corpus Maintenance
### Adding New Samples
1. Create sample binary with known sink reachability
2. Write `sample.manifest.json` with ground-truth annotations
3. Place in `datasets/reachability/ground-truth/{category}/`
4. Update corpus version in `datasets/reachability/corpus.json`
5. Run baseline update: `stellaops bench baseline update`
### Updating Baselines
When scanner improvements are validated:
```bash
stellaops bench baseline update \
--results bench/results/latest.json \
--output bench/baselines/current.json
```
### Sample Categories
- `basic/` — Simple direct call chains
- `indirect/` — Function pointers, vtables, callbacks
- `stripped/` — Symbol-stripped binaries
- `obfuscated/` — Control-flow obfuscation, packing
- `guarded/` — Config/auth/privilege guards
- `multiarch/` — ARM64, x86, RISC-V variants
---
## Related Documentation
- [Reachability Analysis Technical Reference](../product-advisories/14-Dec-2025%20-%20Reachability%20Analysis%20Technical%20Reference.md)
- [Determinism and Reproducibility Technical Reference](../product-advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md)
- [Scanner Benchmark Submission Guide](submission-guide.md)

355
docs/benchmarks/performance-baselines.md Normal file
View File

@@ -0,0 +1,355 @@
# Performance Baselines
## Overview
This document defines performance baselines for StellaOps scanner operations. All metrics are measured against reference images and workloads to ensure consistent, reproducible benchmarks.
**Last Updated:** 2025-12-14
**Next Review:** 2026-03-14
---
## Reference Images
Standard images used for performance benchmarking:
| Image | Size | Components | Expected Vulns | Category |
|-------|------|------------|----------------|----------|
| `alpine:3.19` | 7MB | ~15 | ~5 | Minimal |
| `debian:12-slim` | 75MB | ~90 | ~40 | Minimal |
| `ubuntu:22.04` | 77MB | ~100 | ~50 | Standard |
| `node:20-alpine` | 180MB | ~200 | ~100 | Application |
| `python:3.12` | 1GB | ~300 | ~150 | Application |
| `mcr.microsoft.com/dotnet/aspnet:8.0` | 220MB | ~150 | ~75 | Application |
| `nginx:1.25` | 190MB | ~120 | ~60 | Application |
| `postgres:16-alpine` | 240MB | ~140 | ~70 | Database |
---
## Scan Performance Targets
### Container Image Scanning
| Image Category | P50 Time | P95 Time | Max Memory | CPU Cores |
|---------------|----------|----------|------------|-----------|
| Minimal (<100MB) | < 5s | < 10s | < 256MB | 1 |
| Standard (100-500MB) | < 15s | < 30s | < 512MB | 2 |
| Large (500MB-2GB) | < 45s | < 90s | < 1.5GB | 2 |
| Very Large (>2GB) | < 120s | < 240s | < 2GB | 4 |
### Per-Image Targets
| Image | P50 Time | P95 Time | Max Memory |
|-------|----------|----------|------------|
| alpine:3.19 | < 3s | < 8s | < 200MB |
| debian:12-slim | < 8s | < 15s | < 300MB |
| ubuntu:22.04 | < 10s | < 20s | < 400MB |
| node:20-alpine | < 20s | < 40s | < 600MB |
| python:3.12 | < 35s | < 70s | < 1.2GB |
| dotnet/aspnet:8.0 | < 25s | < 50s | < 800MB |
| nginx:1.25 | < 18s | < 35s | < 500MB |
| postgres:16-alpine | < 22s | < 45s | < 600MB |
---
## Reachability Analysis Targets
### By Codebase Size
| Codebase Size | P50 Time | P95 Time | Memory | Notes |
|---------------|----------|----------|--------|-------|
| Tiny (<5k LOC) | < 10s | < 20s | < 256MB | Single service |
| Small (5-20k LOC) | < 30s | < 60s | < 512MB | Small service |
| Medium (20-50k LOC) | < 2min | < 4min | < 1GB | Typical microservice |
| Large (50-100k LOC) | < 5min | < 10min | < 2GB | Large service |
| Very Large (100-500k LOC) | < 15min | < 30min | < 4GB | Monolith |
| Monorepo (>500k LOC) | < 45min | < 90min | < 8GB | Enterprise monorepo |
### By Language
| Language | Relative Speed | Notes |
|----------|---------------|-------|
| Go | 1.0x (baseline) | Fast due to simple module system |
| Java | 1.2x | Maven/Gradle resolution adds overhead |
| C# | 1.3x | MSBuild/NuGet resolution |
| TypeScript | 1.5x | npm/yarn resolution, complex imports |
| Python | 1.8x | Virtual env resolution, dynamic imports |
| JavaScript | 2.0x | Complex bundler configurations |
---
## SBOM Generation Targets
| Format | P50 Time | P95 Time | Output Size | Notes |
|--------|----------|----------|-------------|-------|
| CycloneDX 1.6 (JSON) | < 1s | < 3s | ~50KB/100 components | Standard |
| CycloneDX 1.6 (XML) | < 1.5s | < 4s | ~80KB/100 components | Verbose |
| SPDX 3.0.1 (JSON) | < 1s | < 3s | ~60KB/100 components | Standard |
| SPDX 3.0.1 (Tag-Value) | < 1.2s | < 3.5s | ~70KB/100 components | Legacy format |
### Combined Operations
| Operation | P50 Time | P95 Time |
|-----------|----------|----------|
| Scan + SBOM | scan_time + 1s | scan_time + 3s |
| Scan + SBOM + Reachability | scan_time + reach_time + 2s | scan_time + reach_time + 5s |
| Full attestation pipeline | total_time + 2s | total_time + 5s |
---
## VEX Processing Targets
| Operation | P50 Time | P95 Time | Notes |
|-----------|----------|----------|-------|
| VEX document parsing | < 50ms | < 150ms | Per document |
| Lattice state computation | < 100ms | < 300ms | Per 100 vulnerabilities |
| VEX consensus merge | < 200ms | < 500ms | 3-5 sources |
| State transition | < 10ms | < 30ms | Single transition |
---
## CVSS Scoring Targets
| Operation | P50 Time | P95 Time | Notes |
|-----------|----------|----------|-------|
| MacroVector lookup | < 1μs | < 5μs | Dictionary lookup |
| CVSS v4.0 base score | < 10μs | < 50μs | Full computation |
| CVSS v4.0 full score | < 20μs | < 100μs | Base + threat + env |
| Vector parsing | < 5μs | < 20μs | String parsing |
| Receipt generation | < 100μs | < 500μs | Includes hashing |
| Batch scoring (100 vulns) | < 5ms | < 15ms | Parallel processing |
---
## Attestation Targets
| Operation | P50 Time | P95 Time | Notes |
|-----------|----------|----------|-------|
| DSSE envelope creation | < 50ms | < 150ms | Includes signing |
| DSSE verification | < 30ms | < 100ms | Signature check |
| Rekor submission | < 500ms | < 2s | Network dependent |
| Rekor verification | < 300ms | < 1s | Network dependent |
| in-toto predicate | < 20ms | < 80ms | JSON serialization |
---
## Database Operation Targets
| Operation | P50 Time | P95 Time | Notes |
|-----------|----------|----------|-------|
| Receipt insert | < 5ms | < 20ms | Single record |
| Receipt query (by ID) | < 2ms | < 10ms | Indexed lookup |
| Receipt query (by tenant) | < 10ms | < 50ms | Index scan |
| EPSS lookup (single) | < 1ms | < 5ms | Indexed |
| EPSS lookup (batch 100) | < 10ms | < 50ms | Batch query |
| Risk score insert | < 5ms | < 20ms | Single record |
| Risk score update | < 3ms | < 15ms | Single record |
---
## Regression Thresholds
Performance regression is detected when metrics exceed these thresholds compared to baseline:
| Metric | Warning Threshold | Blocking Threshold | Action |
|--------|------------------|-------------------|--------|
| P50 Time | > 15% increase | > 25% increase | Block release |
| P95 Time | > 20% increase | > 35% increase | Block release |
| Memory Usage | > 20% increase | > 30% increase | Block release |
| CPU Time | > 15% increase | > 25% increase | Investigate |
| Throughput | > 10% decrease | > 20% decrease | Block release |
### Regression Detection Rules
1. **Warning**: Alert engineering team, add to release notes
2. **Blocking**: Cannot merge/release until resolved or waived
3. **Waiver**: Requires documented justification and SME approval
---
## Measurement Methodology
### Environment Setup
```bash
# Standard test environment
# - CPU: 8 cores (x86_64)
# - Memory: 16GB RAM
# - Storage: NVMe SSD
# - OS: Ubuntu 22.04 LTS
# - Docker: 24.x
# Clear caches before cold start tests
docker system prune -af
sync && echo 3 > /proc/sys/vm/drop_caches
```
### Scan Performance
```bash
# Cold start measurement
time stellaops scan --image alpine:3.19 --format json > /dev/null
# Warm cache measurement (run 3x, take average)
for i in {1..3}; do
time stellaops scan --image alpine:3.19 --format json > /dev/null
done
# Memory profiling
/usr/bin/time -v stellaops scan --image alpine:3.19 --format json 2>&1 | \
grep "Maximum resident set size"
# CPU profiling
perf stat stellaops scan --image alpine:3.19 --format json > /dev/null
```
### Reachability Analysis
```bash
# Time measurement
time stellaops reach --project ./src --language csharp --out reach.json
# Memory profiling
/usr/bin/time -v stellaops reach --project ./src --language csharp --out reach.json 2>&1
# With detailed timing
stellaops reach --project ./src --language csharp --out reach.json --timing
```
### SBOM Generation
```bash
# Time measurement
time stellaops sbom --image node:20-alpine --format cyclonedx --out sbom.json
# Output size
stellaops sbom --image node:20-alpine --format cyclonedx --out sbom.json && \
ls -lh sbom.json
```
### Batch Operations
```bash
# Process multiple images in parallel
time stellaops scan --images images.txt --parallel 4 --format json --out-dir ./results
# Throughput test (images per minute)
START=$(date +%s)
for i in {1..10}; do
stellaops scan --image alpine:3.19 --format json > /dev/null
done
END=$(date +%s)
echo "Throughput: $(( 10 * 60 / (END - START) )) images/minute"
```
---
## CI Integration
### Benchmark Workflow
```yaml
# .gitea/workflows/performance-benchmark.yml
name: Performance Benchmark
on:
pull_request:
branches: [main]
schedule:
- cron: '0 2 * * 1' # Weekly Monday 2am
jobs:
benchmark:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run benchmarks
run: make benchmark-performance
- name: Check for regressions
run: |
stellaops benchmark compare \
--baseline results/baseline.json \
--current results/current.json \
--threshold-p50 0.15 \
--threshold-p95 0.20 \
--threshold-memory 0.20 \
--fail-on-regression
- name: Upload results
uses: actions/upload-artifact@v4
with:
name: benchmark-results
path: results/
```
### Local Testing
```bash
# Run full benchmark suite
make benchmark-performance
# Run specific image benchmark
make benchmark-image IMAGE=alpine:3.19
# Generate baseline
make benchmark-baseline
# Compare against baseline
make benchmark-compare
```
---
## Optimization Guidelines
### For Scan Performance
1. **Pre-pull images** for consistent timing
2. **Use layered caching** for repeat scans
3. **Enable parallel analysis** for multi-ecosystem images
4. **Consider selective scanning** for known-safe layers
### For Reachability
1. **Incremental analysis** for unchanged files
2. **Cache resolved dependencies**
3. **Use language-specific optimizations** (e.g., Roslyn for C#)
4. **Limit call graph depth** for very large codebases
### For Memory
1. **Stream large SBOMs** instead of loading fully
2. **Use batched database operations**
3. **Release intermediate data structures early**
4. **Configure GC appropriately for workload**
---
## Historical Baselines
### Version History
| Version | Date | P50 Scan (alpine) | P50 Reach (50k LOC) | Notes |
|---------|------|-------------------|---------------------|-------|
| 1.3.0 | 2025-12-14 | TBD | TBD | Current |
| 1.2.0 | 2025-09-01 | TBD | TBD | Previous |
| 1.1.0 | 2025-06-01 | TBD | TBD | Baseline |
### Improvement Targets
| Quarter | Focus Area | Target | Status |
|---------|------------|--------|--------|
| Q1 2026 | Scan cold start | -20% | Planned |
| Q1 2026 | Reachability memory | -15% | Planned |
| Q2 2026 | SBOM generation | -10% | Planned |
---
## References
- [Accuracy Metrics Framework](accuracy-metrics-framework.md)
- [Benchmark Submission Guide](submission-guide.md) (pending)
- [Scanner Architecture](../modules/scanner/architecture.md)
- [Reachability Module](../modules/scanner/reachability.md)

20
docs/benchmarks/scanner-feature-comparison-grype.md
View File

@@ -2,6 +2,24 @@
_Reference snapshot: Grype commit `6e746a546ecca3e2456316551673357e4a166d77` cloned 2025-11-02._ _Reference snapshot: Grype commit `6e746a546ecca3e2456316551673357e4a166d77` cloned 2025-11-02._
## Verification Metadata
| Field | Value |
|-------|-------|
| **Last Updated** | 2025-12-15 |
| **Last Verified** | 2025-12-14 |
| **Next Review** | 2026-03-14 |
| **Claims Index** | [`docs/market/claims-citation-index.md`](../market/claims-citation-index.md) |
| **Claim IDs** | COMP-GRYPE-001, COMP-GRYPE-002, COMP-GRYPE-003 |
| **Verification Method** | Source code audit (OSS), documentation review, feature testing |
**Confidence Levels:**
- **High (80-100%)**: Verified against source code or authoritative documentation
- **Medium (50-80%)**: Based on documentation or limited testing; needs deeper verification
- **Low (<50%)**: Unverified or based on indirect evidence; requires validation
---
## TL;DR ## TL;DR
- StellaOps runs as a multi-service platform with deterministic SBOM generation, attestation (DSSE + Rekor), and tenant-aware controls, whereas Grype is a single Go CLI that leans on Syft to build SBOMs before vulnerability matching.[1](#sources)[g1](#grype-sources) - StellaOps runs as a multi-service platform with deterministic SBOM generation, attestation (DSSE + Rekor), and tenant-aware controls, whereas Grype is a single Go CLI that leans on Syft to build SBOMs before vulnerability matching.[1](#sources)[g1](#grype-sources)
- Grype covers a broad OS and language matrix via Syft catalogers and Anchores aggregated vulnerability database, but it lacks attestation, runtime usage context, and secret management features found in StellaOps Surface/Policy ecosystem.[1](#sources)[g2](#grype-sources)[g3](#grype-sources) - Grype covers a broad OS and language matrix via Syft catalogers and Anchores aggregated vulnerability database, but it lacks attestation, runtime usage context, and secret management features found in StellaOps Surface/Policy ecosystem.[1](#sources)[g2](#grype-sources)[g3](#grype-sources)
@@ -11,7 +29,7 @@ _Reference snapshot: Grype commit `6e746a546ecca3e2456316551673357e4a166d77` clo
| Dimension | StellaOps Scanner | Grype | | Dimension | StellaOps Scanner | Grype |
| --- | --- | --- | | --- | --- | --- |
| Architecture & deployment | WebService + Worker services, queue backbones, RustFS/S3 artifact store, Mongo catalog, Authority-issued OpToks, Surface libraries, restart-only analyzers.[1](#sources)[3](#sources)[4](#sources)[5](#sources) | Go CLI that invokes Syft to construct an SBOM from images/filesystems and feeds Syfts packages into Anchore matchers; optional SBOM ingest via `syft`/`sbom` inputs.[g1](#grype-sources) | | Architecture & deployment | WebService + Worker services, queue backbones, RustFS/S3 artifact store, PostgreSQL catalog, Authority-issued OpToks, Surface libraries, restart-only analyzers.[1](#sources)[3](#sources)[4](#sources)[5](#sources) | Go CLI that invokes Syft to construct an SBOM from images/filesystems and feeds Syft's packages into Anchore matchers; optional SBOM ingest via `syft`/`sbom` inputs.[g1](#grype-sources) |
| Scan targets & coverage | Container images & filesystem captures; analyzers for APK/DPKG/RPM, Java/Node/Python/Go/.NET/Rust, native ELF, EntryTrace usage graph (PE/Mach-O roadmap).[1](#sources) | Images, directories, archives, and SBOMs; OS feeds include Alpine, Ubuntu, RHEL, SUSE, Wolfi, etc., and language support spans Ruby, Java, JavaScript, Python, .NET, Go, PHP, Rust.[g2](#grype-sources) | | Scan targets & coverage | Container images & filesystem captures; analyzers for APK/DPKG/RPM, Java/Node/Python/Go/.NET/Rust, native ELF, EntryTrace usage graph (PE/Mach-O roadmap).[1](#sources) | Images, directories, archives, and SBOMs; OS feeds include Alpine, Ubuntu, RHEL, SUSE, Wolfi, etc., and language support spans Ruby, Java, JavaScript, Python, .NET, Go, PHP, Rust.[g2](#grype-sources) |
| Evidence & outputs | CycloneDX JSON/Protobuf, SPDX 3.0.1, deterministic diffs, BOM-index sidecar, explain traces, DSSE-ready report metadata.[1](#sources)[2](#sources) | Outputs table, JSON, CycloneDX (XML/JSON), SARIF, and templated formats; evidence tied to Syft SBOM and JSON report (no deterministic replay artifacts).[g4](#grype-sources) | | Evidence & outputs | CycloneDX JSON/Protobuf, SPDX 3.0.1, deterministic diffs, BOM-index sidecar, explain traces, DSSE-ready report metadata.[1](#sources)[2](#sources) | Outputs table, JSON, CycloneDX (XML/JSON), SARIF, and templated formats; evidence tied to Syft SBOM and JSON report (no deterministic replay artifacts).[g4](#grype-sources) |
| Attestation & supply chain | DSSE signing via Signer Attestor Rekor v2, OpenVEX-first modelling, policy overlays, provenance digests.[1](#sources) | Supports ingesting OpenVEX for filtering but ships no signing/attestation workflow; relies on external tooling for provenance.[g2](#grype-sources) | | Attestation & supply chain | DSSE signing via Signer Attestor Rekor v2, OpenVEX-first modelling, policy overlays, provenance digests.[1](#sources) | Supports ingesting OpenVEX for filtering but ships no signing/attestation workflow; relies on external tooling for provenance.[g2](#grype-sources) |

20
docs/benchmarks/scanner-feature-comparison-snyk.md
View File

@@ -2,6 +2,24 @@
_Reference snapshot: Snyk CLI commit `7ae3b11642d143b588016d4daef0a6ddaddb792b` cloned 2025-11-02._ _Reference snapshot: Snyk CLI commit `7ae3b11642d143b588016d4daef0a6ddaddb792b` cloned 2025-11-02._
## Verification Metadata
| Field | Value |
|-------|-------|
| **Last Updated** | 2025-12-15 |
| **Last Verified** | 2025-12-14 |
| **Next Review** | 2026-03-14 |
| **Claims Index** | [`docs/market/claims-citation-index.md`](../market/claims-citation-index.md) |
| **Claim IDs** | COMP-SNYK-001, COMP-SNYK-002, COMP-SNYK-003 |
| **Verification Method** | Source code audit (OSS), documentation review, feature testing |
**Confidence Levels:**
- **High (80-100%)**: Verified against source code or authoritative documentation
- **Medium (50-80%)**: Based on documentation or limited testing; needs deeper verification
- **Low (<50%)**: Unverified or based on indirect evidence; requires validation
---
## TL;DR ## TL;DR
- StellaOps delivers a self-hosted, multi-service scanning plane with deterministic SBOMs, attestation (DSSE + Rekor), and tenant-aware Surface controls, while the Snyk CLI is a Node.js tool that authenticates against Snyks SaaS to analyse dependency graphs, containers, IaC, and code.[1](#sources)[s1](#snyk-sources) - StellaOps delivers a self-hosted, multi-service scanning plane with deterministic SBOMs, attestation (DSSE + Rekor), and tenant-aware Surface controls, while the Snyk CLI is a Node.js tool that authenticates against Snyks SaaS to analyse dependency graphs, containers, IaC, and code.[1](#sources)[s1](#snyk-sources)
- Snyks plugin ecosystem covers many package managers (npm, yarn, pnpm, Maven, Gradle, NuGet, Go modules, Composer, etc.) and routes scans through Snyks cloud for policy, reporting, and fix advice; however it lacks offline operation, deterministic evidence, and attestation workflows that StellaOps provides out of the box.[1](#sources)[s1](#snyk-sources)[s2](#snyk-sources) - Snyks plugin ecosystem covers many package managers (npm, yarn, pnpm, Maven, Gradle, NuGet, Go modules, Composer, etc.) and routes scans through Snyks cloud for policy, reporting, and fix advice; however it lacks offline operation, deterministic evidence, and attestation workflows that StellaOps provides out of the box.[1](#sources)[s1](#snyk-sources)[s2](#snyk-sources)
@@ -11,7 +29,7 @@ _Reference snapshot: Snyk CLI commit `7ae3b11642d143b588016d4daef0a6ddaddb792b`
| Dimension | StellaOps Scanner | Snyk CLI | | Dimension | StellaOps Scanner | Snyk CLI |
| --- | --- | --- | | --- | --- | --- |
| Architecture & deployment | WebService + Worker services, queue backbone, RustFS/S3 artifact store, Mongo catalog, Authority-issued OpToks, Surface libs, restart-only analyzers.[1](#sources)[3](#sources)[4](#sources)[5](#sources) | Node.js CLI; users authenticate (`snyk auth`) and run commands (`snyk test`, `snyk monitor`, `snyk container test`) that upload project metadata to Snyks SaaS for analysis.[s2](#snyk-sources) | | Architecture & deployment | WebService + Worker services, queue backbone, RustFS/S3 artifact store, PostgreSQL catalog, Authority-issued OpToks, Surface libs, restart-only analyzers.[1](#sources)[3](#sources)[4](#sources)[5](#sources) | Node.js CLI; users authenticate (`snyk auth`) and run commands (`snyk test`, `snyk monitor`, `snyk container test`) that upload project metadata to Snyk's SaaS for analysis.[s2](#snyk-sources) |
| Scan targets & coverage | Container images/filesystems, analyzers for APK/DPKG/RPM, Java/Node/Python/Go/.NET/Rust, native ELF, EntryTrace usage graph.[1](#sources) | Supports Snyk Open Source, Container, Code (SAST), and IaC; plugin loader dispatches npm/yarn/pnpm, Maven/Gradle/SBT, pip/poetry, Go modules, NuGet/Paket, Composer, CocoaPods, Hex, SwiftPM.[s1](#snyk-sources)[s2](#snyk-sources) | | Scan targets & coverage | Container images/filesystems, analyzers for APK/DPKG/RPM, Java/Node/Python/Go/.NET/Rust, native ELF, EntryTrace usage graph.[1](#sources) | Supports Snyk Open Source, Container, Code (SAST), and IaC; plugin loader dispatches npm/yarn/pnpm, Maven/Gradle/SBT, pip/poetry, Go modules, NuGet/Paket, Composer, CocoaPods, Hex, SwiftPM.[s1](#snyk-sources)[s2](#snyk-sources) |
| Evidence & outputs | CycloneDX JSON/Protobuf, SPDX 3.0.1, deterministic diffs, BOM-index sidecar, explain traces, DSSE-ready report metadata.[1](#sources)[2](#sources) | CLI prints human-readable tables and supports JSON/SARIF outputs for Snyk Open Source/Snyk Code; results originate from cloud analysis, not deterministic SBOM fragments.[s3](#snyk-sources) | | Evidence & outputs | CycloneDX JSON/Protobuf, SPDX 3.0.1, deterministic diffs, BOM-index sidecar, explain traces, DSSE-ready report metadata.[1](#sources)[2](#sources) | CLI prints human-readable tables and supports JSON/SARIF outputs for Snyk Open Source/Snyk Code; results originate from cloud analysis, not deterministic SBOM fragments.[s3](#snyk-sources) |
| Attestation & supply chain | DSSE signing via Signer Attestor Rekor v2, OpenVEX-first modelling, policy overlays, provenance digests.[1](#sources) | No DSSE/attestation workflow; remediation guidance and monitors live in Snyk SaaS.[s2](#snyk-sources) | | Attestation & supply chain | DSSE signing via Signer Attestor Rekor v2, OpenVEX-first modelling, policy overlays, provenance digests.[1](#sources) | No DSSE/attestation workflow; remediation guidance and monitors live in Snyk SaaS.[s2](#snyk-sources) |

20
docs/benchmarks/scanner-feature-comparison-trivy.md
View File

@@ -2,6 +2,24 @@
_Reference snapshot: Trivy commit `012f3d75359e019df1eb2602460146d43cb59715`, cloned 2025-11-02._ _Reference snapshot: Trivy commit `012f3d75359e019df1eb2602460146d43cb59715`, cloned 2025-11-02._
## Verification Metadata
| Field | Value |
|-------|-------|
| **Last Updated** | 2025-12-15 |
| **Last Verified** | 2025-12-14 |
| **Next Review** | 2026-03-14 |
| **Claims Index** | [`docs/market/claims-citation-index.md`](../market/claims-citation-index.md) |
| **Claim IDs** | COMP-TRIVY-001, COMP-TRIVY-002, COMP-TRIVY-003 |
| **Verification Method** | Source code audit (OSS), documentation review, feature testing |
**Confidence Levels:**
- **High (80-100%)**: Verified against source code or authoritative documentation
- **Medium (50-80%)**: Based on documentation or limited testing; needs deeper verification
- **Low (<50%)**: Unverified or based on indirect evidence; requires validation
---
## TL;DR ## TL;DR
- StellaOps Scanner stays focused on deterministic, tenant-scoped SBOM production with signed evidence, policy hand-offs, and Surface primitives that keep offline deployments first-class.[1](#sources) - StellaOps Scanner stays focused on deterministic, tenant-scoped SBOM production with signed evidence, policy hand-offs, and Surface primitives that keep offline deployments first-class.[1](#sources)
- Trivy delivers broad, single-binary coverage (images, filesystems, repos, VMs, Kubernetes, SBOM input) with multiple scanners (vuln, misconfig, secret, license) and a rich plugin ecosystem, but it leaves provenance, signing, and multi-tenant controls to downstream tooling.[8](#sources) - Trivy delivers broad, single-binary coverage (images, filesystems, repos, VMs, Kubernetes, SBOM input) with multiple scanners (vuln, misconfig, secret, license) and a rich plugin ecosystem, but it leaves provenance, signing, and multi-tenant controls to downstream tooling.[8](#sources)
@@ -11,7 +29,7 @@ _Reference snapshot: Trivy commit `012f3d75359e019df1eb2602460146d43cb59715`, cl
| Dimension | StellaOps Scanner | Trivy | | Dimension | StellaOps Scanner | Trivy |
| --- | --- | --- | | --- | --- | --- |
| Architecture & deployment | WebService + Worker services with queue abstraction (Redis Streams/NATS), RustFS/S3 artifact store, Mongo catalog, Authority-issued DPoP tokens, Surface.* libraries for env/fs/secrets, restart-only analyzer plugins.[1](#sources)[3](#sources)[4](#sources)[5](#sources) | Single Go binary CLI with optional server that centralises vulnerability DB updates; client/server mode streams scan queries while misconfig/secret scanning stays client-side; relies on local cache directories.[8](#sources)[15](#sources) | | Architecture & deployment | WebService + Worker services with queue abstraction (Redis Streams/NATS), RustFS/S3 artifact store, PostgreSQL catalog, Authority-issued DPoP tokens, Surface.* libraries for env/fs/secrets, restart-only analyzer plugins.[1](#sources)[3](#sources)[4](#sources)[5](#sources) | Single Go binary CLI with optional server that centralises vulnerability DB updates; client/server mode streams scan queries while misconfig/secret scanning stays client-side; relies on local cache directories.[8](#sources)[15](#sources) |
| Scan targets & coverage | Container images & filesystem snapshots; analyser families:<br>• OS: APK, DPKG, RPM with layer fragments.<br>• Languages: Java, Node, Python, Go, .NET, Rust (installed metadata only).<br>• Native: ELF today (PE/Mach-O M2 roadmap).<br>• EntryTrace usage graph for runtime focus.<br>Outputs paired inventory/usage SBOMs plus BOM-index sidecar; no direct repo/VM/K8s scanning.[1](#sources) | Container images, rootfs, local filesystems, git repositories, VM images, Kubernetes clusters, and standalone SBOMs. Language portfolio spans Ruby, Python, PHP, Node.js, .NET, Java, Go, Rust, C/C++, Elixir, Dart, Swift, Julia across pre/post-build contexts. OS coverage includes Alpine, RHEL/Alma/Rocky, Debian/Ubuntu, SUSE, Amazon, Bottlerocket, etc. Secret and misconfiguration scanners run alongside vulnerability analysis.[8](#sources)[9](#sources)[10](#sources)[18](#sources)[19](#sources) | | Scan targets & coverage | Container images & filesystem snapshots; analyser families:<br>• OS: APK, DPKG, RPM with layer fragments.<br>• Languages: Java, Node, Python, Go, .NET, Rust (installed metadata only).<br>• Native: ELF today (PE/Mach-O M2 roadmap).<br>• EntryTrace usage graph for runtime focus.<br>Outputs paired inventory/usage SBOMs plus BOM-index sidecar; no direct repo/VM/K8s scanning.[1](#sources) | Container images, rootfs, local filesystems, git repositories, VM images, Kubernetes clusters, and standalone SBOMs. Language portfolio spans Ruby, Python, PHP, Node.js, .NET, Java, Go, Rust, C/C++, Elixir, Dart, Swift, Julia across pre/post-build contexts. OS coverage includes Alpine, RHEL/Alma/Rocky, Debian/Ubuntu, SUSE, Amazon, Bottlerocket, etc. Secret and misconfiguration scanners run alongside vulnerability analysis.[8](#sources)[9](#sources)[10](#sources)[18](#sources)[19](#sources) |
| Evidence & outputs | CycloneDX (JSON + protobuf) and SPDX 3.0.1 exports, three-way diffs, DSSE-ready report metadata, BOM-index sidecar, deterministic manifests, explain traces for policy consumers.[1](#sources)[2](#sources) | Human-readable, JSON, CycloneDX, SPDX outputs; can both generate SBOMs and rescan existing SBOM artefacts; no built-in DSSE or attestation pipeline documented—signing left to external workflows.[8](#sources)[10](#sources) | | Evidence & outputs | CycloneDX (JSON + protobuf) and SPDX 3.0.1 exports, three-way diffs, DSSE-ready report metadata, BOM-index sidecar, deterministic manifests, explain traces for policy consumers.[1](#sources)[2](#sources) | Human-readable, JSON, CycloneDX, SPDX outputs; can both generate SBOMs and rescan existing SBOM artefacts; no built-in DSSE or attestation pipeline documented—signing left to external workflows.[8](#sources)[10](#sources) |
| Attestation & supply chain | DSSE signing via Signer → Attestor → Rekor v2, OpenVEX-first modelling, lattice logic for exploitability, provenance-bound digests, optional Rekor transparency, policy overlays.[1](#sources) | Experimental VEX repository consumption (`--vex repo`) pulling statements from VEX Hub or custom feeds; relies on external OCI registries for DB artefacts, but does not ship an attestation/signing workflow.[11](#sources)[14](#sources) | | Attestation & supply chain | DSSE signing via Signer → Attestor → Rekor v2, OpenVEX-first modelling, lattice logic for exploitability, provenance-bound digests, optional Rekor transparency, policy overlays.[1](#sources) | Experimental VEX repository consumption (`--vex repo`) pulling statements from VEX Hub or custom feeds; relies on external OCI registries for DB artefacts, but does not ship an attestation/signing workflow.[11](#sources)[14](#sources) |

150
docs/benchmarks/smart-diff-wii.md Normal file
View File

@@ -0,0 +1,150 @@
# Smart-Diff Weighted Impact Index (WII)
**Source Advisory:** `docs/product-advisories/unprocessed/16-Dec-2025 - SmartDiff Meets CallStack Reachability.md`
**Status:** Processed 2025-12-17
## Overview
The Weighted Impact Index (WII) is a composite score (0-100) that combines Smart-Diff semantic analysis with call-stack reachability to measure the runtime risk of code changes. It proves not just "what changed" but "how risky the change is in reachable code."
## Core Concepts
### Inputs
1. **Smart-Diff Output** - Semantic differences between artifact states
2. **Call Graph** - Symbol nodes with call edges
3. **Entrypoints** - HTTP routes, jobs, message handlers
4. **Runtime Heat** - pprof, APM, or eBPF execution frequency data
5. **Advisory Data** - CVSS v4, EPSS v4 scores
### WII Scoring Model
The WII uses 8 weighted features per diff unit:
| Feature | Weight | Description |
|---------|--------|-------------|
| `Δreach_len` | 0.25 | Change in shortest reachable path length |
| `Δlib_depth` | 0.10 | Change in library call depth |
| `exposure` | 0.15 | Public/external-facing API |
| `privilege` | 0.15 | Path crosses privileged sinks |
| `hot_path` | 0.15 | Frequently executed (runtime evidence) |
| `cvss_v4` | 0.10 | Normalized CVSS v4 severity |
| `epss_v4` | 0.10 | Exploit probability |
| `guard_coverage` | -0.10 | Sanitizers/validations reduce score |
### Determinism Bonus
When `reachability == true` AND (`cvss_v4 > 0.7` OR `epss_v4 > 0.5`), add +5 bonus for "evidence-linked determinism."
### Formula
```
WII = clamp(0, 1, Σ(w_i × feature_i_normalized)) × 100
```
## Data Structures
### DiffUnit
```json
{
"unitId": "pkg:npm/lodash@4.17.21#function:merge",
"change": "modified",
"before": {"hash": "sha256:abc...", "attrs": {}},
"after": {"hash": "sha256:def...", "attrs": {}},
"features": {
"reachable": true,
"reachLen": 3,
"libDepth": 2,
"exposure": true,
"privilege": false,
"hotPath": true,
"cvssV4": 0.75,
"epssV4": 0.45,
"guardCoverage": false
},
"wii": 68
}
```
### Artifact-Level WII
Two metrics for artifact-level impact:
- `max(WII_unit)` - Spike impact (single highest risk change)
- `p95(WII_unit)` - Broad impact (distribution of risk)
## DSSE Attestation
The WII is emitted as a DSSE-signed attestation:
```json
{
"_type": "https://in-toto.io/Statement/v1",
"subject": [{"name": "ghcr.io/acme/app:1.9.3", "digest": {"sha256": "..."}}],
"predicateType": "https://stella-ops.org/attestations/smart-diff-wii@v1",
"predicate": {
"artifactBefore": {"digest": {"sha256": "..."}},
"artifactAfter": {"digest": {"sha256": "..."}},
"evidence": {
"sbomBefore": {"digest": {"sha256": "..."}},
"sbomAfter": {"digest": {"sha256": "..."}},
"callGraph": {"digest": {"sha256": "..."}},
"runtimeHeat": {"optional": true, "digest": {"sha256": "..."}}
},
"units": [...],
"aggregateWII": {
"max": 85,
"p95": 62,
"mean": 45
}
}
}
```
## Pipeline Integration
1. **Collect** - Build call graph, import SBOMs, CVE/EPSS data
2. **Diff** - Run Smart-Diff to generate `DiffUnit[]`
3. **Enrich** - Query reachability engine per unit
4. **Score** - Compute per-unit and aggregate WII
5. **Attest** - Emit DSSE statement with evidence URIs
6. **Store** - Proof-Market Ledger (Rekor) + PostgreSQL
## Use Cases
### CI/CD Gates
```yaml
# .github/workflows/security.yml
- name: Smart-Diff WII Check
run: |
stellaops smart-diff \
--base ${{ env.BASE_IMAGE }} \
--target ${{ env.TARGET_IMAGE }} \
--wii-threshold 70 \
--fail-on-threshold
```
### Risk Prioritization
Sort changes by WII for review prioritization:
```bash
stellaops smart-diff show \
--sort wii \
--format table
```
### Attestation Verification
```bash
stellaops verify-attestation \
--input smart-diff-wii.json \
--predicate-type smart-diff-wii@v1
```
## Related Documentation
- [Smart-Diff CLI Reference](../cli/smart-diff-cli.md)
- [Reachability Analysis](./reachability-analysis.md)
- [DSSE Attestation Format](../api/dsse-format.md)

653
docs/benchmarks/submission-guide.md Normal file
View File

@@ -0,0 +1,653 @@
# Benchmark Submission Guide
**Last Updated:** 2025-12-14
**Next Review:** 2026-03-14
---
## Overview
StellaOps publishes benchmarks for:
- **Reachability Analysis** - Accuracy of static and runtime path detection
- **SBOM Completeness** - Component detection and version accuracy
- **Vulnerability Detection** - Precision, recall, and F1 scores
- **Scan Performance** - Time, memory, and CPU metrics
- **Determinism** - Reproducibility of scan outputs
This guide explains how to reproduce, validate, and submit benchmark results.
---
## 1. PREREQUISITES
### 1.1 System Requirements
| Requirement | Minimum | Recommended |
|-------------|---------|-------------|
| CPU | 4 cores | 8 cores |
| Memory | 8 GB | 16 GB |
| Storage | 50 GB SSD | 100 GB NVMe |
| OS | Ubuntu 22.04 LTS | Ubuntu 22.04 LTS |
| Docker | 24.x | 24.x |
| .NET | 10.0 | 10.0 |
### 1.2 Environment Setup
```bash
# Clone the repository
git clone https://git.stella-ops.org/stella-ops.org/git.stella-ops.org.git
cd git.stella-ops.org
# Install .NET 10 SDK
sudo apt-get update
sudo apt-get install -y dotnet-sdk-10.0
# Install Docker (if not present)
curl -fsSL https://get.docker.com | sh
# Install benchmark dependencies
sudo apt-get install -y \
jq \
b3sum \
hyperfine \
time
# Set determinism environment variables
export TZ=UTC
export LC_ALL=C
export STELLAOPS_DETERMINISM_SEED=42
export STELLAOPS_DETERMINISM_TIMESTAMP="2025-01-01T00:00:00Z"
```
### 1.3 Pull Reference Images
```bash
# Download standard benchmark images
make benchmark-pull-images
# Or manually:
docker pull alpine:3.19
docker pull debian:12-slim
docker pull ubuntu:22.04
docker pull node:20-alpine
docker pull python:3.12
docker pull mcr.microsoft.com/dotnet/aspnet:8.0
docker pull nginx:1.25
docker pull postgres:16-alpine
```
---
## 2. RUNNING BENCHMARKS
### 2.1 Full Benchmark Suite
```bash
# Run all benchmarks (takes ~30-60 minutes)
make benchmark-all
# Output: results/benchmark-all-$(date +%Y%m%d).json
```
### 2.2 Category-Specific Benchmarks
#### Reachability Benchmark
```bash
# Run reachability accuracy benchmarks
make benchmark-reachability
# With specific language filter
make benchmark-reachability LANG=csharp
# Output: results/reachability/benchmark-reachability-$(date +%Y%m%d).json
```
#### Performance Benchmark
```bash
# Run scan performance benchmarks
make benchmark-performance
# Single image
make benchmark-image IMAGE=alpine:3.19
# Output: results/performance/benchmark-performance-$(date +%Y%m%d).json
```
#### SBOM Benchmark
```bash
# Run SBOM completeness benchmarks
make benchmark-sbom
# Specific format
make benchmark-sbom FORMAT=cyclonedx
# Output: results/sbom/benchmark-sbom-$(date +%Y%m%d).json
```
#### Determinism Benchmark
```bash
# Run determinism verification
make benchmark-determinism
# Output: results/determinism/benchmark-determinism-$(date +%Y%m%d).json
```
### 2.3 CLI Benchmark Commands
```bash
# Performance timing with hyperfine (10 runs)
hyperfine --warmup 2 --runs 10 \
'stellaops scan --image alpine:3.19 --format json --output /dev/null'
# Memory profiling
/usr/bin/time -v stellaops scan --image alpine:3.19 --format json 2>&1 | \
grep "Maximum resident set size"
# CPU profiling (Linux)
perf stat stellaops scan --image alpine:3.19 --format json > /dev/null
# Determinism check (run twice, compare hashes)
stellaops scan --image alpine:3.19 --format json | sha256sum > run1.sha
stellaops scan --image alpine:3.19 --format json | sha256sum > run2.sha
diff run1.sha run2.sha && echo "DETERMINISTIC" || echo "NON-DETERMINISTIC"
```
---
## 3. OUTPUT FORMATS
### 3.1 Reachability Results Schema
```json
{
"benchmark": "reachability-v1",
"date": "2025-12-14T00:00:00Z",
"scanner_version": "1.3.0",
"scanner_commit": "abc123def",
"environment": {
"os": "ubuntu-22.04",
"arch": "amd64",
"cpu": "Intel Xeon E-2288G",
"memory_gb": 16
},
"summary": {
"total_samples": 200,
"precision": 0.92,
"recall": 0.87,
"f1": 0.894,
"false_positive_rate": 0.08,
"false_negative_rate": 0.13
},
"by_language": {
"java": {
"samples": 50,
"precision": 0.94,
"recall": 0.88,
"f1": 0.909,
"confusion_matrix": {
"tp": 44, "fp": 3, "tn": 2, "fn": 1
}
},
"csharp": {
"samples": 50,
"precision": 0.91,
"recall": 0.86,
"f1": 0.884,
"confusion_matrix": {
"tp": 43, "fp": 4, "tn": 2, "fn": 1
}
},
"typescript": {
"samples": 50,
"precision": 0.89,
"recall": 0.84,
"f1": 0.864,
"confusion_matrix": {
"tp": 42, "fp": 5, "tn": 2, "fn": 1
}
},
"python": {
"samples": 50,
"precision": 0.88,
"recall": 0.83,
"f1": 0.854,
"confusion_matrix": {
"tp": 41, "fp": 5, "tn": 3, "fn": 1
}
}
},
"ground_truth_ref": "datasets/reachability/v2025.12",
"raw_results_ref": "results/reachability/raw/2025-12-14/"
}
```
### 3.2 Performance Results Schema
```json
{
"benchmark": "performance-v1",
"date": "2025-12-14T00:00:00Z",
"scanner_version": "1.3.0",
"scanner_commit": "abc123def",
"environment": {
"os": "ubuntu-22.04",
"arch": "amd64",
"cpu": "Intel Xeon E-2288G",
"memory_gb": 16,
"storage": "nvme"
},
"images": [
{
"image": "alpine:3.19",
"size_mb": 7,
"components": 15,
"vulnerabilities": 5,
"runs": 10,
"cold_start": {
"p50_ms": 2800,
"p95_ms": 4200,
"mean_ms": 3100
},
"warm_cache": {
"p50_ms": 1500,
"p95_ms": 2100,
"mean_ms": 1650
},
"memory_peak_mb": 180,
"cpu_time_ms": 1200
},
{
"image": "python:3.12",
"size_mb": 1024,
"components": 300,
"vulnerabilities": 150,
"runs": 10,
"cold_start": {
"p50_ms": 32000,
"p95_ms": 48000,
"mean_ms": 35000
},
"warm_cache": {
"p50_ms": 18000,
"p95_ms": 25000,
"mean_ms": 19500
},
"memory_peak_mb": 1100,
"cpu_time_ms": 28000
}
],
"aggregated": {
"total_images": 8,
"total_runs": 80,
"avg_time_per_mb_ms": 35,
"avg_memory_per_component_kb": 400
}
}
```
### 3.3 SBOM Results Schema
```json
{
"benchmark": "sbom-v1",
"date": "2025-12-14T00:00:00Z",
"scanner_version": "1.3.0",
"summary": {
"total_images": 8,
"component_recall": 0.98,
"component_precision": 0.995,
"version_accuracy": 0.96
},
"by_ecosystem": {
"apk": {
"ground_truth_components": 100,
"detected_components": 99,
"correct_versions": 96,
"recall": 0.99,
"precision": 0.99,
"version_accuracy": 0.96
},
"npm": {
"ground_truth_components": 500,
"detected_components": 492,
"correct_versions": 475,
"recall": 0.984,
"precision": 0.998,
"version_accuracy": 0.965
}
},
"formats_tested": ["cyclonedx-1.6", "spdx-3.0.1"]
}
```
### 3.4 Determinism Results Schema
```json
{
"benchmark": "determinism-v1",
"date": "2025-12-14T00:00:00Z",
"scanner_version": "1.3.0",
"summary": {
"total_runs": 100,
"bitwise_identical": 100,
"bitwise_fidelity": 1.0,
"semantic_identical": 100,
"semantic_fidelity": 1.0
},
"by_image": {
"alpine:3.19": {
"runs": 20,
"bitwise_identical": 20,
"output_hash": "sha256:abc123..."
},
"python:3.12": {
"runs": 20,
"bitwise_identical": 20,
"output_hash": "sha256:def456..."
}
},
"seed": 42,
"timestamp_frozen": "2025-01-01T00:00:00Z"
}
```
---
## 4. SUBMISSION PROCESS
### 4.1 Internal Submission (StellaOps Team)
Benchmark results are automatically collected by CI:
```yaml
# .gitea/workflows/weekly-benchmark.yml triggers:
# - Weekly benchmark runs
# - Results stored in internal dashboard
# - Regression detection against baselines
```
Manual submission:
```bash
# Upload to internal dashboard
make benchmark-submit
# Or via CLI
stellaops benchmark submit \
--file results/benchmark-all-20251214.json \
--dashboard internal
```
### 4.2 External Validation Submission
Third parties can validate and submit benchmark results:
#### Step 1: Fork and Clone
```bash
# Fork the benchmark repository
# https://git.stella-ops.org/stella-ops.org/benchmarks
git clone https://git.stella-ops.org/<your-org>/benchmarks.git
cd benchmarks
```
#### Step 2: Run Benchmarks
```bash
# With StellaOps scanner
make benchmark-all SCANNER=stellaops
# Or with your own tool for comparison
make benchmark-all SCANNER=your-tool
```
#### Step 3: Prepare Submission
```bash
# Results directory structure
mkdir -p submissions/<your-org>/<date>
# Copy results
cp results/*.json submissions/<your-org>/<date>/
# Add reproduction README
cat > submissions/<your-org>/<date>/README.md <<EOF
# Benchmark Results: <Your Org>
**Date:** $(date -u +%Y-%m-%d)
**Scanner:** <tool-name>
**Version:** <version>
## Environment
- OS: <os>
- CPU: <cpu>
- Memory: <memory>
## Reproduction Steps
<steps>
## Notes
<any observations>
EOF
```
#### Step 4: Submit Pull Request
```bash
git checkout -b benchmark-results-$(date +%Y%m%d)
git add submissions/
git commit -m "Add benchmark results from <your-org> $(date +%Y-%m-%d)"
git push origin benchmark-results-$(date +%Y%m%d)
# Create PR via web interface or gh CLI
gh pr create --title "Benchmark: <your-org> $(date +%Y-%m-%d)" \
--body "Benchmark results for external validation"
```
### 4.3 Submission Review Process
| Step | Action | Timeline |
|------|--------|----------|
| 1 | PR submitted | Day 0 |
| 2 | Automated validation runs | Day 0 (CI) |
| 3 | Maintainer review | Day 1-3 |
| 4 | Results published (if valid) | Day 3-5 |
| 5 | Dashboard updated | Day 5 |
---
## 5. BENCHMARK CATEGORIES
### 5.1 Reachability Benchmark
**Purpose:** Measure accuracy of static and runtime reachability analysis.
**Ground Truth Source:** `datasets/reachability/`
**Test Cases:**
- 50+ samples per language (Java, C#, TypeScript, Python, Go)
- Known-reachable vulnerable paths
- Known-unreachable vulnerable code
- Runtime-only reachable code
**Scoring:**
```
Precision = TP / (TP + FP)
Recall = TP / (TP + FN)
F1 = 2 * (Precision * Recall) / (Precision + Recall)
```
**Targets:**
| Metric | Target | Blocking |
|--------|--------|----------|
| Precision | >= 90% | >= 85% |
| Recall | >= 85% | >= 80% |
| F1 | >= 87% | >= 82% |
### 5.2 Performance Benchmark
**Purpose:** Measure scan time, memory usage, and CPU utilization.
**Reference Images:** See [Performance Baselines](performance-baselines.md)
**Metrics:**
- P50/P95 scan time (cold and warm)
- Peak memory usage
- CPU time
- Throughput (images/minute)
**Targets:**
| Image Category | P50 Time | P95 Time | Max Memory |
|----------------|----------|----------|------------|
| Minimal (<100MB) | < 5s | < 10s | < 256MB |
| Standard (100-500MB) | < 15s | < 30s | < 512MB |
| Large (500MB-2GB) | < 45s | < 90s | < 1.5GB |
### 5.3 SBOM Benchmark
**Purpose:** Measure component detection completeness and accuracy.
**Ground Truth Source:** Manual SBOM audits of reference images.
**Metrics:**
- Component recall (found / total)
- Component precision (real / reported)
- Version accuracy (correct / total)
**Targets:**
| Metric | Target |
|--------|--------|
| Component Recall | >= 98% |
| Component Precision | >= 99% |
| Version Accuracy | >= 95% |
### 5.4 Vulnerability Detection Benchmark
**Purpose:** Measure CVE detection accuracy against known-vulnerable images.
**Ground Truth Source:** `datasets/vulns/` curated CVE lists.
**Metrics:**
- True positive rate
- False positive rate
- False negative rate
- Precision/Recall/F1
**Targets:**
| Metric | Target |
|--------|--------|
| Precision | >= 95% |
| Recall | >= 90% |
| F1 | >= 92% |
### 5.5 Determinism Benchmark
**Purpose:** Verify reproducible scan outputs.
**Methodology:**
1. Run same scan N times (default: 20)
2. Compare output hashes
3. Calculate bitwise fidelity
**Targets:**
| Metric | Target |
|--------|--------|
| Bitwise Fidelity | 100% |
| Semantic Fidelity | 100% |
---
## 6. COMPARING RESULTS
### 6.1 Against Baselines
```bash
# Compare current run against stored baseline
stellaops benchmark compare \
--baseline results/baseline/2025-Q4.json \
--current results/benchmark-all-20251214.json \
--threshold-p50 0.15 \
--threshold-precision 0.02 \
--fail-on-regression
# Output:
# Performance: PASS (P50 within 15% of baseline)
# Accuracy: PASS (Precision within 2% of baseline)
# Determinism: PASS (100% fidelity)
```
### 6.2 Against Other Tools
```bash
# Generate comparison report
stellaops benchmark compare-tools \
--stellaops results/stellaops/2025-12-14.json \
--trivy results/trivy/2025-12-14.json \
--grype results/grype/2025-12-14.json \
--output comparison-report.html
```
### 6.3 Historical Trends
```bash
# Generate trend report (last 12 months)
stellaops benchmark trend \
--period 12m \
--metrics precision,recall,p50_time \
--output trend-report.html
```
---
## 7. TROUBLESHOOTING
### 7.1 Common Issues
| Issue | Cause | Resolution |
|-------|-------|------------|
| Non-deterministic output | Locale not set | Set `LC_ALL=C` |
| Memory OOM | Large image | Increase memory limit |
| Slow performance | Cold cache | Pre-pull images |
| Missing components | Ecosystem not supported | Check supported ecosystems |
### 7.2 Debug Mode
```bash
# Enable verbose benchmark logging
make benchmark-all DEBUG=1
# Enable timing breakdown
export STELLAOPS_BENCHMARK_TIMING=1
make benchmark-performance
```
### 7.3 Validation Failures
```bash
# Check result schema validity
stellaops benchmark validate --file results/benchmark-all.json
# Check against ground truth
stellaops benchmark validate-ground-truth \
--results results/reachability.json \
--ground-truth datasets/reachability/v2025.12
```
---
## 8. REFERENCES
- [Performance Baselines](performance-baselines.md)
- [Accuracy Metrics Framework](accuracy-metrics-framework.md)
- [Offline Parity Verification](../airgap/offline-parity-verification.md)
- [Determinism CI Harness](../modules/scanner/design/determinism-ci-harness.md)
- [Ground Truth Datasets](../datasets/README.md)
---
**Document Version**: 1.0
**Target Platform**: .NET 10, PostgreSQL >=16

127
docs/benchmarks/tiered-precision-curves.md Normal file
View File

@@ -0,0 +1,127 @@
# Tiered Precision Curves for Scanner Accuracy
**Advisory:** 16-Dec-2025 - Measuring Progress with Tiered Precision Curves
**Status:** Processing
**Related Sprints:** SPRINT_3500_0003_0001 (Ground-Truth Corpus)
## Executive Summary
This advisory introduces a tiered approach to measuring scanner accuracy that prevents metric gaming. By tracking precision/recall separately for three evidence tiers (Imported, Executed, Tainted→Sink), we ensure improvements in one tier don't hide regressions in another.
## Key Concepts
### Evidence Tiers
| Tier | Description | Risk Level | Typical Volume |
|------|-------------|------------|----------------|
| **Imported** | Vuln exists in dependency | Lowest | High |
| **Executed** | Code/deps actually run | Medium | Medium |
| **Tainted→Sink** | User data reaches sink | Highest | Low |
### Tier Precedence
Highest tier wins when a finding has multiple evidence types:
1. `tainted_sink` (highest)
2. `executed`
3. `imported`
## Implementation Components
### 1. Evidence Schema (`eval` schema)
```sql
-- Ground truth samples
eval.sample(sample_id, name, repo_path, commit_sha, language, scenario, entrypoints)
-- Expected findings
eval.expected_finding(expected_id, sample_id, vuln_key, tier, rule_key, sink_class)
-- Evaluation runs
eval.run(eval_run_id, scanner_version, rules_hash, concelier_snapshot_hash)
-- Observed results
eval.observed_finding(observed_id, eval_run_id, sample_id, vuln_key, tier, score, rule_key, evidence)
-- Computed metrics
eval.metrics(eval_run_id, tier, op_point, precision, recall, f1, pr_auc, latency_p50_ms)
```
### 2. Scanner Worker Changes
Workers emit evidence primitives:
- `DependencyEvidence { purl, version, lockfile_path }`
- `ReachabilityEvidence { entrypoint, call_path[], confidence }`
- `TaintEvidence { source, sink, sanitizers[], dataflow_path[], confidence }`
### 3. Scanner WebService Changes
WebService performs tiering:
- Merge evidence for same `vuln_key`
- Run reachability/taint algorithms
- Assign `evidence_tier` deterministically
- Persist normalized findings
### 4. Evaluator CLI
New tool `StellaOps.Scanner.Evaluation.Cli`:
- `import-corpus` - Load samples and expected findings
- `run` - Trigger scans using replay manifest
- `compute` - Calculate per-tier PR curves
- `report` - Generate markdown artifacts
### 5. CI Gates
Fail builds when:
- PR-AUC(imported) drops > 2%
- PR-AUC(executed/tainted_sink) drops > 1%
- FP rate in `tainted_sink` > 5% at Recall ≥ 0.7
## Operating Points
| Tier | Target Recall | Purpose |
|------|--------------|---------|
| `imported` | ≥ 0.60 | Broad coverage |
| `executed` | ≥ 0.70 | Material risk |
| `tainted_sink` | ≥ 0.80 | Actionable findings |
## Integration with Existing Systems
### Concelier
- Stores advisory data, does not tier
- Tag advisories with sink classes when available
### Excititor (VEX)
- Include `tier` in VEX statements
- Allow policy per-tier thresholds
- Preserve pruning provenance
### Notify
- Gate alerts on tiered thresholds
- Page only on `tainted_sink` at operating point
### UI
- Show tier badge on findings
- Default sort: tainted_sink > executed > imported
- Display evidence summary (entrypoint, path length, sink class)
## Success Criteria
1. Can demonstrate release where overall precision stayed flat but tainted→sink PR-AUC improved
2. On-call noise reduced via tier-gated paging
3. TTFS p95 for tainted→sink within budget
## Related Documentation
- [Ground-Truth Corpus Sprint](../implplan/SPRINT_3500_0003_0001_ground_truth_corpus_ci_gates.md)
- [Scanner Architecture](../modules/scanner/architecture.md)
- [Reachability Analysis](./14-Dec-2025%20-%20Reachability%20Analysis%20Technical%20Reference.md)
## Overlap Analysis
This advisory **extends** the ground-truth corpus work (SPRINT_3500_0003_0001) with:
- Tiered precision tracking (new)
- Per-tier operating points (new)
- CI gates based on tier-specific AUC (enhancement)
- Integration with Notify for tier-gated alerts (new)
No contradictions with existing implementations found.

250
docs/ci/sarif-integration.md Normal file
View File

@@ -0,0 +1,250 @@
# SARIF Integration Guide
**Sprint:** SPRINT_3500_0004_0001
**Task:** SDIFF-BIN-032 - Documentation for SARIF integration
## Overview
StellaOps Scanner supports SARIF (Static Analysis Results Interchange Format) 2.1.0 output for seamless integration with CI/CD platforms including GitHub, GitLab, and Azure DevOps.
## Supported Platforms
| Platform | Integration Method | Native Support |
|----------|-------------------|----------------|
| GitHub Actions | Code Scanning API | ✅ Yes |
| GitLab CI | SAST Reports | ✅ Yes |
| Azure DevOps | SARIF Viewer Extension | ✅ Yes |
| Jenkins | SARIF Plugin | ✅ Yes |
| Other | File upload | ✅ Yes |
## Quick Start
### API Endpoint
```bash
# Get SARIF output for a scan
curl -H "Authorization: Bearer $TOKEN" \
"https://scanner.example.com/api/v1/smart-diff/scans/{scanId}/sarif"
# With pretty printing
curl -H "Authorization: Bearer $TOKEN" \
"https://scanner.example.com/api/v1/smart-diff/scans/{scanId}/sarif?pretty=true"
```
### CLI Usage
```bash
# Scan with SARIF output
stellaops scan image:tag --output-format sarif > results.sarif
# Smart-diff with SARIF output
stellaops smart-diff --base image:v1 --target image:v2 --output-format sarif
```
## SARIF Rule Definitions
StellaOps emits the following rule categories in SARIF output:
| Rule ID | Name | Description |
|---------|------|-------------|
| SDIFF001 | ReachabilityChange | Vulnerability reachability status changed |
| SDIFF002 | VexStatusFlip | VEX status changed (affected/not_affected/fixed) |
| SDIFF003 | HardeningRegression | Binary hardening flag regressed |
| SDIFF004 | IntelligenceSignal | EPSS/KEV status changed |
## GitHub Actions Integration
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run StellaOps Scanner
run: |
stellaops scan ${{ github.repository }} \
--output-format sarif \
--output results.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
category: stellaops
```
## GitLab CI Integration
```yaml
security_scan:
stage: test
image: stellaops/cli:latest
script:
- stellaops scan $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA --output-format sarif > gl-sast-report.sarif
artifacts:
reports:
sast: gl-sast-report.sarif
```
## Azure DevOps Integration
```yaml
trigger:
- main
pool:
vmImage: 'ubuntu-latest'
steps:
- task: Bash@3
displayName: 'Run StellaOps Scanner'
inputs:
targetType: 'inline'
script: |
stellaops scan $(containerImage) --output-format sarif > $(Build.ArtifactStagingDirectory)/results.sarif
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: '$(Build.ArtifactStagingDirectory)/results.sarif'
artifactName: 'security-results'
```
## SARIF Schema Details
### Result Levels
| SARIF Level | StellaOps Severity | Description |
|-------------|-------------------|-------------|
| `error` | Critical, High | Requires immediate attention |
| `warning` | Medium | Should be reviewed |
| `note` | Low, Info | For awareness |
### Result Kinds
| Kind | Meaning |
|------|---------|
| `fail` | Finding indicates a problem |
| `pass` | Check passed (for VEX suppressed) |
| `notApplicable` | Finding does not apply |
| `informational` | Advisory information |
### Location Information
SARIF results include:
- **Physical location**: File path and line numbers (when available)
- **Logical location**: Component PURL, function name
- **URI**: OCI artifact digest or SBOM reference
## Example SARIF Output
```json
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "StellaOps Scanner",
"version": "1.0.0",
"informationUri": "https://stellaops.io",
"rules": [
{
"id": "SDIFF001",
"name": "ReachabilityChange",
"shortDescription": {
"text": "Vulnerability reachability changed"
},
"defaultConfiguration": {
"level": "warning"
}
}
]
}
},
"results": [
{
"ruleId": "SDIFF001",
"level": "warning",
"message": {
"text": "CVE-2024-1234 became reachable in pkg:npm/lodash@4.17.20"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "package-lock.json"
}
},
"logicalLocations": [
{
"name": "pkg:npm/lodash@4.17.20",
"kind": "package"
}
]
}
],
"properties": {
"vulnerability": "CVE-2024-1234",
"tier": "executed",
"direction": "increased"
}
}
]
}
]
}
```
## Filtering Results
### By Tier
```bash
# Only tainted_sink findings
stellaops scan image:tag --output-format sarif --tier tainted_sink
# Executed and tainted_sink
stellaops scan image:tag --output-format sarif --tier executed,tainted_sink
```
### By Priority
```bash
# Only high priority changes
stellaops smart-diff --output-format sarif --min-priority 0.7
```
## Troubleshooting
### SARIF Validation Errors
If your CI platform rejects the SARIF output:
1. Validate against schema:
```bash
stellaops validate-sarif results.sarif
```
2. Check for required fields:
- `$schema` must be present
- `version` must be `"2.1.0"`
- Each result must have `ruleId` and `message`
### Empty Results
If SARIF contains no results:
- Check scan completed successfully
- Verify image has vulnerability data
- Ensure feed snapshots are current
## Related Documentation
- [Smart-Diff Detection Rules](../modules/scanner/smart-diff-rules.md)
- [Scanner API Reference](../api/scanner-api.md)
- [CLI Reference](../09_API_CLI_REFERENCE.md)
- [Scoring Configuration](./scoring-configuration.md)

292
docs/ci/scoring-configuration.md Normal file
View File

@@ -0,0 +1,292 @@
# Smart-Diff Scoring Configuration Guide
**Sprint:** SPRINT_3500_0004_0001
**Task:** SDIFF-BIN-031 - Documentation for scoring configuration
## Overview
Smart-Diff uses configurable scoring weights to prioritize material risk changes. This guide explains how to customize scoring for your organization's risk appetite.
## Configuration Location
Smart-Diff scoring can be configured via:
1. **PolicyScoringConfig** - Integrated with policy engine
2. **SmartDiffScoringConfig** - Standalone configuration
3. **Environment variables** - Runtime overrides
4. **API** - Dynamic configuration
## Default Configuration
```json
{
"name": "default",
"version": "1.0",
"reachabilityFlipUpWeight": 1.0,
"reachabilityFlipDownWeight": 0.8,
"vexFlipToAffectedWeight": 0.9,
"vexFlipToNotAffectedWeight": 0.7,
"vexFlipToFixedWeight": 0.6,
"vexFlipToUnderInvestigationWeight": 0.3,
"rangeEntryWeight": 0.8,
"rangeExitWeight": 0.6,
"kevAddedWeight": 1.0,
"epssThreshold": 0.1,
"epssThresholdCrossWeight": 0.5,
"hardeningRegressionWeight": 0.7,
"hardeningImprovementWeight": 0.3,
"hardeningRegressionThreshold": 0.1
}
```
## Weight Categories
### Reachability Weights (R1)
Controls scoring for reachability status changes.
| Parameter | Default | Description |
|-----------|---------|-------------|
| `reachabilityFlipUpWeight` | 1.0 | Unreachable → Reachable (risk increase) |
| `reachabilityFlipDownWeight` | 0.8 | Reachable → Unreachable (risk decrease) |
| `useLatticeConfidence` | true | Factor in reachability confidence |
**Example scenarios:**
- Vulnerability becomes reachable after code refactoring → weight = 1.0
- Dependency removed, vulnerability no longer reachable → weight = 0.8
### VEX Status Weights (R2)
Controls scoring for VEX statement changes.
| Parameter | Default | Description |
|-----------|---------|-------------|
| `vexFlipToAffectedWeight` | 0.9 | Status changed to "affected" |
| `vexFlipToNotAffectedWeight` | 0.7 | Status changed to "not_affected" |
| `vexFlipToFixedWeight` | 0.6 | Status changed to "fixed" |
| `vexFlipToUnderInvestigationWeight` | 0.3 | Status changed to "under_investigation" |
**Rationale:**
- "affected" is highest weight as it confirms exploitability
- "fixed" is lower as it indicates remediation
- "under_investigation" is lowest as status is uncertain
### Version Range Weights (R3)
Controls scoring for affected version range changes.
| Parameter | Default | Description |
|-----------|---------|-------------|
| `rangeEntryWeight` | 0.8 | Version entered affected range |
| `rangeExitWeight` | 0.6 | Version exited affected range |
### Intelligence Signal Weights (R4)
Controls scoring for external intelligence changes.
| Parameter | Default | Description |
|-----------|---------|-------------|
| `kevAddedWeight` | 1.0 | Vulnerability added to CISA KEV |
| `epssThreshold` | 0.1 | EPSS score threshold for significance |
| `epssThresholdCrossWeight` | 0.5 | Weight when EPSS crosses threshold |
### Binary Hardening Weights (R5)
Controls scoring for binary hardening flag changes.
| Parameter | Default | Description |
|-----------|---------|-------------|
| `hardeningRegressionWeight` | 0.7 | Security flag disabled (e.g., NX removed) |
| `hardeningImprovementWeight` | 0.3 | Security flag enabled (e.g., PIE added) |
| `hardeningRegressionThreshold` | 0.1 | Minimum score drop to flag regression |
## Presets
### Default Preset
Balanced configuration suitable for most organizations.
```csharp
SmartDiffScoringConfig.Default
```
### Strict Preset
Higher weights for regressions, recommended for security-critical applications.
```csharp
SmartDiffScoringConfig.Strict
```
Configuration:
```json
{
"name": "strict",
"reachabilityFlipUpWeight": 1.2,
"vexFlipToAffectedWeight": 1.1,
"kevAddedWeight": 1.5,
"hardeningRegressionWeight": 1.0,
"hardeningRegressionThreshold": 0.05
}
```
### Lenient Preset
Lower weights for alerts, suitable for development/staging environments.
```json
{
"name": "lenient",
"reachabilityFlipUpWeight": 0.7,
"vexFlipToAffectedWeight": 0.6,
"kevAddedWeight": 0.8,
"hardeningRegressionWeight": 0.4,
"epssThreshold": 0.2
}
```
## Policy Integration
Smart-Diff scoring integrates with `PolicyScoringConfig`:
```csharp
var config = new PolicyScoringConfig(
Version: "1.0",
SeverityWeights: severityWeights,
QuietPenalty: 0.1,
WarnPenalty: 0.5,
IgnorePenalty: 0.0,
TrustOverrides: trustOverrides,
ReachabilityBuckets: reachabilityBuckets,
UnknownConfidence: unknownConfig,
SmartDiff: new SmartDiffPolicyScoringConfig(
ReachabilityFlipUpWeight: 1.0,
VexFlipToAffectedWeight: 0.9,
KevAddedWeight: 1.2
)
);
```
## Environment Variable Overrides
```bash
# Override reachability weights
export STELLAOPS_SMARTDIFF_REACHABILITY_FLIP_UP_WEIGHT=1.2
export STELLAOPS_SMARTDIFF_REACHABILITY_FLIP_DOWN_WEIGHT=0.7
# Override KEV weight
export STELLAOPS_SMARTDIFF_KEV_ADDED_WEIGHT=1.5
# Override hardening threshold
export STELLAOPS_SMARTDIFF_HARDENING_REGRESSION_THRESHOLD=0.05
```
## API Configuration
### Get Current Configuration
```bash
GET /api/v1/config/smart-diff/scoring
Response:
{
"name": "default",
"version": "1.0",
"weights": { ... }
}
```
### Update Configuration
```bash
PUT /api/v1/config/smart-diff/scoring
Content-Type: application/json
{
"reachabilityFlipUpWeight": 1.2,
"kevAddedWeight": 1.5
}
```
## Score Calculation Formula
The final priority score is calculated as:
```
priority_score = base_severity × Σ(change_weight × rule_match)
```
Where:
- `base_severity` is the CVSS/severity normalized to 0-1
- `change_weight` is the configured weight for the change type
- `rule_match` is 1 if the rule triggered, 0 otherwise
### Example Calculation
Given:
- CVE-2024-1234 with CVSS 7.5 (base_severity = 0.75)
- Became reachable (reachabilityFlipUpWeight = 1.0)
- Added to KEV (kevAddedWeight = 1.0)
```
priority_score = 0.75 × (1.0 + 1.0) = 1.5 → capped at 1.0
```
## Tuning Recommendations
### For CI/CD Pipelines
```json
{
"kevAddedWeight": 1.5,
"hardeningRegressionWeight": 1.2,
"epssThreshold": 0.05
}
```
Focus on blocking builds for known exploited vulnerabilities and hardening regressions.
### For Alert Fatigue Reduction
```json
{
"reachabilityFlipDownWeight": 0.3,
"vexFlipToNotAffectedWeight": 0.2,
"rangeExitWeight": 0.2
}
```
Lower weights for positive changes to reduce noise.
### For Compliance Focus
```json
{
"kevAddedWeight": 2.0,
"vexFlipToAffectedWeight": 1.2,
"hardeningRegressionThreshold": 0.02
}
```
Higher weights for regulatory-relevant changes.
## Monitoring and Metrics
Track scoring effectiveness with:
```sql
-- Average priority score by rule type
SELECT
change_type,
AVG(priority_score) as avg_score,
COUNT(*) as count
FROM smart_diff_changes
WHERE created_at > now() - interval '30 days'
GROUP BY change_type
ORDER BY avg_score DESC;
```
## Related Documentation
- [Smart-Diff Detection Rules](../modules/scanner/smart-diff-rules.md)
- [Policy Engine Configuration](../modules/policy/architecture.md)
- [SARIF Integration](./sarif-integration.md)

233
docs/cli/keyboard-shortcuts.md Normal file
View File

@@ -0,0 +1,233 @@
# Keyboard Shortcuts Reference
**Sprint:** SPRINT_3600_0001_0001
**Task:** TRI-MASTER-0010 - Document keyboard shortcuts in user guide
## Overview
StellaOps supports keyboard shortcuts for efficient triage and navigation. Shortcuts are available in the Web UI and CLI interactive modes.
## Triage View Shortcuts
### Navigation
| Key | Action | Context |
|-----|--------|---------|
| `j` / `↓` | Next finding | Finding list |
| `k` / `↑` | Previous finding | Finding list |
| `g g` | Go to first finding | Finding list |
| `G` | Go to last finding | Finding list |
| `Enter` | Open finding details | Finding list |
| `Esc` | Close panel / Cancel | Any |
### Decision Actions
| Key | Action | Context |
|-----|--------|---------|
| `a` | Mark as Affected | Finding selected |
| `n` | Mark as Not Affected | Finding selected |
| `w` | Mark as Won't Fix | Finding selected |
| `f` | Mark as False Positive | Finding selected |
| `u` | Undo last decision | Any |
| `Ctrl+z` | Undo | Any |
### Evidence & Context
| Key | Action | Context |
|-----|--------|---------|
| `e` | Toggle evidence panel | Finding selected |
| `g` | Toggle graph view | Finding selected |
| `c` | Show call stack | Finding selected |
| `v` | Show VEX status | Finding selected |
| `p` | Show provenance | Finding selected |
| `d` | Show diff | Finding selected |
### Search & Filter
| Key | Action | Context |
|-----|--------|---------|
| `/` | Open search | Global |
| `Ctrl+f` | Find in page | Global |
| `Ctrl+k` | Quick filter | Global |
| `x` | Clear filters | Filter active |
### View Controls
| Key | Action | Context |
|-----|--------|---------|
| `1` | Show all findings | View |
| `2` | Show untriaged only | View |
| `3` | Show affected only | View |
| `4` | Show not affected | View |
| `[` | Collapse all | List view |
| `]` | Expand all | List view |
| `Tab` | Next panel | Multi-panel |
| `Shift+Tab` | Previous panel | Multi-panel |
### Bulk Actions
| Key | Action | Context |
|-----|--------|---------|
| `Space` | Toggle selection | Finding |
| `Shift+j` | Select next | Selection mode |
| `Shift+k` | Select previous | Selection mode |
| `Ctrl+a` | Select all visible | Finding list |
| `Shift+a` | Bulk: Affected | Selection |
| `Shift+n` | Bulk: Not Affected | Selection |
## CLI Batch Mode Shortcuts
### Navigation
| Key | Action |
|-----|--------|
| `j` / `↓` | Next finding |
| `k` / `↑` | Previous finding |
| `Page Down` | Skip 10 forward |
| `Page Up` | Skip 10 back |
| `Home` | First finding |
| `End` | Last finding |
### Decisions
| Key | Action |
|-----|--------|
| `a` | Affected |
| `n` | Not affected |
| `w` | Won't fix |
| `f` | False positive |
| `s` | Skip (no decision) |
| `u` | Undo last |
### Information
| Key | Action |
|-----|--------|
| `e` | Show evidence |
| `i` | Show full info |
| `?` | Show help |
### Control
| Key | Action |
|-----|--------|
| `q` | Save and quit |
| `Q` | Quit without saving |
| `Ctrl+c` | Abort |
## Graph View Shortcuts
| Key | Action |
|-----|--------|
| `+` / `=` | Zoom in |
| `-` | Zoom out |
| `0` | Reset zoom |
| `Arrow keys` | Pan view |
| `f` | Fit to screen |
| `h` | Highlight path to root |
| `l` | Highlight dependents |
| `Enter` | Select node |
| `Esc` | Deselect |
## Dashboard Shortcuts
| Key | Action |
|-----|--------|
| `r` | Refresh data |
| `t` | Toggle sidebar |
| `m` | Open menu |
| `s` | Open settings |
| `?` | Show shortcuts |
## Scan View Shortcuts
| Key | Action |
|-----|--------|
| `j` / `k` | Navigate scans |
| `Enter` | Open scan details |
| `d` | Download report |
| `c` | Compare scans |
| `r` | Rescan |
## Configuration
### Enable/Disable Shortcuts
```yaml
# ~/.stellaops/ui.yaml
keyboard:
enabled: true
vim_mode: true # Use vim-style navigation
# Customize keys
custom:
next_finding: "j"
prev_finding: "k"
affected: "a"
not_affected: "n"
```
### CLI Configuration
```yaml
# ~/.stellaops/cli.yaml
interactive:
keyboard_enabled: true
confirm_quit: true
auto_save: true
```
### Web UI Settings
Access via **Settings → Keyboard Shortcuts**:
- Enable/disable shortcuts
- Customize key bindings
- Import/export configurations
## Accessibility
### Screen Reader Support
All keyboard shortcuts have equivalent menu actions:
- Use `Alt` to access menu bar
- Tab navigation for all controls
- ARIA labels for all actions
### Motion Preferences
When `prefers-reduced-motion` is set:
- Instant transitions replace animations
- Focus indicators remain visible longer
## Quick Reference Card
```
┌────────────────────────────────────────────┐
│ STELLAOPS KEYBOARD SHORTCUTS │
├────────────────────────────────────────────┤
│ NAVIGATION │ DECISIONS │
│ j/k Next/Prev │ a Affected │
│ g g First │ n Not Affected │
│ G Last │ w Won't Fix │
│ Enter Open │ f False Positive │
│ Esc Close │ u Undo │
├─────────────────────┼──────────────────────┤
│ EVIDENCE │ VIEW │
│ e Evidence panel │ 1 All findings │
│ g Graph view │ 2 Untriaged │
│ c Call stack │ 3 Affected │
│ v VEX status │ / Search │
├─────────────────────┼──────────────────────┤
│ BULK │ CONTROL │
│ Space Select │ q Save & quit │
│ Ctrl+a Select all │ ? Help │
│ Shift+a Bulk affect │ Ctrl+z Undo │
└─────────────────────┴──────────────────────┘
```
## Related Documentation
- [Triage CLI Reference](./triage-cli.md)
- [Web UI Guide](../15_UI_GUIDE.md)
- [Accessibility Guide](../accessibility.md)

284
docs/cli/smart-diff-cli.md Normal file
View File

@@ -0,0 +1,284 @@
# Smart-Diff CLI Reference
**Sprint:** SPRINT_3500_0001_0001
**Task:** SDIFF-MASTER-0008 - Update CLI documentation with smart-diff commands
## Overview
Smart-Diff analyzes changes between container image versions to identify material risk changes. It detects reachability shifts, VEX status changes, binary hardening regressions, and intelligence signal updates.
## Commands
### stellaops smart-diff
Compare two artifacts and report material risk changes.
```bash
stellaops smart-diff [OPTIONS]
```
#### Required Options
| Option | Description |
|--------|-------------|
| `--base <ARTIFACT>` | Base artifact (image digest, SBOM path, or purl) |
| `--target <ARTIFACT>` | Target artifact to compare against base |
#### Output Options
| Option | Description | Default |
|--------|-------------|---------|
| `--output <PATH>` | Output file path | stdout |
| `--output-format <FMT>` | Output format: `json`, `yaml`, `table`, `sarif` | `table` |
| `--output-dir <DIR>` | Output directory for bundle format | - |
| `--include-proofs` | Include proof ledger in output | `false` |
| `--include-evidence` | Include raw evidence data | `false` |
| `--pretty` | Pretty-print JSON/YAML output | `false` |
#### Analysis Options
| Option | Description | Default |
|--------|-------------|---------|
| `--rules <PATH>` | Custom detection rules file | built-in |
| `--config <PATH>` | Scoring configuration file | default config |
| `--tier <TIER>` | Filter by evidence tier: `imported`, `executed`, `tainted_sink` | all |
| `--min-priority <N>` | Minimum priority score (0-1) | 0.0 |
| `--include-unchanged` | Include unchanged findings | `false` |
#### Feed Options
| Option | Description | Default |
|--------|-------------|---------|
| `--feed-snapshot <HASH>` | Use specific feed snapshot | latest |
| `--offline` | Run in offline mode | `false` |
| `--feed-dir <PATH>` | Local feed directory | - |
### Examples
#### Basic Comparison
```bash
# Compare two image versions
stellaops smart-diff \
--base registry.example.com/app:v1.0.0 \
--target registry.example.com/app:v1.1.0
# Output:
# Smart-Diff Report: app:v1.0.0 → app:v1.1.0
# ═══════════════════════════════════════════
#
# Summary:
# Total Changes: 5
# Risk Increased: 2
# Risk Decreased: 3
# Hardening Regressions: 1
#
# Material Changes:
# ┌─────────────────┬──────────────────┬──────────┬──────────┐
# │ Vulnerability │ Component │ Change │ Priority │
# ├─────────────────┼──────────────────┼──────────┼──────────┤
# │ CVE-2024-1234 │ lodash@4.17.20 │ +reach │ 0.85 │
# │ CVE-2024-5678 │ requests@2.28.0 │ +kev │ 0.95 │
# │ CVE-2024-9999 │ urllib3@1.26.0 │ -reach │ 0.60 │
# └─────────────────┴──────────────────┴──────────┴──────────┘
```
#### SARIF Output for CI/CD
```bash
# Generate SARIF for GitHub Actions
stellaops smart-diff \
--base app:v1.0.0 \
--target app:v1.1.0 \
--output-format sarif \
--output results.sarif
```
#### Filtered Analysis
```bash
# Only show high-priority changes
stellaops smart-diff \
--base app:v1 \
--target app:v2 \
--min-priority 0.7 \
--output-format json
# Only tainted_sink tier findings
stellaops smart-diff \
--base app:v1 \
--target app:v2 \
--tier tainted_sink
```
#### Export with Proofs
```bash
# Full export with proof bundle
stellaops smart-diff \
--base app:v1 \
--target app:v2 \
--output-dir ./smart-diff-export \
--include-proofs \
--include-evidence
# Creates:
# ./smart-diff-export/
# ├── manifest.json
# ├── diff-results.json
# ├── proofs/
# └── evidence/
```
#### Offline Mode
```bash
# Use local feeds only
STELLAOPS_OFFLINE=true stellaops smart-diff \
--base sbom-v1.json \
--target sbom-v2.json \
--feed-dir /opt/stellaops/feeds
```
### stellaops smart-diff show
Display results from a saved smart-diff report.
```bash
stellaops smart-diff show [OPTIONS] <INPUT>
```
#### Options
| Option | Description | Default |
|--------|-------------|---------|
| `--format <FMT>` | Output format: `table`, `json`, `yaml` | `table` |
| `--filter <EXPR>` | Filter expression (e.g., `priority>=0.8`) | - |
| `--sort <FIELD>` | Sort field: `priority`, `vuln`, `component` | `priority` |
| `--limit <N>` | Maximum results to show | all |
#### Example
```bash
# Show top 5 highest priority changes
stellaops smart-diff show \
--sort priority \
--limit 5 \
smart-diff-report.json
```
### stellaops smart-diff verify
Verify a smart-diff report's proof bundle.
```bash
stellaops smart-diff verify [OPTIONS] <INPUT>
```
#### Options
| Option | Description | Default |
|--------|-------------|---------|
| `--proof-bundle <PATH>` | Proof bundle path | inferred |
| `--public-key <PATH>` | Public key for signature verification | - |
| `--strict` | Fail on any warning | `false` |
#### Example
```bash
# Verify report integrity
stellaops smart-diff verify \
--proof-bundle ./proofs \
--public-key /path/to/key.pub \
smart-diff-report.json
# Output:
# ✓ Manifest hash verified: sha256:abc123...
# ✓ Proof ledger valid (45 nodes)
# ✓ Root hash matches
# ✓ Signature valid (key: CN=scanner.stellaops.io)
```
### stellaops smart-diff replay
Re-run smart-diff with different feed or config.
```bash
stellaops smart-diff replay [OPTIONS] <SCAN-ID>
```
#### Options
| Option | Description | Default |
|--------|-------------|---------|
| `--feed-snapshot <HASH>` | Use specific feed snapshot | latest |
| `--config <PATH>` | Different scoring config | original |
| `--dry-run` | Preview without saving | `false` |
#### Example
```bash
# Replay with new feed
stellaops smart-diff replay \
--feed-snapshot sha256:abc123... \
scan-12345678
# Preview impact of config change
stellaops smart-diff replay \
--config strict-scoring.json \
--dry-run \
scan-12345678
```
## Exit Codes
| Code | Meaning |
|------|---------|
| 0 | Success, no material changes |
| 1 | Success, material changes found |
| 2 | Success, hardening regressions found |
| 3 | Success, KEV additions found |
| 10 | Invalid arguments |
| 11 | Artifact not found |
| 12 | Feed not available |
| 20 | Verification failed |
| 99 | Internal error |
## Environment Variables
| Variable | Description |
|----------|-------------|
| `STELLAOPS_OFFLINE` | Run in offline mode |
| `STELLAOPS_FEED_DIR` | Local feed directory |
| `STELLAOPS_CONFIG` | Default config file |
| `STELLAOPS_OUTPUT_FORMAT` | Default output format |
## Configuration File
```yaml
# ~/.stellaops/smart-diff.yaml
defaults:
output_format: json
include_proofs: true
min_priority: 0.3
scoring:
reachability_flip_up_weight: 1.0
kev_added_weight: 1.5
hardening_regression_weight: 0.8
rules:
custom_path: /path/to/custom-rules.json
```
## Related Commands
- `stellaops scan` - Full vulnerability scan
- `stellaops score replay` - Score replay
- `stellaops verify-bundle` - Verify proof bundles
## Related Documentation
- [Smart-Diff Air-Gap Workflows](../airgap/smart-diff-airgap-workflows.md)
- [SARIF Integration](../ci/sarif-integration.md)
- [Scoring Configuration](../ci/scoring-configuration.md)

323
docs/cli/triage-cli.md Normal file
View File

@@ -0,0 +1,323 @@
# Triage CLI Reference
**Sprint:** SPRINT_3600_0001_0001
**Task:** TRI-MASTER-0008 - Update CLI documentation with offline commands
## Overview
The Triage CLI provides commands for vulnerability triage, decision management, and offline workflows. It supports evidence-based decision making and audit-ready replay tokens.
## Commands
### stellaops triage list
List findings for triage.
```bash
stellaops triage list [OPTIONS]
```
#### Options
| Option | Description | Default |
|--------|-------------|---------|
| `--scan-id <ID>` | Filter by scan ID | - |
| `--status <STATUS>` | Filter: `untriaged`, `affected`, `not_affected`, `wont_fix`, `false_positive` | all |
| `--priority-min <N>` | Minimum priority (0-1) | 0 |
| `--priority-max <N>` | Maximum priority (0-1) | 1 |
| `--sort <FIELD>` | Sort: `priority`, `vuln`, `component`, `created` | `priority` |
| `--format <FMT>` | Output: `table`, `json`, `csv` | `table` |
| `--limit <N>` | Max results | 50 |
| `--workspace <PATH>` | Offline workspace | - |
#### Examples
```bash
# List untriaged high-priority findings
stellaops triage list \
--scan-id scan-12345678 \
--status untriaged \
--priority-min 0.7
# Export for review
stellaops triage list \
--scan-id scan-12345678 \
--format json > findings.json
```
### stellaops triage show
Show finding details with evidence.
```bash
stellaops triage show <FINDING-ID> [OPTIONS]
```
#### Options
| Option | Description | Default |
|--------|-------------|---------|
| `--show-evidence` | Include full evidence | `false` |
| `--evidence-first` | Lead with evidence summary | `false` |
| `--show-history` | Show decision history | `false` |
| `--format <FMT>` | Output: `text`, `json`, `yaml` | `text` |
| `--workspace <PATH>` | Offline workspace | - |
#### Example
```bash
# Show with evidence
stellaops triage show CVE-2024-1234 \
--show-evidence \
--evidence-first
# Output:
# ═══════════════════════════════════════════
# CVE-2024-1234 · pkg:npm/lodash@4.17.20
# ═══════════════════════════════════════════
#
# EVIDENCE
# ────────
# Reachability: TAINTED_SINK (tier 3/3)
# └─ api.js:42 → utils.js:15 → lodash/merge
#
# Call Stack:
# 1. api.js:42 handleUserInput()
# 2. utils.js:15 processData()
# 3. lodash:merge <vulnerable sink>
#
# VEX: No statement
# EPSS: 0.67 (High)
# KEV: No
#
# VULNERABILITY
# ─────────────
# CVE-2024-1234: Prototype Pollution in lodash
# CVSS: 7.5 (High)
# CWE: CWE-1321
#
# STATUS: untriaged
```
### stellaops triage decide
Record a triage decision.
```bash
stellaops triage decide <FINDING-ID> [OPTIONS]
```
#### Options
| Option | Description | Default |
|--------|-------------|---------|
| `--status <STATUS>` | Required: `affected`, `not_affected`, `wont_fix`, `false_positive` | - |
| `--justification <TEXT>` | Decision justification | - |
| `--reviewer <NAME>` | Reviewer identifier | current user |
| `--vex-emit` | Emit VEX statement | `false` |
| `--workspace <PATH>` | Offline workspace | - |
#### Examples
```bash
# Mark as not affected
stellaops triage decide CVE-2024-1234 \
--status not_affected \
--justification "Feature gated, unreachable in production"
# Mark affected and emit VEX
stellaops triage decide CVE-2024-5678 \
--status affected \
--justification "In use, remediation planned" \
--vex-emit
```
### stellaops triage batch
Interactive batch triage mode.
```bash
stellaops triage batch [OPTIONS]
```
#### Options
| Option | Description | Default |
|--------|-------------|---------|
| `--scan-id <ID>` | Scan to triage | - |
| `--query <EXPR>` | Filter expression | - |
| `--input <PATH>` | Offline bundle | - |
| `--workspace <PATH>` | Offline workspace | - |
#### Keyboard Shortcuts
| Key | Action |
|-----|--------|
| `j` / `↓` | Next finding |
| `k` / `↑` | Previous finding |
| `a` | Mark affected |
| `n` | Mark not affected |
| `w` | Mark won't fix |
| `f` | Mark false positive |
| `e` | Show full evidence |
| `g` | Show graph context |
| `u` | Undo last decision |
| `/` | Search findings |
| `?` | Show help |
| `q` | Save and quit |
#### Example
```bash
# Interactive triage
stellaops triage batch \
--scan-id scan-12345678 \
--query "priority>=0.5"
```
### stellaops triage export
Export findings for offline triage.
```bash
stellaops triage export [OPTIONS]
```
#### Options
| Option | Description | Default |
|--------|-------------|---------|
| `--scan-id <ID>` | Scan to export | required |
| `--findings <IDS>` | Specific finding IDs (comma-separated) | - |
| `--all-findings` | Export all findings | `false` |
| `--include-evidence` | Include evidence data | `true` |
| `--include-graph` | Include dependency graph | `true` |
| `--output <PATH>` | Output path (.stella.bundle.tgz) | required |
| `--sign` | Sign the bundle | `true` |
#### Example
```bash
# Export specific findings
stellaops triage export \
--scan-id scan-12345678 \
--findings CVE-2024-1234,CVE-2024-5678 \
--output triage-bundle.stella.bundle.tgz
```
### stellaops triage import
Import offline bundle for triage.
```bash
stellaops triage import [OPTIONS]
```
#### Options
| Option | Description | Default |
|--------|-------------|---------|
| `--input <PATH>` | Bundle path | required |
| `--workspace <PATH>` | Target workspace | `~/.stellaops/triage` |
| `--verify` | Verify signature | `true` |
| `--public-key <PATH>` | Public key for verification | - |
### stellaops triage export-decisions
Export decisions for sync.
```bash
stellaops triage export-decisions [OPTIONS]
```
#### Options
| Option | Description | Default |
|--------|-------------|---------|
| `--workspace <PATH>` | Workspace path | required |
| `--output <PATH>` | Output path | required |
| `--format <FMT>` | Format: `json`, `ndjson` | `json` |
| `--sign` | Sign output | `true` |
### stellaops triage import-decisions
Import and apply decisions.
```bash
stellaops triage import-decisions [OPTIONS]
```
#### Options
| Option | Description | Default |
|--------|-------------|---------|
| `--input <PATH>` | Decisions file | required |
| `--verify` | Verify signatures | `true` |
| `--apply` | Apply to server | `false` |
| `--dry-run` | Preview only | `false` |
| `--conflict-mode <MODE>` | Conflict handling: `keep-local`, `keep-server`, `newest`, `review` | `review` |
### stellaops triage verify-bundle
Verify bundle integrity.
```bash
stellaops triage verify-bundle [OPTIONS]
```
#### Options
| Option | Description | Default |
|--------|-------------|---------|
| `--input <PATH>` | Bundle path | required |
| `--public-key <PATH>` | Public key | required |
| `--strict` | Fail on warnings | `false` |
### stellaops triage show-token
Display replay token details.
```bash
stellaops triage show-token <TOKEN>
```
### stellaops triage verify-token
Verify replay token.
```bash
stellaops triage verify-token <TOKEN> [OPTIONS]
```
#### Options
| Option | Description | Default |
|--------|-------------|---------|
| `--public-key <PATH>` | Public key | required |
## Exit Codes
| Code | Meaning |
|------|---------|
| 0 | Success |
| 1 | Findings require attention |
| 10 | Invalid arguments |
| 11 | Resource not found |
| 20 | Verification failed |
| 21 | Signature invalid |
| 30 | Conflict detected |
| 99 | Internal error |
## Environment Variables
| Variable | Description |
|----------|-------------|
| `STELLAOPS_OFFLINE` | Enable offline mode |
| `STELLAOPS_TRIAGE_WORKSPACE` | Default workspace |
| `STELLAOPS_REVIEWER` | Default reviewer name |
## Related Documentation
- [Triage Air-Gap Workflows](../airgap/triage-airgap-workflows.md)
- [Keyboard Shortcuts](./keyboard-shortcuts.md)
- [Triage API Reference](../api/triage-api.md)

Some files were not shown because too many files have changed in this diff Show More