# 31-Nov-2025 – FINDINGS (Gap Consolidation)

## Purpose

This advisory consolidates late-November gap findings across Scanner, SBOM/VEX spine, competitor ingest, and other cross-cutting areas. It enumerates remediation tracks referenced by multiple sprints (for example SPRINT_0186_0001_0001_record_deterministic_execution.md) so implementation teams can scope work without waiting on scattered notes.

## Scope & Status

- **Created:** 2025-12-02 (retroactive to 2025-11-30 findings review)
- **Applies to:** Scanner, Sbomer, Policy/Authority, CLI/UI, Observability, Offline/Release
- **Priority sets included:** SC1–SC10 (Scanner), SP1–SP10 (SBOM/VEX spine), CM1–CM10 (Competitor ingest). Other gap families remain to be catalogued; see "Pending families" below.

## SC (Scanner Blueprint) Gaps — SC1–SC10

1. **SC1 — Standards convergence roadmap**: Land coordinated adoption of CVSS v4.0, CycloneDX 1.7 (incl. CBOM), and SLSA 1.2 in scanner outputs and docs.
2. **SC2 — CDX 1.7 + CBOM exports**: Produce deterministic CycloneDX 1.7 with CBOM sections and embedded evidence citations.
3. **SC3 — SLSA Source Track capture**: Capture source-trace fields (build provenance, source repo refs, build-id) in replay bundles.
4. **SC4 — Compatibility adapters**: Provide downgrade adapters (CVSS v4→v3.1, CDX 1.7→1.6, SLSA 1.2→1.0) with deterministic mapping tables.
5. **SC5 — Determinism CI for new formats**: Add CI checks/harnesses ensuring stable ordering/hashes for new schemas.
6. **SC6 — Binary/source evidence alignment**: Align binary evidence (build-id, symbols, patch oracle) with source SBOM/VEX outputs.
7. **SC7 — API/UI surfacing**: Expose the new metadata in surface API and console (filters, columns, download endpoints).
8. **SC8 — Baseline fixtures**: Curate fixture set covering v4 scoring, CBOM, SLSA 1.2, and evidence chips for regression.
9. **SC9 — Governance/approvals**: Define review gates/approvers for schema bumps and downgrade mappings.
10. **SC10 — Offline-kit parity**: Ensure offline kits ship frozen schemas, mappings, and fixtures for the above.

## SP (SBOM/VEX Spine) Gaps — SP1–SP10

1. **SP1 — Versioned API/DTO schemas**: Introduce versioned SBOM/VEX spine schemas with explicit migration rules.
2. **SP2 — Predicate/edge evidence requirements**: Mandate evidence fields per predicate/edge (e.g., reachability proof, package identity, build metadata).
3. **SP3 — Unknowns workflow contract**: Define lifecycle/SLA for Unknowns registry entries and their surfacing in spine APIs.
4. **SP4 — DSSE-signed bundle manifest**: Require DSSE-signed manifest including hash listings for every spine artifact.
5. **SP5 — Deterministic diff rules/fixtures**: Specify canonical diff rules and fixtures for SBOM/VEX deltas.
6. **SP6 — Feed snapshot freeze/staleness**: Codify snapshot/policy freshness guarantees and staleness thresholds.
7. **SP7 — Mandated DSSE per stage**: Enforce DSSE signatures per processing stage with Rekor/mirror policies (online/offline).
8. **SP8 — Policy lattice versioning**: Version the policy lattice and embed version refs into spine objects.
9. **SP9 — Performance/pagination limits**: Set deterministic pagination/ordering and perf budgets for API queries.
10. **SP10 — Crosswalk mappings**: Provide crosswalk between SBOM/VEX/graph/policy outputs for auditors and tooling.

## CM (Competitor Ingest) Gaps — CM1–CM10

1. **CM1 — Normalization adapters**: Harden ingest adapters for Syft/Trivy/Clair (SBOM + vuln scan) into StellaOps schemas.
2. **CM2 — Signature/provenance verification**: Verify external SBOM/scan signatures and provenance before acceptance; reject/flag unverifiable payloads.
3. **CM3 — Snapshot governance**: Enforce DB snapshot versioning, freshness SLAs, and rollback plans for imported feeds.
4. **CM4 — Anomaly regression tests**: Add regression tests for known ingest anomalies (schema drift, nullables, encoding, ordering).
5. **CM5 — Offline ingest kits**: Provide offline kits with DSSE-signed adapters, mappings, and fixtures for external SBOM/scan imports.
6. **CM6 — Fallback rules**: Define fallback hierarchy when external data is incomplete (prefer signed SBOM → unsigned SBOM → scan results → policy defaults).
7. **CM7 — Source transparency**: Persist source tool/version/hash metadata and expose it in APIs/exports.
8. **CM8 — Benchmark parity**: Maintain benchmark parity with upstream tool baselines (version-pinned, hash-logged runs).
9. **CM9 — Ecosystem coverage**: Track coverage per ecosystem (container, Java, Python, .NET, Go, OS packages) and gaps for ingest support.
10. **CM10 — Error resilience & retries**: Standardize retry/backoff/error classification for ingest pipeline; surface diagnostics deterministically.

## OK (Offline Kit) Gaps — OK1–OK10

1. **OK1 — Key manifest + PQ co-sign**: Record key IDs and PQ dual-sign toggle in bundle meta; rotate keys ≤90 days. Evidence: `out/mirror/thin/mirror-thin-v1.bundle.json` (`chain_of_custody.keyid`) and `layers/offline-kit-policy.json`.
2. **OK2 — Tool hashing/signing**: Hash build/sign/verify tools and pin them in bundle meta (`tooling.*`); DSSE envelopes cover manifest + bundle meta.
3. **OK3 — DSSE top-level manifest**: Ship DSSE for bundle meta (`mirror-thin-v1.bundle.dsse.json`) linking manifest, tarball, policies, and optional OCI layout.
4. **OK4 — Checkpoint freshness + mirror metadata**: Enforce `checkpoint_freshness_seconds` and timestamped `created` in bundle meta; require checkpoints in `transport-plan.json`.
5. **OK5 — Deterministic packaging flags**: Capture tar/gzip flags in `layers/offline-kit-policy.json` and verify via `scripts/mirror/verify_thin_bundle.py` determinism checks.
6. **OK6 — Scan/VEX/policy/graph hashes**: Include `layers/artifact-hashes.json` with digests for scan/vex/policy/graph fixtures and reference from bundle meta.
7. **OK7 — Time anchor bundling**: Embed `layers/time-anchor.json` digest in bundle meta and surface trust-root path for AIRGAP-TIME.
8. **OK8 — Transport/chunking + chain-of-custody**: Define chunk sizing, retry policy, and signed chain-of-custody in `layers/transport-plan.json` (includes build/sign digests + keyid).
9. **OK9 — Tenant/environment scoping**: Require `tenant`/`environment` fields in bundle meta; verifier enforces via `--tenant/--environment` flags.
10. **OK10 — Scripted verify + negative paths**: `scripts/mirror/verify_thin_bundle.py` validates required layers, DSSE, sidecars, tool hashes, and scope; fails fast on missing/stale artefacts.

## RK (Rekor) Gaps — RK1–RK10

1. **RK1 — DSSE/hashedrekord only**: `layers/rekor-policy.json` sets `rk1_enforceDsse=true` and routes both public/private to hashedrekord.
2. **RK2 — Payload size preflight + chunks**: `rk2_payloadMaxBytes=1048576` with chunking guidance in `transport-plan.json`.
3. **RK3 — Public/private routing policy**: Explicit routing map (`rk3_routing`) for shard-aware submission.
4. **RK4 — Shard-aware checkpoints**: `rk4_shardCheckpoint="per-tenant-per-day"` plus checkpoint freshness from bundle meta.
5. **RK5 — Idempotent submission keys**: `rk5_idempotentKeys=true` to prevent duplicate entries.
6. **RK6 — Sigstore bundles in kits**: `rk6_sigstoreBundleIncluded=true`; bundle meta lists DSSE artefacts for offline kits.
7. **RK7 — Checkpoint freshness bounds**: `rk7_checkpointFreshnessSeconds` mirrors bundle freshness budget.
8. **RK8 — PQ dual-sign options**: `rk8_pqDualSign` mirrors PQ toggle (env `PQ_CO_SIGN_REQUIRED`).
9. **RK9 — Error taxonomy/backoff**: Enumerated in `rk9_errorTaxonomy` and retried per `transport-plan.json` retry policy.
10. **RK10 — Policy/graph annotations**: `rk10_annotations` require policy + graph context inside DSSE/bundle records.

## MS (Mirror Strategy) Gaps — MS1–MS10

1. **MS1 — Signed/versioned mirror schemas**: `layers/mirror-policy.json` tracks `schemaVersion` + semver; DSSE of bundle meta ties schema to artefacts.
2. **MS2 — DSSE/TUF rotation policy (incl. PQ)**: `dsseTufRotationDays=30` and `pqDualSign` toggle documented in mirror policy and bundle meta.
3. **MS3 — Delta spec with tombstones/base hash**: Mirror policy `delta` enforces tombstones and base-hash requirements for deltas.
4. **MS4 — Time-anchor freshness enforcement**: `timeAnchorFreshnessSeconds` plus bundled `time-anchor.json` digest.
5. **MS5 — Tenant/env scoping**: Tenant/environment fields required in bundle meta; verifier flags mismatches.
6. **MS6 — Distribution integrity (HTTP/OCI/object)**: `distributionIntegrity` enumerates integrity strategies for each transport.
7. **MS7 — Chunking/size rules**: `chunking.sizeBytes` + `maxChunks` pinned in mirror policy and reflected in transport plan.
8. **MS8 — Standard verify script**: `verifyScript` references `scripts/mirror/verify_thin_bundle.py`; bundle meta recorded in DSSE envelope.
9. **MS9 — Metrics/alerts**: Mirror policy `metrics` marks build/import/verify signals required for observability.
10. **MS10 — SemVer/change log**: `changelog` block declares current format version; future bumps must be appended with deterministic notes.
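The following is an added illustration of the bundle-meta checks that OK1, OK4, OK6, OK9 and MS4/MS5 call for (scope, key id, checkpoint freshness, per-layer digests, fail-fast on the first defect); it is not the project's `scripts/mirror/verify_thin_bundle.py`. The `artifact_hashes` field name inside bundle meta and the ISO-8601 form of `created` are assumptions, and the sample kit is constructed.

```python
# Added illustration of the OK/MS verifier checks; not the project's
# scripts/mirror/verify_thin_bundle.py. The "artifact_hashes" field name and
# the ISO-8601 "created" format are assumptions.
import hashlib
from datetime import datetime, timedelta

class VerificationError(Exception):
    """Raised on the first failed check so the verifier fails fast (OK10)."""

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # accept "Z" suffix

def verify_bundle_meta(meta, layers, tenant, environment, now_iso):
    """Enforce scope (OK9/MS5), key id (OK1), checkpoint freshness (OK4/MS4)
    and per-layer digests (OK6). `layers` maps layer path -> raw bytes."""
    for field, expected in (("tenant", tenant), ("environment", environment)):
        actual = meta.get(field)  # scope fields are mandatory, not optional
        if actual is None:
            raise VerificationError(f"bundle meta missing required field {field!r}")
        if actual != expected:
            raise VerificationError(f"{field} mismatch: bundle={actual!r} expected={expected!r}")
    keyid = (meta.get("chain_of_custody") or {}).get("keyid")  # needed for rotation audits
    if not keyid:
        raise VerificationError("chain_of_custody.keyid missing")
    budget = timedelta(seconds=int(meta["checkpoint_freshness_seconds"]))
    if parse_ts(now_iso) - parse_ts(meta["created"]) > budget:  # stale kit is rejected
        raise VerificationError(f"bundle stale: created {meta['created']} exceeds {budget}")
    for path, expected_digest in meta["artifact_hashes"].items():
        if path not in layers:
            raise VerificationError(f"missing layer {path}")
        if sha256_hex(layers[path]) != expected_digest:  # tampered or wrong artefact
            raise VerificationError(f"digest mismatch for {path}")
    return {"keyid": keyid, "verified_layers": sorted(meta["artifact_hashes"])}

# Constructed sample kit: two small layers plus a meta document listing them.
SAMPLE_LAYERS = {
    "layers/time-anchor.json": b'{"anchor": "2025-11-30T00:00:00Z"}',
    "layers/offline-kit-policy.json": b'{"tar": "--sort=name --mtime=@0"}',
}
SAMPLE_META = {
    "tenant": "acme", "environment": "prod", "created": "2025-11-30T12:00:00Z",
    "checkpoint_freshness_seconds": 86400,
    "chain_of_custody": {"keyid": "example-keyid-placeholder"},
    "artifact_hashes": {p: sha256_hex(b) for p, b in SAMPLE_LAYERS.items()},
}
```

Negative paths (stale kit, wrong tenant, tampered layer) each stop at the first failing check, which is the behaviour OK10 asks the scripted verifier to exhibit.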
## Pending Families (to be expanded)

The following gap families were referenced in November indices and still need detailed findings written out:

- CV1–CV10 (CVSS v4 receipts), CVM1–CVM10 (momentum), FC1–FC10 (SCA fixture gaps), OB1–OB10 (onboarding), IG1–IG10 (implementor guidance), RR1–RR10 (Rekor receipts), SK1–SK10 (standups), MI1–MI10 (UI micro-interactions), PVX1–PVX10 (Proof-linked VEX UI), TTE1–TTE10 (Time-to-Evidence), AR-EP1…AR-VB1 (archived advisories revival), BP1–BP10 (SBOM→VEX proof pipeline), UT1–UT10 (unknown heuristics), CE1–CE10 (evidence patterns), ET1–ET10 (ecosystem fixtures), RB1–RB10 (reachability fixtures), G1–G12 / RD1–RD10 (reachability benchmark/dataset), UN1–UN10 (unknowns registry), U1–U10 (decay), EX1–EX10 (explainability), VEX1–VEX10 (VEX claims), BR1–BR10 (binary reachability), VT1–VT10 (triage), PL1–PL10 (plugin arch), EB1–EB10 (evidence baseline), EC1–EC10 (export center), AT1–AT10 (automation), OK1–OK10 / RK1–RK10 / MS1–MS10 (offline/mirror/Rekor kits), TP1–TP10 (task packs), AU1–AU10 (auth), CL1–CL10 (CLI), OR1–OR10 (orchestrator), ZR1–ZR10 (Zastava), NR1–NR10 (Notify), GA1–GA10 (graph analytics), TO1–TO10 (telemetry), PS1–PS10 (policy), FL1–FL10 (ledger), CI1–CI10 (Concelier ingest).

Each pending family should be expanded in this document (or split into dedicated, linked supplements) with numbered findings, recommended evidence, and deterministic test/fixture expectations.

## Decision Trace

- This document was created to satisfy sprint and index references to “31-Nov-2025 FINDINGS.md” and unblock gap-remediation tasks across Scanner/SBOM/VEX and ingest tracks.