8768c27f30
- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties. - Implemented JSON serialization attributes for proper data interchange. - Created project files for the new signal contracts library and corresponding test projects. - Added deterministic test fixtures for micro-interaction testing. - Included cryptographic keys for secure operations with cosign.
282 lines
8.3 KiB
JSON
282 lines
8.3 KiB
JSON
{
|
|
"$id": "https://stella.ops/schema/mirror-bundle.json",
|
|
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
|
"title": "MirrorBundle",
|
|
"description": "Air-gap mirror bundle format for offline operation with DSSE signature support",
|
|
"type": "object",
|
|
"required": [
|
|
"schemaVersion",
|
|
"generatedAt",
|
|
"domainId",
|
|
"exports"
|
|
],
|
|
"properties": {
|
|
"schemaVersion": {
|
|
"type": "integer",
|
|
"minimum": 1,
|
|
"description": "Bundle schema version for compatibility"
|
|
},
|
|
"generatedAt": {
|
|
"type": "string",
|
|
"format": "date-time",
|
|
"description": "ISO-8601 timestamp when bundle was generated"
|
|
},
|
|
"targetRepository": {
|
|
"type": "string",
|
|
"description": "Target OCI repository for this bundle (optional)"
|
|
},
|
|
"domainId": {
|
|
"type": "string",
|
|
"description": "Domain identifier for bundle categorization",
|
|
"examples": ["vex-advisories", "vulnerability-feeds", "policy-packs"]
|
|
},
|
|
"displayName": {
|
|
"type": "string",
|
|
"description": "Human-readable domain display name"
|
|
},
|
|
"exports": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/$defs/BundleExport"
|
|
},
|
|
"minItems": 1,
|
|
"description": "Exported data sets in this bundle"
|
|
}
|
|
},
|
|
"$defs": {
|
|
"BundleExport": {
|
|
"type": "object",
|
|
"required": [
|
|
"key",
|
|
"format",
|
|
"exportId",
|
|
"createdAt",
|
|
"artifactDigest"
|
|
],
|
|
"properties": {
|
|
"key": {
|
|
"type": "string",
|
|
"description": "Export identifier key",
|
|
"examples": ["vex-openvex-all", "vuln-critical-cve"]
|
|
},
|
|
"format": {
|
|
"type": "string",
|
|
"enum": ["openvex", "csaf", "cyclonedx", "spdx", "ndjson", "json"],
|
|
"description": "Export data format"
|
|
},
|
|
"exportId": {
|
|
"type": "string",
|
|
"format": "uuid",
|
|
"description": "Unique export execution identifier"
|
|
},
|
|
"querySignature": {
|
|
"type": "string",
|
|
"description": "Hash of query parameters used for this export"
|
|
},
|
|
"createdAt": {
|
|
"type": "string",
|
|
"format": "date-time",
|
|
"description": "When this export was created"
|
|
},
|
|
"artifactSizeBytes": {
|
|
"type": "integer",
|
|
"minimum": 0,
|
|
"description": "Size of the exported artifact in bytes"
|
|
},
|
|
"artifactDigest": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[a-f0-9]{64}$",
|
|
"description": "SHA-256 digest of the artifact"
|
|
},
|
|
"consensusRevision": {
|
|
"type": "string",
|
|
"description": "Consensus revision for VEX exports"
|
|
},
|
|
"policyRevisionId": {
|
|
"type": "string",
|
|
"description": "Policy revision ID if policy was applied"
|
|
},
|
|
"policyDigest": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[a-f0-9]{64}$",
|
|
"description": "Policy content digest"
|
|
},
|
|
"consensusDigest": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[a-f0-9]{64}$",
|
|
"description": "Consensus document digest"
|
|
},
|
|
"scoreDigest": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[a-f0-9]{64}$",
|
|
"description": "Score document digest"
|
|
},
|
|
"sourceProviders": {
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"description": "VEX providers included in this export"
|
|
},
|
|
"attestation": {
|
|
"$ref": "#/$defs/AttestationDescriptor",
|
|
"description": "Attestation for this export if signed"
|
|
}
|
|
}
|
|
},
|
|
"AttestationDescriptor": {
|
|
"type": "object",
|
|
"required": ["predicateType"],
|
|
"properties": {
|
|
"predicateType": {
|
|
"type": "string",
|
|
"format": "uri",
|
|
"description": "in-toto predicate type URI"
|
|
},
|
|
"rekorLocation": {
|
|
"type": "string",
|
|
"format": "uri",
|
|
"description": "Sigstore Rekor transparency log entry"
|
|
},
|
|
"envelopeDigest": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[a-f0-9]{64}$",
|
|
"description": "DSSE envelope digest"
|
|
},
|
|
"signedAt": {
|
|
"type": "string",
|
|
"format": "date-time",
|
|
"description": "When the attestation was signed"
|
|
}
|
|
}
|
|
},
|
|
"BundleSignature": {
|
|
"type": "object",
|
|
"required": ["algorithm", "keyId", "signedAt"],
|
|
"properties": {
|
|
"path": {
|
|
"type": "string",
|
|
"description": "Relative path to signature file"
|
|
},
|
|
"algorithm": {
|
|
"type": "string",
|
|
"description": "Signing algorithm used",
|
|
"examples": ["ES256", "RS256", "EdDSA"]
|
|
},
|
|
"keyId": {
|
|
"type": "string",
|
|
"description": "Key identifier used for signing"
|
|
},
|
|
"provider": {
|
|
"type": "string",
|
|
"description": "Crypto provider name"
|
|
},
|
|
"signedAt": {
|
|
"type": "string",
|
|
"format": "date-time",
|
|
"description": "When the bundle was signed"
|
|
}
|
|
}
|
|
},
|
|
"BundleManifest": {
|
|
"type": "object",
|
|
"required": ["schemaVersion", "generatedAt", "domainId", "bundle"],
|
|
"description": "Domain manifest pointing to bundle and exports",
|
|
"properties": {
|
|
"schemaVersion": {
|
|
"type": "integer"
|
|
},
|
|
"generatedAt": {
|
|
"type": "string",
|
|
"format": "date-time"
|
|
},
|
|
"domainId": {
|
|
"type": "string"
|
|
},
|
|
"displayName": {
|
|
"type": "string"
|
|
},
|
|
"targetRepository": {
|
|
"type": "string"
|
|
},
|
|
"bundle": {
|
|
"$ref": "#/$defs/FileDescriptor"
|
|
},
|
|
"exports": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/$defs/ManifestExportEntry"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"FileDescriptor": {
|
|
"type": "object",
|
|
"required": ["path", "sizeBytes", "digest"],
|
|
"properties": {
|
|
"path": {
|
|
"type": "string",
|
|
"description": "Relative file path"
|
|
},
|
|
"sizeBytes": {
|
|
"type": "integer",
|
|
"minimum": 0
|
|
},
|
|
"digest": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[a-f0-9]{64}$"
|
|
},
|
|
"signature": {
|
|
"$ref": "#/$defs/BundleSignature"
|
|
}
|
|
}
|
|
},
|
|
"ManifestExportEntry": {
|
|
"type": "object",
|
|
"required": ["key", "format", "exportId", "createdAt", "artifactDigest"],
|
|
"properties": {
|
|
"key": { "type": "string" },
|
|
"format": { "type": "string" },
|
|
"exportId": { "type": "string" },
|
|
"querySignature": { "type": "string" },
|
|
"createdAt": { "type": "string", "format": "date-time" },
|
|
"artifactDigest": { "type": "string" },
|
|
"artifactSizeBytes": { "type": "integer" },
|
|
"consensusRevision": { "type": "string" },
|
|
"policyRevisionId": { "type": "string" },
|
|
"policyDigest": { "type": "string" },
|
|
"consensusDigest": { "type": "string" },
|
|
"scoreDigest": { "type": "string" },
|
|
"sourceProviders": { "type": "array", "items": { "type": "string" } },
|
|
"attestation": { "$ref": "#/$defs/AttestationDescriptor" }
|
|
}
|
|
}
|
|
},
|
|
"examples": [
|
|
{
|
|
"schemaVersion": 1,
|
|
"generatedAt": "2025-11-21T10:00:00Z",
|
|
"targetRepository": "oci://registry.internal/stella/mirrors",
|
|
"domainId": "vex-advisories",
|
|
"displayName": "VEX Advisories",
|
|
"exports": [
|
|
{
|
|
"key": "vex-openvex-all",
|
|
"format": "openvex",
|
|
"exportId": "550e8400-e29b-41d4-a716-446655440000",
|
|
"querySignature": "abc123def456",
|
|
"createdAt": "2025-11-21T10:00:00Z",
|
|
"artifactSizeBytes": 1048576,
|
|
"artifactDigest": "sha256:7d9cd5f1a2a0dd9a41a2c43a5b7d8a0bcd9e34cf39b3f43a70595c834f0a4aee",
|
|
"sourceProviders": ["anchore", "github", "redhat"],
|
|
"attestation": {
|
|
"predicateType": "https://stella.ops/attestation/vex-export/v1",
|
|
"signedAt": "2025-11-21T10:00:01Z",
|
|
"envelopeDigest": "sha256:8d9cd5f1a2a0dd9a41a2c43a5b7d8a0bcd9e34cf39b3f43a70595c834f0a4aef"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|