stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
main
git.stella-ops.org/docs/schemas/scanner-entrytrace-baseline.schema.json
StellaOps Bot 0de92144d2
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Findings Ledger CI / build-test (push) Has been cancelled
Details
Findings Ledger CI / migration-validation (push) Has been cancelled
Details
Findings Ledger CI / generate-manifest (push) Has been cancelled
Details
mock-dev-release / package-mock-release (push) Has been cancelled
Details
feat(api): Implement Console Export Client and Models 
- Added ConsoleExportClient for managing export requests and responses.
- Introduced ConsoleExportRequest and ConsoleExportResponse models.
- Implemented methods for creating and retrieving exports with appropriate headers.

feat(crypto): Add Software SM2/SM3 Cryptography Provider

- Implemented SmSoftCryptoProvider for software-only SM2/SM3 cryptography.
- Added support for signing and verification using SM2 algorithm.
- Included hashing functionality with SM3 algorithm.
- Configured options for loading keys from files and environment gate checks.

test(crypto): Add unit tests for SmSoftCryptoProvider

- Created comprehensive tests for signing, verifying, and hashing functionalities.
- Ensured correct behavior for key management and error handling.

feat(api): Enhance Console Export Models

- Expanded ConsoleExport models to include detailed status and event types.
- Added support for various export formats and notification options.

test(time): Implement TimeAnchorPolicyService tests

- Developed tests for TimeAnchorPolicyService to validate time anchors.
- Covered scenarios for anchor validation, drift calculation, and policy enforcement.
2025-12-07 00:27:33 +02:00

678 lines
18 KiB
JSON
Raw Permalink Blame History

{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/scanner-entrytrace-baseline.schema.json",
"title": "StellaOps Scanner EntryTrace Baseline Schema",
"description": "Schema for EntryTrace heuristics, baseline configurations, and entry point detection. Unblocks SCANNER-ENTRYTRACE-18-503 through 18-508 (5+ tasks).",
"type": "object",
"definitions": {
"EntryTraceConfig": {
"type": "object",
"description": "EntryTrace configuration",
"required": ["config_id", "language"],
"properties": {
"config_id": {
"type": "string"
},
"language": {
"type": "string",
"enum": ["java", "python", "javascript", "typescript", "go", "ruby", "php", "csharp", "rust"],
"description": "Target language"
},
"version": {
"type": "string"
},
"entry_point_patterns": {
"type": "array",
"items": {
"$ref": "#/definitions/EntryPointPattern"
}
},
"framework_configs": {
"type": "array",
"items": {
"$ref": "#/definitions/FrameworkConfig"
}
},
"heuristics": {
"$ref": "#/definitions/HeuristicsConfig"
},
"exclusions": {
"$ref": "#/definitions/ExclusionConfig"
}
}
},
"EntryPointPattern": {
"type": "object",
"description": "Pattern for detecting entry points",
"required": ["pattern_id", "type", "pattern"],
"properties": {
"pattern_id": {
"type": "string"
},
"type": {
"type": "string",
"enum": ["annotation", "decorator", "function_name", "class_name", "file_pattern", "import_pattern", "ast_pattern"],
"description": "Pattern type"
},
"pattern": {
"type": "string",
"description": "Regex or AST pattern"
},
"confidence": {
"type": "number",
"minimum": 0,
"maximum": 1,
"description": "Confidence level for this pattern"
},
"entry_type": {
"type": "string",
"enum": ["http_endpoint", "grpc_method", "cli_command", "event_handler", "scheduled_job", "message_consumer", "test_method"],
"description": "Type of entry point detected"
},
"framework": {
"type": "string",
"description": "Associated framework (e.g., spring, express, django)"
},
"metadata_extraction": {
"$ref": "#/definitions/MetadataExtraction"
}
}
},
"MetadataExtraction": {
"type": "object",
"description": "Rules for extracting metadata from entry points",
"properties": {
"http_method": {
"type": "string",
"description": "Pattern to extract HTTP method"
},
"route_path": {
"type": "string",
"description": "Pattern to extract route path"
},
"parameters": {
"type": "string",
"description": "Pattern to extract parameters"
},
"auth_required": {
"type": "string",
"description": "Pattern to detect auth requirements"
}
}
},
"FrameworkConfig": {
"type": "object",
"description": "Framework-specific configuration",
"required": ["framework_id", "name"],
"properties": {
"framework_id": {
"type": "string"
},
"name": {
"type": "string"
},
"version_range": {
"type": "string",
"description": "Supported version range (semver)"
},
"detection_patterns": {
"type": "array",
"items": {
"type": "string"
},
"description": "Patterns to detect framework usage"
},
"entry_patterns": {
"type": "array",
"items": {
"type": "string"
},
"description": "Entry point pattern IDs for this framework"
},
"router_file_patterns": {
"type": "array",
"items": {
"type": "string"
},
"description": "Glob patterns for router/route files"
},
"controller_patterns": {
"type": "array",
"items": {
"type": "string"
},
"description": "Patterns to identify controller classes"
}
}
},
"HeuristicsConfig": {
"type": "object",
"description": "Heuristics configuration for entry point detection",
"properties": {
"enable_static_analysis": {
"type": "boolean",
"default": true
},
"enable_dynamic_hints": {
"type": "boolean",
"default": false,
"description": "Use runtime hints if available"
},
"confidence_threshold": {
"type": "number",
"minimum": 0,
"maximum": 1,
"default": 0.7,
"description": "Minimum confidence to report entry point"
},
"max_depth": {
"type": "integer",
"minimum": 1,
"default": 10,
"description": "Maximum call graph depth to analyze"
},
"timeout_seconds": {
"type": "integer",
"default": 300,
"description": "Analysis timeout per file"
},
"scoring_weights": {
"$ref": "#/definitions/ScoringWeights"
}
}
},
"ScoringWeights": {
"type": "object",
"description": "Weights for confidence scoring",
"properties": {
"annotation_match": {
"type": "number",
"default": 0.9
},
"naming_convention": {
"type": "number",
"default": 0.6
},
"file_location": {
"type": "number",
"default": 0.5
},
"import_analysis": {
"type": "number",
"default": 0.7
},
"call_graph_centrality": {
"type": "number",
"default": 0.4
}
}
},
"ExclusionConfig": {
"type": "object",
"description": "Exclusion rules",
"properties": {
"exclude_paths": {
"type": "array",
"items": {
"type": "string"
},
"description": "Glob patterns to exclude"
},
"exclude_packages": {
"type": "array",
"items": {
"type": "string"
},
"description": "Package names to exclude"
},
"exclude_test_files": {
"type": "boolean",
"default": true
},
"exclude_generated": {
"type": "boolean",
"default": true
}
}
},
"EntryPoint": {
"type": "object",
"description": "Detected entry point",
"required": ["entry_id", "type", "location"],
"properties": {
"entry_id": {
"type": "string"
},
"type": {
"type": "string",
"enum": ["http_endpoint", "grpc_method", "cli_command", "event_handler", "scheduled_job", "message_consumer", "test_method"]
},
"name": {
"type": "string"
},
"location": {
"$ref": "#/definitions/CodeLocation"
},
"confidence": {
"type": "number",
"minimum": 0,
"maximum": 1
},
"framework": {
"type": "string"
},
"http_metadata": {
"$ref": "#/definitions/HttpMetadata"
},
"parameters": {
"type": "array",
"items": {
"$ref": "#/definitions/ParameterInfo"
}
},
"reachable_vulnerabilities": {
"type": "array",
"items": {
"type": "string"
},
"description": "CVE IDs reachable from this entry point"
},
"call_paths": {
"type": "array",
"items": {
"$ref": "#/definitions/CallPath"
}
},
"detection_method": {
"type": "string",
"description": "Pattern ID that detected this entry"
}
}
},
"CodeLocation": {
"type": "object",
"description": "Source code location",
"required": ["file_path"],
"properties": {
"file_path": {
"type": "string"
},
"line_start": {
"type": "integer"
},
"line_end": {
"type": "integer"
},
"column_start": {
"type": "integer"
},
"column_end": {
"type": "integer"
},
"function_name": {
"type": "string"
},
"class_name": {
"type": "string"
},
"package_name": {
"type": "string"
}
}
},
"HttpMetadata": {
"type": "object",
"description": "HTTP endpoint metadata",
"properties": {
"method": {
"type": "string",
"enum": ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"]
},
"path": {
"type": "string"
},
"path_parameters": {
"type": "array",
"items": {
"type": "string"
}
},
"query_parameters": {
"type": "array",
"items": {
"type": "string"
}
},
"consumes": {
"type": "array",
"items": {
"type": "string"
}
},
"produces": {
"type": "array",
"items": {
"type": "string"
}
},
"auth_required": {
"type": "boolean"
},
"auth_scopes": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"ParameterInfo": {
"type": "object",
"description": "Entry point parameter",
"properties": {
"name": {
"type": "string"
},
"type": {
"type": "string"
},
"source": {
"type": "string",
"enum": ["path", "query", "header", "body", "form", "cookie"]
},
"required": {
"type": "boolean"
},
"tainted": {
"type": "boolean",
"description": "Whether this is a potential taint source"
}
}
},
"CallPath": {
"type": "object",
"description": "Call path from entry point to vulnerability",
"properties": {
"target_vulnerability": {
"type": "string",
"description": "CVE ID or vulnerability identifier"
},
"path_length": {
"type": "integer"
},
"calls": {
"type": "array",
"items": {
"$ref": "#/definitions/CallSite"
}
},
"confidence": {
"type": "number",
"minimum": 0,
"maximum": 1
}
}
},
"CallSite": {
"type": "object",
"description": "Individual call in call path",
"properties": {
"caller": {
"type": "string"
},
"callee": {
"type": "string"
},
"location": {
"$ref": "#/definitions/CodeLocation"
},
"call_type": {
"type": "string",
"enum": ["direct", "virtual", "interface", "reflection", "lambda"]
}
}
},
"BaselineReport": {
"type": "object",
"description": "EntryTrace baseline analysis report",
"required": ["report_id", "scan_id", "entry_points"],
"properties": {
"report_id": {
"type": "string",
"format": "uuid"
},
"scan_id": {
"type": "string"
},
"generated_at": {
"type": "string",
"format": "date-time"
},
"config_used": {
"type": "string",
"description": "Config ID used for analysis"
},
"entry_points": {
"type": "array",
"items": {
"$ref": "#/definitions/EntryPoint"
}
},
"statistics": {
"$ref": "#/definitions/BaselineStatistics"
},
"frameworks_detected": {
"type": "array",
"items": {
"type": "string"
}
},
"analysis_duration_ms": {
"type": "integer"
},
"digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
}
}
},
"BaselineStatistics": {
"type": "object",
"description": "Baseline analysis statistics",
"properties": {
"total_entry_points": {
"type": "integer"
},
"by_type": {
"type": "object",
"additionalProperties": {
"type": "integer"
}
},
"by_framework": {
"type": "object",
"additionalProperties": {
"type": "integer"
}
},
"by_confidence": {
"type": "object",
"properties": {
"high": {
"type": "integer"
},
"medium": {
"type": "integer"
},
"low": {
"type": "integer"
}
}
},
"files_analyzed": {
"type": "integer"
},
"files_skipped": {
"type": "integer"
},
"reachable_vulnerabilities": {
"type": "integer"
}
}
}
},
"properties": {
"configs": {
"type": "array",
"items": {
"$ref": "#/definitions/EntryTraceConfig"
}
},
"baseline_reports": {
"type": "array",
"items": {
"$ref": "#/definitions/BaselineReport"
}
}
},
"examples": [
{
"configs": [
{
"config_id": "java-spring-baseline",
"language": "java",
"version": "1.0.0",
"entry_point_patterns": [
{
"pattern_id": "spring-request-mapping",
"type": "annotation",
"pattern": "@(Get|Post|Put|Delete|Patch|Request)Mapping",
"confidence": 0.95,
"entry_type": "http_endpoint",
"framework": "spring",
"metadata_extraction": {
"http_method": "annotation.name.replace('Mapping', '').toUpperCase()",
"route_path": "annotation.value || annotation.path"
}
},
{
"pattern_id": "spring-rest-controller",
"type": "annotation",
"pattern": "@RestController",
"confidence": 0.9,
"entry_type": "http_endpoint",
"framework": "spring"
},
{
"pattern_id": "spring-scheduled",
"type": "annotation",
"pattern": "@Scheduled",
"confidence": 0.95,
"entry_type": "scheduled_job",
"framework": "spring"
}
],
"framework_configs": [
{
"framework_id": "spring-boot",
"name": "Spring Boot",
"version_range": ">=2.0.0",
"detection_patterns": [
"org.springframework.boot",
"@SpringBootApplication"
],
"entry_patterns": ["spring-request-mapping", "spring-rest-controller", "spring-scheduled"],
"router_file_patterns": ["**/controller/**/*.java", "**/rest/**/*.java"],
"controller_patterns": [".*Controller$", ".*Resource$"]
}
],
"heuristics": {
"enable_static_analysis": true,
"enable_dynamic_hints": false,
"confidence_threshold": 0.7,
"max_depth": 15,
"timeout_seconds": 600,
"scoring_weights": {
"annotation_match": 0.95,
"naming_convention": 0.6,
"file_location": 0.5,
"import_analysis": 0.7,
"call_graph_centrality": 0.4
}
},
"exclusions": {
"exclude_paths": ["**/test/**", "**/generated/**"],
"exclude_packages": ["org.springframework.test"],
"exclude_test_files": true,
"exclude_generated": true
}
}
],
"baseline_reports": [
{
"report_id": "550e8400-e29b-41d4-a716-446655440000",
"scan_id": "scan-2025-12-06-001",
"generated_at": "2025-12-06T10:00:00Z",
"config_used": "java-spring-baseline",
"entry_points": [
{
"entry_id": "ep-001",
"type": "http_endpoint",
"name": "getUserById",
"location": {
"file_path": "src/main/java/com/example/UserController.java",
"line_start": 25,
"line_end": 35,
"function_name": "getUserById",
"class_name": "UserController",
"package_name": "com.example"
},
"confidence": 0.95,
"framework": "spring",
"http_metadata": {
"method": "GET",
"path": "/api/users/{id}",
"path_parameters": ["id"],
"auth_required": true
},
"parameters": [
{
"name": "id",
"type": "Long",
"source": "path",
"required": true,
"tainted": true
}
],
"reachable_vulnerabilities": ["CVE-2023-1234"],
"detection_method": "spring-request-mapping"
}
],
"statistics": {
"total_entry_points": 45,
"by_type": {
"http_endpoint": 40,
"scheduled_job": 3,
"message_consumer": 2
},
"by_framework": {
"spring": 45
},
"by_confidence": {
"high": 38,
"medium": 5,
"low": 2
},
"files_analyzed": 120,
"files_skipped": 15,
"reachable_vulnerabilities": 12
},
"frameworks_detected": ["spring-boot"],
"analysis_duration_ms": 45000,
"digest": "sha256:entry123def456789012345678901234567890123456789012345678901234entry"
}
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink