git.stella-ops.org/docs/dev/aoc-normalization-removal-notes.md
master 02e384a7d6 Add unit tests for RancherHubConnector and various exporters
- Implemented tests for RancherHubConnector to validate fetching documents, handling errors, and managing state.
- Added tests for CsafExporter to ensure deterministic serialization of CSAF documents.
- Created tests for CycloneDX exporters and reconciler to verify correct handling of VEX claims and output structure.
- Developed OpenVEX exporter tests to confirm the generation of canonical OpenVEX documents and statement merging logic.
- Introduced Rust file caching and license scanning functionality, including a cache key structure and hash computation.
- Added sample Cargo.toml and LICENSE files for testing Rust license scanning functionality.
2025-10-30 08:01:13 +02:00

AOC Normalization Removal Notes

Last updated: 2025-10-29

Goal

Document follow-up actions for CONCELIER-CORE-AOC-19-004 as we unwind the final pieces of normalization from the ingestion/runtime path.

Current Findings

  • AdvisoryRawService and MongoAdvisoryRawRepository already preserve upstream ordering and duplicate aliases (trim-only). No additional code changes required there.
  • Observation layers (AdvisoryObservationFactory, AdvisoryObservationQueryService) still canonicalise aliases, PURLs, CPEs, and references. These need to be relaxed so Policy/overlays receive raw linksets and can own dedupe logic.
  • Linkset mapper continues to emit deterministic hints. We will keep the mapper but ensure observation output can surface both raw and canonical views for downstream services.

Next Steps

  1. Introduce a raw linkset projection alongside the existing canonical mapper so Policy Engine can choose which flavour to consume.
  2. Update observation factory/query tests to assert duplicate handling and ordering with the relaxed projection.
  3. Refresh docs (docs/ingestion/aggregation-only-contract.md) once behaviour lands to explain the “raw vs canonical linkset” split.
  4. Coordinate with Policy Guild to validate consumers against the new raw projection before flipping defaults.
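The raw versus canonical split from steps 1, 2 and 4, as an added sketch that is not code from the project. The `Linkset` shape, the function names and the canonical rules (case-insensitive alias dedupe, ordinal sort) are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass, fields

# Constructed sample linkset as an upstream feed might send it (not real data).
UPSTREAM = {
    "aliases": [" CVE-2024-0001", "GHSA-aaaa-bbbb-cccc", "cve-2024-0001"],
    "purls": ["pkg:npm/left-pad@1.3.0", "pkg:npm/left-pad@1.3.0 "],
    "references": ["https://example.test/b", "https://example.test/a"],
}

@dataclass(frozen=True)
class Linkset:  # hypothetical shape, not the project's type
    aliases: tuple
    purls: tuple
    references: tuple

def raw_projection(upstream):
    """Trim-only view: upstream order and duplicates are preserved."""
    return Linkset(*(tuple(v.strip() for v in upstream[f.name])
                     for f in fields(Linkset)))

def _canon(values, key):
    # Dedupe on key, keep the first-seen spelling, sort by key (assumed rules).
    first = {}
    for v in values:
        first.setdefault(key(v), v)
    return tuple(first[k] for k in sorted(first))

def canonical_projection(upstream):
    """Canonical view: aliases deduped case-insensitively, everything sorted."""
    raw = raw_projection(upstream)
    return Linkset(_canon(raw.aliases, str.upper),
                   _canon(raw.purls, str),
                   _canon(raw.references, str))

def divergence(raw, canonical):
    """Per field, what a consumer of only the canonical view cannot see."""
    report = {}
    for f in fields(Linkset):
        r, c = getattr(raw, f.name), getattr(canonical, f.name)
        first_seen = [v for v in dict.fromkeys(r) if v in c]
        report[f.name] = {"duplicates_collapsed": len(r) - len(c),
                          "order_changed": first_seen != list(c)}
    return report

if __name__ == "__main__":
    raw, canon = raw_projection(UPSTREAM), canonical_projection(UPSTREAM)
    print(raw, canon, divergence(raw, canon), sep="\n")
```

A consumer that dedupes on its own can be checked against the `divergence` report before defaults are flipped: any field with collapsed duplicates or changed order is one where raw and canonical inputs give it different data.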