TASKS
| Task | Owner(s) | Depends on | Notes | 
|---|---|---|---|
| Ecosystem fetchers (npm, pypi, maven, go, crates) | BE-Conn-OSV | Source.Common | DONE – archive fetch loop iterates ecosystems with pagination + change gating. | 
| OSV options & HttpClient configuration | BE-Conn-OSV | Source.Common | DONE – OsvOptions + AddOsvConnector configure allowlisted HttpClient. | 
| DTO validation + sanitizer | BE-Conn-OSV | Source.Common | DONE – JSON deserialization sanitizes payloads before persistence; schema enforcement deferred. | 
| Mapper to canonical SemVer ranges | BE-Conn-OSV | Models | DONE – OsvMapper emits SemVer ranges with provenance metadata. 2025-10-11 research trail: ensure NormalizedVersions array uses payloads such as [{"scheme":"semver","type":"range","min":"<min>","minInclusive":true,"max":"<max>","maxInclusive":false,"notes":"osv:GHI-2025-0001"}] so storage merges align with GHSA parity tests. |
| Alias consolidation (GHSA/CVE) | BE-Merge | Merge | DONE – OSV advisory records now emit GHSA/CVE aliases captured by alias graph tests. | 
| Tests: snapshot per ecosystem | QA | Tests | DONE – deterministic snapshots added for npm and PyPI advisories. | 
| Cursor persistence and hash gating | BE-Conn-OSV | Storage.Mongo | DONE – OsvCursor tracks per-ecosystem metadata and SHA gating. | 
| Parity checks vs GHSA data | QA | Merge | DONE – OsvGhsaParityRegressionTests keep OSV ↔ GHSA fixtures green; regeneration workflow documented in docs/19_TEST_SUITE_OVERVIEW.md. | 
| Connector DI routine & job registration | BE-Conn-OSV | Core | DONE – DI routine registers fetch/parse/map jobs with scheduler. | 
| Implement OSV fetch/parse/map skeleton | BE-Conn-OSV | Source.Common | DONE – connector now persists documents, DTOs, and canonical advisories. | 
| FEEDCONN-OSV-02-004 OSV references & credits alignment | BE-Conn-OSV | Models FEEDMODELS-SCHEMA-01-002 | DONE (2025-10-11) – Mapper normalizes references with provenance masks, emits advisory credits, and regression fixtures/assertions cover the new fields. |
| FEEDCONN-OSV-02-005 Fixture updater workflow | BE-Conn-OSV, QA | Docs | DONE (2025-10-12) – Canonical PURL derivation now covers Go + scoped npm advisories without upstream purl; legacy invalid npm names still fall back to ecosystem:name. OSV/GHSA/NVD suites and normalization/storage tests rerun clean. | 
| FEEDCONN-OSV-02-003 Normalized versions rollout | BE-Conn-OSV | Models FEEDMODELS-SCHEMA-01-003, Normalization playbook | DONE (2025-10-11) – OsvMapper now emits SemVer primitives + normalized rules with osv:{ecosystem}:{advisoryId}:{identifier} notes; npm/PyPI/Parity fixtures refreshed; merge coordination pinged (OSV handoff). |
| FEEDCONN-OSV-04-003 Parity fixture refresh | QA, BE-Conn-OSV | Normalized versions rollout, GHSA parity tests | DONE (2025-10-12) – Parity fixtures include normalizedVersions notes (osv:<ecosystem>:<id>:<purl>); regression math rerun via dotnet test src/StellaOps.Feedser.Source.Osv.Tests and docs flagged for workflow sync. | 
| FEEDCONN-OSV-04-002 Conflict regression fixtures | BE-Conn-OSV, QA | Merge FEEDMERGE-ENGINE-04-001 | DONE (2025-10-12) – Added conflict-osv.canonical.json + regression asserting SemVer range + CVSS medium severity; dataset matches GHSA/NVD fixtures for merge tests. Validation: dotnet test src/StellaOps.Feedser.Source.Osv.Tests/StellaOps.Feedser.Source.Osv.Tests.csproj --filter OsvConflictFixtureTests. |