git.stella-ops.org/docs/product-advisories/31-Nov-2025 FINDINGS.md
StellaOps Bot 53508ceccb
Add unit tests and logging infrastructure for InMemory and RabbitMQ transports
- Implemented RecordingLogger and RecordingLoggerFactory for capturing log entries in tests.
- Added unit tests for InMemoryChannel, covering constructor behavior, property assignments, channel communication, and disposal.
- Created InMemoryTransportOptionsTests to validate default values and customizable options for InMemory transport.
- Developed RabbitMqFrameProtocolTests to ensure correct parsing and property creation for RabbitMQ frames.
- Added RabbitMqTransportOptionsTests to verify default settings and customization options for RabbitMQ transport.
- Updated project files for testing libraries and dependencies.
2025-12-05 09:38:45 +02:00
31-Nov-2025 FINDINGS (Gap Consolidation)

Purpose

This advisory consolidates late-November gap findings across Scanner, SBOM/VEX spine, competitor ingest, and other cross-cutting areas. It enumerates remediation tracks referenced by multiple sprints (for example SPRINT_0186_0001_0001_record_deterministic_execution.md) so implementation teams can scope work without waiting on scattered notes.

Scope & Status

  • Created: 2025-12-02 (retroactive to 2025-11-30 findings review)
  • Applies to: Scanner, Sbomer, Policy/Authority, CLI/UI, Observability, Offline/Release
  • Priority sets included: SC1–SC10 (Scanner), SP1–SP10 (SBOM/VEX spine), CM1–CM10 (Competitor ingest). Other gap families remain to be catalogued; see "Pending Families" below.

SC (Scanner Blueprint) Gaps — SC1–SC10

  1. SC1 — Standards convergence roadmap: Land coordinated adoption of CVSS v4.0, CycloneDX 1.7 (incl. CBOM), and SLSA 1.2 in scanner outputs and docs.
  2. SC2 — CDX 1.7 + CBOM exports: Produce deterministic CycloneDX 1.7 with CBOM sections and embedded evidence citations.
  3. SC3 — SLSA Source Track capture: Capture source-trace fields (build provenance, source repo refs, build-id) in replay bundles.
  4. SC4 — Compatibility adapters: Provide downgrade adapters (CVSS v4→v3.1, CDX 1.7→1.6, SLSA 1.2→1.0) with deterministic mapping tables.
  5. SC5 — Determinism CI for new formats: Add CI checks/harnesses ensuring stable ordering/hashes for new schemas.
  6. SC6 — Binary/source evidence alignment: Align binary evidence (build-id, symbols, patch oracle) with source SBOM/VEX outputs.
  7. SC7 — API/UI surfacing: Expose the new metadata in surface API and console (filters, columns, download endpoints).
  8. SC8 — Baseline fixtures: Curate fixture set covering v4 scoring, CBOM, SLSA 1.2, and evidence chips for regression.
  9. SC9 — Governance/approvals: Define review gates/approvers for schema bumps and downgrade mappings.
  10. SC10 — Offline-kit parity: Ensure offline kits ship frozen schemas, mappings, and fixtures for the above.

SP (SBOM/VEX Spine) Gaps — SP1–SP10

  1. SP1 — Versioned API/DTO schemas: Introduce versioned SBOM/VEX spine schemas with explicit migration rules.
  2. SP2 — Predicate/edge evidence requirements: Mandate evidence fields per predicate/edge (e.g., reachability proof, package identity, build metadata).
  3. SP3 — Unknowns workflow contract: Define lifecycle/SLA for Unknowns registry entries and their surfacing in spine APIs.
  4. SP4 — DSSE-signed bundle manifest: Require DSSE-signed manifest including hash listings for every spine artifact.
  5. SP5 — Deterministic diff rules/fixtures: Specify canonical diff rules and fixtures for SBOM/VEX deltas.
  6. SP6 — Feed snapshot freeze/staleness: Codify snapshot/policy freshness guarantees and staleness thresholds.
  7. SP7 — Mandated DSSE per stage: Enforce DSSE signatures per processing stage with Rekor/mirror policies (online/offline).
  8. SP8 — Policy lattice versioning: Version the policy lattice and embed version refs into spine objects.
  9. SP9 — Performance/pagination limits: Set deterministic pagination/ordering and perf budgets for API queries.
  10. SP10 — Crosswalk mappings: Provide crosswalk between SBOM/VEX/graph/policy outputs for auditors and tooling.

CM (Competitor Ingest) Gaps — CM1–CM10

  1. CM1 — Normalization adapters: Harden ingest adapters for Syft/Trivy/Clair (SBOM + vuln scan) into StellaOps schemas.
  2. CM2 — Signature/provenance verification: Verify external SBOM/scan signatures and provenance before acceptance; reject/flag unverifiable payloads.
  3. CM3 — Snapshot governance: Enforce DB snapshot versioning, freshness SLAs, and rollback plans for imported feeds.
  4. CM4 — Anomaly regression tests: Add regression tests for known ingest anomalies (schema drift, nullables, encoding, ordering).
  5. CM5 — Offline ingest kits: Provide offline kits with DSSE-signed adapters, mappings, and fixtures for external SBOM/scan imports.
  6. CM6 — Fallback rules: Define fallback hierarchy when external data is incomplete (prefer signed SBOM → unsigned SBOM → scan results → policy defaults).
  7. CM7 — Source transparency: Persist source tool/version/hash metadata and expose it in APIs/exports.
  8. CM8 — Benchmark parity: Maintain benchmark parity with upstream tool baselines (version-pinned, hash-logged runs).
  9. CM9 — Ecosystem coverage: Track coverage per ecosystem (container, Java, Python, .NET, Go, OS packages) and gaps for ingest support.
  10. CM10 — Error resilience & retries: Standardize retry/backoff/error classification for ingest pipeline; surface diagnostics deterministically.

OK (Offline Kit) Gaps — OK1–OK10

  1. OK1 — Key manifest + PQ co-sign: Record key IDs and PQ dual-sign toggle in bundle meta; rotate keys ≤90 days. Evidence: out/mirror/thin/mirror-thin-v1.bundle.json (chain_of_custody.keyid) and layers/offline-kit-policy.json.
  2. OK2 — Tool hashing/signing: Hash build/sign/verify tools and pin them in bundle meta (tooling.*); DSSE envelopes cover manifest + bundle meta.
  3. OK3 — DSSE top-level manifest: Ship DSSE for bundle meta (mirror-thin-v1.bundle.dsse.json) linking manifest, tarball, policies, and optional OCI layout.
  4. OK4 — Checkpoint freshness + mirror metadata: Enforce checkpoint_freshness_seconds and timestamped created in bundle meta; require checkpoints in transport-plan.json.
  5. OK5 — Deterministic packaging flags: Capture tar/gzip flags in layers/offline-kit-policy.json and verify via scripts/mirror/verify_thin_bundle.py determinism checks.
  6. OK6 — Scan/VEX/policy/graph hashes: Include layers/artifact-hashes.json with digests for scan/vex/policy/graph fixtures and reference from bundle meta.
  7. OK7 — Time anchor bundling: Embed layers/time-anchor.json digest in bundle meta and surface trust-root path for AIRGAP-TIME.
  8. OK8 — Transport/chunking + chain-of-custody: Define chunk sizing, retry policy, and signed chain-of-custody in layers/transport-plan.json (includes build/sign digests + keyid).
  9. OK9 — Tenant/environment scoping: Require tenant/environment fields in bundle meta; verifier enforces via --tenant/--environment flags.
  10. OK10 — Scripted verify + negative paths: scripts/mirror/verify_thin_bundle.py validates required layers, DSSE, sidecars, tool hashes, and scope; fails fast on missing/stale artefacts.

RK (Rekor) Gaps — RK1–RK10

  1. RK1 — DSSE/hashedrekord only: layers/rekor-policy.json sets rk1_enforceDsse=true and routes both public/private to hashedrekord.
  2. RK2 — Payload size preflight + chunks: rk2_payloadMaxBytes=1048576 with chunking guidance in transport-plan.json.
  3. RK3 — Public/private routing policy: Explicit routing map (rk3_routing) for shard-aware submission.
  4. RK4 — Shard-aware checkpoints: rk4_shardCheckpoint="per-tenant-per-day" plus checkpoint freshness from bundle meta.
  5. RK5 — Idempotent submission keys: rk5_idempotentKeys=true to prevent duplicate entries.
  6. RK6 — Sigstore bundles in kits: rk6_sigstoreBundleIncluded=true; bundle meta lists DSSE artefacts for offline kits.
  7. RK7 — Checkpoint freshness bounds: rk7_checkpointFreshnessSeconds mirrors bundle freshness budget.
  8. RK8 — PQ dual-sign options: rk8_pqDualSign mirrors PQ toggle (env PQ_CO_SIGN_REQUIRED).
  9. RK9 — Error taxonomy/backoff: Enumerated in rk9_errorTaxonomy and retried per transport-plan.json retry policy.
  10. RK10 — Policy/graph annotations: rk10_annotations require policy + graph context inside DSSE/bundle records.

MS (Mirror Strategy) Gaps — MS1–MS10

  1. MS1 — Signed/versioned mirror schemas: layers/mirror-policy.json tracks schemaVersion + semver; DSSE of bundle meta ties schema to artefacts.
  2. MS2 — DSSE/TUF rotation policy (incl. PQ): dsseTufRotationDays=30 and pqDualSign toggle documented in mirror policy and bundle meta.
  3. MS3 — Delta spec with tombstones/base hash: Mirror policy delta enforces tombstones and base-hash requirements for deltas.
  4. MS4 — Time-anchor freshness enforcement: timeAnchorFreshnessSeconds plus bundled time-anchor.json digest.
  5. MS5 — Tenant/env scoping: Tenant/environment fields required in bundle meta; verifier flags mismatches.
  6. MS6 — Distribution integrity (HTTP/OCI/object): distributionIntegrity enumerates integrity strategies for each transport.
  7. MS7 — Chunking/size rules: chunking.sizeBytes + maxChunks pinned in mirror policy and reflected in transport plan.
  8. MS8 — Standard verify script: verifyScript references scripts/mirror/verify_thin_bundle.py; bundle meta recorded in DSSE envelope.
  9. MS9 — Metrics/alerts: Mirror policy metrics marks build/import/verify signals required for observability.
  10. MS10 — SemVer/change log: changelog block declares current format version; future bumps must be appended with deterministic notes.

NR (Notify Runtime) Gaps — NR1–NR10

  1. NR1 — Signed, versioned schema catalog: Publish JSON Schemas for event envelopes, rules, templates, channels, receipts, and webhooks with explicit schema_version and tenant fields; ship a DSSE-signed catalog (docs/notifications/schemas/notify-schemas-catalog.json + .dsse.json) and canonical hash recipe (BLAKE3-256 over normalized JSON). Evidence: catalog + DSSE, inputs.lock with schema digests.
  2. NR2 — Tenant scoping & approvals: Require tenant ID on all Notify APIs, channels, and ack receipts; enforce per-tenant RBAC/approvals for high-impact rules (escalations, PII, cross-tenant fan-out); document rejection reasons. Evidence: RBAC/approval matrix + conformance tests.
  3. NR3 — Deterministic rendering & localization: Rendering must be deterministic across locales/time zones: stable merge-field ordering, UTC ISO-8601 timestamps with fixed format, locale whitelist, deterministic preview output hashed in ledger; golden fixtures for each channel/template. Evidence: rendering fixture set + hash expectations.
  4. NR4 — Quotas, backpressure, DLQ: Per-tenant/channel quotas, burst budgets, and backpressure rules applied before enqueue; DLQ schema with redrive semantics and idempotent keys; require metrics/alerts for queue depth and DLQ growth. Evidence: quota policy doc + DLQ schema + redrive test harness.
  5. NR5 — Retry & idempotency policy: Canonical delivery_id (UUIDv7) + dedupe key per event×rule×channel; exponential backoff with jitter + max attempts; connectors must be idempotent; ensure out-of-order acks are ignored. Evidence: retry matrix + idempotency conformance tests.
  6. NR6 — Webhook/ack security: Mandatory HMAC with rotated secrets or mTLS/DPoP for webhooks; signed ack URLs/tokens with nonce, expiry, audience, and single-use guarantees; restrict allowed domains/paths per tenant. Evidence: security policy + negative-path tests.
  7. NR7 — Redaction & PII limits: Classify template fields, require redaction of secrets/PII in stored payloads/logs, hash-sensitive values, and enforce size/field allowlists; previews/logs must default to redacted variants. Evidence: redaction catalog + fixtures demonstrating sanitized storage and previews.
  8. NR8 — Observability SLO alerts: Define SLOs for delivery latency, success rate, backlog, DLQ age; standard metrics (notify_delivery_success_total, notify_backlog_depth, etc.) with alert thresholds and runbooks; traces carry tenant/rule/channel IDs with sampling rules. Evidence: dashboard JSON + alert rules + trace exemplar IDs.
  9. NR9 — Offline notify-kit with DSSE: Produce offline kit containing schemas, rules/templates, connector configs, verify script, and DSSE-signed manifest; include hash list and time-anchor hook; support deterministic packaging flags and tenant/env scoping. Evidence: kit manifest + DSSE + verify_notify_kit.sh script.
  10. NR10 — Mandatory simulations & evidence: Rules/templates must pass simulation/dry-run against frozen fixtures before activation; store DSSE-signed simulation results and attach evidence to change approvals; require regression tests for each high-impact rule change. Evidence: simulation report + DSSE + golden fixtures and TRX/NDJSON outputs.
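As an added example of the NR6 ack-token properties (HMAC over the token body, nonce, expiry, audience, tenant binding and single use) on the verifier side, this Python is not Notify's own implementation; the token layout, claim names and the in-memory nonce store are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_ack_token(secret: bytes, tenant: str, delivery_id: str, audience: str,
                   ttl_seconds: int, now: float) -> str:
    """Issue a signed ack token; nonce, expiry, audience and tenant are bound in the claims."""
    claims = {
        "aud": audience,
        "delivery_id": delivery_id,
        "exp": int(now) + ttl_seconds,
        "nonce": secrets.token_hex(16),   # random per token; the verifier records it for single use
        "tenant": tenant,
    }
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

class AckVerifier:
    """Verifies ack tokens for one audience and rejects replays of an already-seen nonce."""
    def __init__(self, secret: bytes, audience: str):
        self.secret = secret
        self.audience = audience
        self.seen_nonces = set()   # constructed in-memory replay store; use shared storage in production

    def verify(self, token: str, tenant: str, now: float):
        """Return (ok, reason-or-delivery_id). The signature is checked before any claim is trusted."""
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.secret, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
        if claims.get("aud") != self.audience:
            return False, "wrong audience"
        if claims.get("tenant") != tenant:
            return False, "tenant mismatch"
        if now >= claims.get("exp", 0):
            return False, "expired"
        if claims["nonce"] in self.seen_nonces:
            return False, "replayed"
        self.seen_nonces.add(claims["nonce"])   # consume the nonce only after every check passed
        return True, claims["delivery_id"]
```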

TP (Task Pack) Gaps — TP1–TP10

  1. TP1 — Canonical schemas + plan-hash recipe: Freeze pack manifest canonicalization (sorted JSON, UTF-8, no insignificant whitespace) and compute plan.hash as sha256 over plan.canonicalPlanPath. Evidence: docs/task-packs/packs-offline-bundle.schema.json, fixtures hashed by scripts/packs/verify_offline_bundle.py.
  2. TP2 — Inputs lock evidence: Every pack run must emit inputs.lock containing resolved inputs, secret placeholders, and digests; stored and hashed in offline bundle hashes[]. Evidence: offline bundle manifest + deterministic hash list.
  3. TP3 — Approval RBAC/DSSE records: Approval decisions are recorded as DSSE ledgers (evidence.approvalsLedger) with Authority claims pack_run_id, pack_gate_id, pack_plan_hash, and tenant context; Task Runner rejects approvals lacking matching plan hash. Evidence: approvals DSSE + ledger hash.
  4. TP4 — Secret redaction policy: Bundle includes security.secretsRedactionPolicy describing hashing/redaction of secrets; transcripts and evidence bundles store only redacted forms. Evidence: policy doc referenced in bundle manifest + redaction fixtures.
  5. TP5 — Deterministic ordering/RNG/time: Execution order, RNG seed (plan.rngSeed derived from plan hash), and timestamps (UTC ISO-8601) are fixed; logs are strictly sequenced. Evidence: canonical plan + deterministic log fixtures.
  6. TP6 — Sandbox/egress limits + quotas: Offline bundle declares sandbox mode (sealed/restricted), explicit egressAllowlist, CPU/memory quotas, and optional quotaSeconds; Task Runner fails if absent. Evidence: sandbox block in manifest + enforcement tests.
  7. TP7 — Pack registry signing + SBOM + revocation: Registry entries ship DSSE envelopes for bundle + attestation, pack SBOM path (pack.sbom), and a revocation list path (security.revocations) enforced during import. Evidence: registry record with SBOM digest + revocation list referenced in manifest.
  8. TP8 — Offline pack-bundle schema + verify script: Offline bundles must conform to packs-offline-bundle.schema.json and pass scripts/packs/verify_offline_bundle.py --bundle <tarball> --require-dsse. Evidence: successful verify run + manifest hash list.
  9. TP9 — Run/approval SLOs + alerting: Bundle declares SLOs (slo.runP95Seconds, slo.approvalP95Seconds, slo.maxQueueDepth) with alert rules referenced in slo.alertRules; observability must surface breaches. Evidence: alert rule file + metrics fixtures.
  10. TP10 — Gate fail-closed defaults: Approval/policy/timeline gates default to fail-closed when evidence, DSSE, or quotas are missing/expired; Task Runner aborts with remediation hint. Evidence: negative-path fixtures showing fail-closed behavior.
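As an added illustration of TP1, TP2, TP3 and TP10 together, this Python shows the canonicalization and plan.hash recipe, a verifier for a hashes[] list, and a fail-closed approval gate keyed on pack_gate_id and pack_plan_hash. It is not code from the StellaOps repository or its verify scripts; the sample plan, file contents and ledger records are constructed, and any field not named in the findings above is an assumption.

```python
import hashlib
import json

def canonical_json(obj) -> bytes:
    """TP1 canonical form: sorted keys, UTF-8, no insignificant whitespace."""
    return json.dumps(obj, sort_keys=True, ensure_ascii=False,
                      separators=(",", ":")).encode("utf-8")

def plan_hash(plan: dict) -> str:
    """plan.hash as sha256 over the canonical plan bytes."""
    return "sha256:" + hashlib.sha256(canonical_json(plan)).hexdigest()

def make_hash_list(files: dict) -> list:
    """Builder side: one hashes[] entry per file shipped in the offline bundle."""
    return [{"path": p, "sha256": hashlib.sha256(d).hexdigest()}
            for p, d in sorted(files.items())]

def verify_hash_list(files: dict, hashes: list) -> list:
    """Verifier side: every listed file present and matching, and no unlisted files."""
    problems = []
    for entry in hashes:
        data = files.get(entry["path"])
        if data is None:
            problems.append(f"missing file: {entry['path']}")
        elif hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(f"digest mismatch: {entry['path']}")
    listed = {entry["path"] for entry in hashes}
    problems.extend(f"unlisted file: {p}" for p in files if p not in listed)
    return problems

def approval_gate(plan: dict, ledger: list, gate_id: str) -> tuple:
    """TP3/TP10: fail closed unless a ledger record matches this gate and the current plan hash."""
    expected = plan_hash(plan)
    for record in ledger:
        if record.get("pack_gate_id") != gate_id:
            continue
        if record.get("pack_plan_hash") != expected:
            return False, "fail-closed: approval was issued for a different plan hash"
        return True, "approved"
    return False, f"fail-closed: no approval record for gate {gate_id}"

# Constructed sample data (not from a real pack run); the same plan with keys in a different order.
PLAN = {"canonicalPlanPath": "plan.json", "steps": [{"id": "build"}, {"id": "sign"}],
        "rngSeed": "constructed-seed"}
PLAN_REORDERED = {"rngSeed": "constructed-seed",
                  "steps": [{"id": "build"}, {"id": "sign"}], "canonicalPlanPath": "plan.json"}
FILES = {"plan.json": canonical_json(PLAN), "inputs.lock": b'{"inputs":[]}\n'}
HASHES = make_hash_list(FILES)
LEDGER = [{"pack_run_id": "run-1", "pack_gate_id": "gate-deploy",
           "pack_plan_hash": plan_hash(PLAN), "tenant": "tenant-a"}]
```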

Pending Families (to be expanded)

The following gap families were referenced in November indices and still need detailed findings written out:

  • CV1–CV10 (CVSS v4 receipts), CVM1–CVM10 (momentum), FC1–FC10 (SCA fixture gaps), OB1–OB10 (onboarding), IG1–IG10 (implementor guidance), RR1–RR10 (Rekor receipts), SK1–SK10 (standups), MI1–MI10 (UI micro-interactions), PVX1–PVX10 (Proof-linked VEX UI), TTE1–TTE10 (Time-to-Evidence), AR-EP1…AR-VB1 (archived advisories revival), BP1–BP10 (SBOM→VEX proof pipeline), UT1–UT10 (unknown heuristics), CE1–CE10 (evidence patterns), ET1–ET10 (ecosystem fixtures), RB1–RB10 (reachability fixtures), G1–G12 / RD1–RD10 (reachability benchmark/dataset), UN1–UN10 (unknowns registry), U1–U10 (decay), EX1–EX10 (explainability), VEX1–VEX10 (VEX claims), BR1–BR10 (binary reachability), VT1–VT10 (triage), PL1–PL10 (plugin arch), EB1–EB10 (evidence baseline), EC1–EC10 (export center), AT1–AT10 (automation), OK1–OK10 / RK1–RK10 / MS1–MS10 (offline/mirror/Rekor kits), AU1–AU10 (auth), CL1–CL10 (CLI), OR1–OR10 (orchestrator), ZR1–ZR10 (Zastava), NR1–NR10 (Notify), GA1–GA10 (graph analytics), TO1–TO10 (telemetry), PS1–PS10 (policy), FL1–FL10 (ledger), CI1–CI10 (Concelier ingest).

Each pending family should be expanded in this document (or split into dedicated, linked supplements) with numbered findings, recommended evidence, and deterministic test/fixture expectations.

Decision Trace

  • This document was created to satisfy sprint and index references to “31-Nov-2025 FINDINGS.md” and unblock gap-remediation tasks across Scanner/SBOM/VEX and ingest tracks.