TASKS
| Task | Owner(s) | Depends on | Notes | 
|---|---|---|---|
| Select GHSA data source & auth model | BE-Conn-GHSA | Research | DONE (2025-10-10) – Adopted GitHub Security Advisories REST (global) endpoint with bearer token + API version headers documented in `GhsaOptions`. |
| Fetch pipeline & state management | BE-Conn-GHSA | Source.Common, Storage.Mongo | DONE (2025-10-10) – Implemented list/detail fetch using `GhsaCursor` (time window + page), resumable `SourceState` and backoff controls. |
| DTO & parser implementation | BE-Conn-GHSA | Source.Common | DONE (2025-10-10) – Added `GhsaRecordParser`/DTOs extracting aliases, references, severity, vulnerable ranges, patched versions. |
| Canonical mapping & range primitives | BE-Conn-GHSA | Models | DONE (2025-10-10) – `GhsaMapper` emits GHSA advisories with SemVer packages, vendor extensions (ecosystem/package) and deterministic references. 2025-10-11 research trail: upcoming normalized array should follow `[{"scheme":"semver","type":"range","min":"<min>","minInclusive":true,"max":"<max>","maxInclusive":false,"notes":"ghsa:GHSA-xxxx"}]`; include patched-only advisories as `lt`/`lte` when no explicit floor. |
| Deterministic fixtures & tests | QA | Testing | DONE (2025-10-10) – New `StellaOps.Concelier.Connector.Ghsa.Tests` regression covers fetch/parse/map via canned GHSA fixtures and snapshot assertions. |
| Telemetry & documentation | DevEx | Docs | DONE (2025-10-10) – Diagnostics meter (`ghsa.fetch.*`) wired; DI extension documents token/headers and job registrations. |
| GitHub quota monitoring & retries | BE-Conn-GHSA, Observability | Source.Common | DONE (2025-10-12) – Rate-limit metrics/logs added, retry/backoff handles 403 secondary limits, and ops runbook documents dashboards + mitigation steps. |
| Production credential & scheduler rollout | Ops, BE-Conn-GHSA | Docs, WebService | DONE (2025-10-12) – Scheduler defaults registered via `JobSchedulerBuilder`, credential provisioning documented (Compose/Helm samples), and staged backfill guidance captured in `docs/ops/concelier-ghsa-operations.md`. |
| FEEDCONN-GHSA-04-002 Conflict regression fixtures | BE-Conn-GHSA, QA | Merge FEEDMERGE-ENGINE-04-001 | DONE (2025-10-12) – Added `conflict-ghsa.canonical.json` + `GhsaConflictFixtureTests`; SemVer ranges and credits align with merge precedence triple and are shareable with QA. Validation: `dotnet test src/StellaOps.Concelier.Connector.Ghsa.Tests/StellaOps.Concelier.Connector.Ghsa.Tests.csproj --filter GhsaConflictFixtureTests`. |
| FEEDCONN-GHSA-02-004 GHSA credits & ecosystem severity mapping | BE-Conn-GHSA | Models FEEDMODELS-SCHEMA-01-002 | DONE (2025-10-11) – Mapper emits advisory credits with provenance masks, fixtures assert role/contact ordering, and severity normalization remains unchanged. | 
| FEEDCONN-GHSA-02-007 Credit parity regression fixtures | BE-Conn-GHSA, QA | Source.Nvd, Source.Osv | DONE (2025-10-12) – Parity fixtures regenerated via tools/FixtureUpdater, normalized SemVer notes verified against GHSA/NVD/OSV snapshots, and the fixtures guide now documents the headroom checks. | 
| FEEDCONN-GHSA-02-001 Normalized versions rollout | BE-Conn-GHSA | Models FEEDMODELS-SCHEMA-01-003, Normalization playbook | DONE (2025-10-11) – GHSA mapper now emits SemVer primitives + normalized ranges, fixtures refreshed, connector tests passing; report logged via FEEDMERGE-COORD-02-900. | 
| FEEDCONN-GHSA-02-005 Quota monitoring hardening | BE-Conn-GHSA, Observability | Source.Common metrics | DONE (2025-10-12) – Diagnostics expose headroom histograms/gauges, warning logs dedupe below the configured threshold, and the ops runbook gained alerting and mitigation guidance. | 
| FEEDCONN-GHSA-02-006 Scheduler rollout integration | BE-Conn-GHSA, Ops | Job scheduler | DONE (2025-10-12) – Dependency routine tests assert cron/timeouts, and the runbook highlights cron overrides plus backoff toggles for staged rollouts. | 
| FEEDCONN-GHSA-04-003 Description/CWE/metric parity rollout | BE-Conn-GHSA | Models, Core | DONE (2025-10-15) – Mapper emits advisory description, CWE weaknesses, and canonical CVSS metric id with updated fixtures (`osv-ghsa.osv.json` parity suite) and connector regression covers the new fields. Reported completion to Merge coordination. |
| FEEDCONN-GHSA-04-004 Canonical metric fallback coverage | BE-Conn-GHSA | Models, Merge | DONE (2025-10-16) – Ensure canonical metric ids remain populated when GitHub omits CVSS vectors/scores; add fixtures capturing severity-only advisories, document precedence with Merge, and emit analytics to track fallback usage. 2025-10-16: Mapper now emits `ghsa:severity/<level>` canonical ids when vectors are missing, diagnostics expose `ghsa.map.canonical_metric_fallbacks`, conflict/mapper fixtures updated, and runbook documents Merge precedence. Tests: `dotnet test src/StellaOps.Concelier.Connector.Ghsa.Tests/StellaOps.Concelier.Connector.Ghsa.Tests.csproj`. |