stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
3aed135fb5e5791efcbe3399084e5e88f1ad0083
git.stella-ops.org/TODOS.md
Vladimir Moushkov d0c95cf328
Some checks failed
Build Test Deploy / build-test (push) Has been cancelled
Details
Build Test Deploy / docs (push) Has been cancelled
Details
Build Test Deploy / deploy (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
UP
2025-10-09 18:59:17 +03:00

3.3 KiB
Raw Blame History

Pending Task Backlog

Last updated: 2025-10-09 (UTC)

Common

  • Build/test sweeps (QA DOING)
    Full solution runs still fail the StellaOps.Feedser.Storage.Mongo.Tests/AdvisoryStorePerformanceTests budget. We need either to optimise the hot paths in AdvisoryStore for large advisory payloads or relax the perf thresholds with new baseline data. Once the bottleneck is addressed, rerun the full suite and capture metrics for the release checklist.

  • OSV vs GHSA parity checks (QA & BE-Merge TODO)
    Design and implement a diff detector comparing OSV advisories against GHSA records. The deliverable should flag mismatched aliases, missing affected ranges, or divergent severities, surface actionable telemetry/alerts, and include regression tests with canned OSV+GHSA fixtures.

Prerequisites

  • Range primitives for SemVer/EVR/NEVRA metadata (BE-Merge DOING)
    The core model supports range primitives, but several connectors (notably Apple, remaining vendor feeds, and older distro paths) still emit raw strings. We must extend those mappers to populate the structured envelopes (SemVer/EVR/NEVRA plus vendor extensions) and add fixture coverage so merge/export layers see consistent telemetry.

  • Provenance envelope field masks (BE-Merge DOING)
    Provenance needs richer categorisation (component category, severity bands, resume counters) and better dedupe metrics. Update the provenance model, extend diagnostics to emit the new tags, and refresh dashboards/tests to ensure determinism once additional metadata flows through.

Implementations

  • Model provenance & range backlog (BE-Merge DOING)
    With Adobe/Ubuntu now emitting range primitives, focus on the remaining connectors (e.g., Apple, smaller vendor PSIRTs). Update their pipelines, regenerate goldens, and confirm feedser.range.primitives metrics reflect the added telemetry. The task closes when every high-priority source produces structured ranges with provenance.

  • Trivy DB exporter delta strategy (BE-Export TODO)
    Finalise the delta-reset story in ExportStateManager: define when to invalidate baselines, how to reuse unchanged layers, and document operator workflows. Implement planner logic for layer reuse, update exporter tests, and exercise a delta→full→delta sequence.

  • Red Hat fixture validation sweep (QA DOING)
    Regenerate RHSA fixtures with the latest connector output and make sure the regenerated snapshots align once the outstanding connector tweaks land. Blockers: connector regression fixes still in-flight; revisit once those merges stabilise to avoid churn.

  • Plan incremental/delta exports (BE-Export DOING)
    TrivyDbExportPlanner now captures changed files but does not yet reuse existing OCI layers. Extend the planner to build per-file manifests, teach the writer to skip untouched layers, and add delta-cycle tests covering file removals, additions, and checksum changes.

  • Scan execution & result upload workflow (DevEx/CLI & Ops Integrator DOING)
    stella scan run/stella scan upload need completion: support the remaining executor backends (dotnet/self-hosted/docker), capture structured run metadata, implement retry/backoff on uploads, and add integration tests exercising happy-path and failure retries. Update CLI docs once the workflow is stable.