37 lines
3.3 KiB
Markdown
37 lines
3.3 KiB
Markdown
# Pending Task Backlog
|
||
|
||
> Last updated: 2025-10-09 (UTC)
|
||
|
||
## Common
|
||
|
||
- **Build/test sweeps (QA – DOING)**
|
||
Full solution runs still fail the `StellaOps.Feedser.Storage.Mongo.Tests/AdvisoryStorePerformanceTests` budget. We need either to optimise the hot paths in `AdvisoryStore` for large advisory payloads or relax the perf thresholds with new baseline data. Once the bottleneck is addressed, rerun the full suite and capture metrics for the release checklist.
|
||
|
||
- **OSV vs GHSA parity checks (QA & BE-Merge – TODO)**
|
||
Design and implement a diff detector comparing OSV advisories against GHSA records. The deliverable should flag mismatched aliases, missing affected ranges, or divergent severities, surface actionable telemetry/alerts, and include regression tests with canned OSV+GHSA fixtures.
|
||
|
||
## Prerequisites
|
||
|
||
- **Range primitives for SemVer/EVR/NEVRA metadata (BE-Merge – DOING)**
|
||
The core model supports range primitives, but several connectors (notably Apple, remaining vendor feeds, and older distro paths) still emit raw strings. We must extend those mappers to populate the structured envelopes (SemVer/EVR/NEVRA plus vendor extensions) and add fixture coverage so merge/export layers see consistent telemetry.
|
||
|
||
- **Provenance envelope field masks (BE-Merge – DOING)**
|
||
Provenance needs richer categorisation (component category, severity bands, resume counters) and better dedupe metrics. Update the provenance model, extend diagnostics to emit the new tags, and refresh dashboards/tests to ensure determinism once additional metadata flows through.
|
||
|
||
## Implementations
|
||
|
||
- **Model provenance & range backlog (BE-Merge – DOING)**
|
||
With Adobe/Ubuntu now emitting range primitives, focus on the remaining connectors (e.g., Apple, smaller vendor PSIRTs). Update their pipelines, regenerate goldens, and confirm `feedser.range.primitives` metrics reflect the added telemetry. The task closes when every high-priority source produces structured ranges with provenance.
|
||
|
||
- **Trivy DB exporter delta strategy (BE-Export – TODO)**
|
||
Finalise the delta-reset story in `ExportStateManager`: define when to invalidate baselines, how to reuse unchanged layers, and document operator workflows. Implement planner logic for layer reuse, update exporter tests, and exercise a delta→full→delta sequence.
|
||
|
||
- **Red Hat fixture validation sweep (QA – DOING)**
|
||
Regenerate RHSA fixtures with the latest connector output and make sure the regenerated snapshots align once the outstanding connector tweaks land. Blockers: connector regression fixes still in-flight; revisit once those merges stabilise to avoid churn.
|
||
|
||
- **Plan incremental/delta exports (BE-Export – DOING)**
|
||
`TrivyDbExportPlanner` now captures changed files but does not yet reuse existing OCI layers. Extend the planner to build per-file manifests, teach the writer to skip untouched layers, and add delta-cycle tests covering file removals, additions, and checksum changes.
|
||
|
||
- **Scan execution & result upload workflow (DevEx/CLI & Ops Integrator – DOING)**
|
||
`stella scan run`/`stella scan upload` need completion: support the remaining executor backends (dotnet/self-hosted/docker), capture structured run metadata, implement retry/backoff on uploads, and add integration tests exercising happy-path and failure retries. Update CLI docs once the workflow is stable.
|