git.stella-ops.org/docs/benchmarks/scanner/deep-dives/macos.md
master b1e78fe412
feat: Implement vulnerability token signing and verification utilities
- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.
2025-11-03 10:04:10 +02:00


macOS Package Ecosystem — Coverage Deep Dive

Competitor snapshot

  • Trivy: Official coverage tables list only Linux distributions (Alpine/Wolfi, Debian/Ubuntu, RHEL family, SUSE, Photon, Amazon, Bottlerocket). No analyzer exists for Homebrew, Mac App Store receipts, or .app bundles.
  • Grype: Mirrors Syft catalogers that target Linux package managers; no matchers for Homebrew formulae, pkgutil receipts, or macOS frameworks.
  • Snyk CLI: Container and open-source scans are routed through the SaaS backend; macOS host package analysis is not advertised or documented.

Proposed StellaOps roadmap

See also: ../../modules/scanner/design/macos-analyzer.md for the in-depth design brief.

  1. Homebrew cellar collector
    • Parse /usr/local/Cellar and /opt/homebrew/Cellar manifest files plus taps metadata to enumerate installed formulae/casks.
    • Normalize tap origin, version, revision, and bottle source; map to pkg:brew/{tap}/{name}@{version} PURLs.
  2. System receipt inventory
    • Parse /var/db/receipts/*.plist and the companion .bom files (the data that pkgutil --pkgs and --pkg-info-plist expose) to capture Apple installer packages and third-party pkg receipts.
    • Record CFBundleIdentifier, install timestamps, and BOM file hashes to feed deterministic provenance.
  3. Application bundle inspection
    • Scan /Applications, /System/Applications, and /Users/*/Applications for .app bundles.
    • Extract Info.plist data (bundle id/version), embedded frameworks, entitlements, and code signing certificates.
  4. Policy alignment
    • Emit capability hints (network, TCC categories) for Policy Engine gating.
    • Provide allow lists for signed Apple system components versus third-party apps.
  5. Offline parity
    • Mirror Homebrew tap metadata snapshots and entitlements schema inside Offline Kit.
    • Package notarization certificate bundles and CRL/OCSP cache guidance for air-gapped verification.
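
The Homebrew cellar collector in roadmap item 1, worked through as an added example (this is illustrative code written for this deep dive, not StellaOps scanner code). It walks a Cellar root, reads each keg's INSTALL_RECEIPT.json, splits the keg directory name into version and revision, and emits deterministic pkg:brew PURLs. The receipt field layout ("source": {"tap": ...}, "poured_from_bottle", "runtime_dependencies") follows current Homebrew receipts; the default tap for a receipt that omits one, the `revision` qualifier, and the sample Cellar tree are this example's own assumptions. It also handles the edge case the PURL template glosses over: formula names such as openssl@3 contain '@' and must be percent-encoded so the version separator stays unambiguous.

```python
"""Prototype Homebrew cellar collector (added example, not StellaOps code).
Walks <Cellar>/<formula>/<keg>/INSTALL_RECEIPT.json and emits pkg:brew records."""
import json
import tempfile
from pathlib import Path
from urllib.parse import quote


def split_keg_version(keg_dir_name):
    """A keg directory is named '<version>' or '<version>_<revision>' (e.g. 1.7.1_1)."""
    version, sep, revision = keg_dir_name.rpartition("_")
    if sep and revision.isdigit():
        return version, int(revision)
    return keg_dir_name, 0


def brew_purl(tap, name, version, revision):
    """pkg:brew/{tap}/{name}@{version}. Names such as openssl@3 contain '@', so the name is
    percent-encoded (openssl%403). The revision qualifier is this example's own convention."""
    qualifier = f"?revision={revision}" if revision else ""
    return f"pkg:brew/{tap}/{quote(name, safe='')}@{version}{qualifier}"


def collect_homebrew(cellar_root):
    """Enumerate installed kegs and build one component record per (tap, name, version, revision)."""
    records = {}
    for receipt in sorted(Path(cellar_root).glob("*/*/INSTALL_RECEIPT.json")):  # sorted => deterministic
        keg_dir = receipt.parent
        name = keg_dir.parent.name
        version, revision = split_keg_version(keg_dir.name)
        with receipt.open("r", encoding="utf-8") as fh:
            data = json.load(fh)
        source = data.get("source") or {}
        # Assumption: a receipt without a tap came from homebrew/core.
        tap = source.get("tap") or "homebrew/core"
        key = (tap, name, version, revision)
        if key in records:  # same keg reached twice (e.g. symlinked Cellar): keep the first
            continue
        records[key] = {
            "name": name,
            "tap": tap,
            "version": version,
            "revision": revision,
            "purl": brew_purl(tap, name, version, revision),
            "poured_from_bottle": bool(data.get("poured_from_bottle", False)),
            "installed_on_request": bool(data.get("installed_on_request", False)),
            "runtime_dependencies": sorted(
                dep.get("full_name", "") for dep in data.get("runtime_dependencies", [])
                if isinstance(dep, dict)),
            "keg_path": str(keg_dir),
        }
    return [records[k] for k in sorted(records)]


def build_sample_cellar(root):
    """Write a constructed Cellar tree (sample data, not taken from any real host)."""
    cellar = Path(root) / "Cellar"
    samples = {
        ("openssl@3", "3.1.4"): {"source": {"tap": "homebrew/core", "spec": "stable"},
                                 "poured_from_bottle": True, "installed_on_request": False,
                                 "runtime_dependencies": [{"full_name": "ca-certificates", "version": "2023-08-22"}]},
        ("jq", "1.7.1_1"): {"source": {"tap": "homebrew/core"}, "poured_from_bottle": True,
                            "installed_on_request": True,
                            "runtime_dependencies": [{"full_name": "oniguruma", "version": "6.9.9"}]},
        ("mytool", "0.4.0"): {"source": {"tap": "acme/tools"}, "poured_from_bottle": False,
                              "installed_on_request": True},
    }
    for (name, keg), receipt in samples.items():
        keg_dir = cellar / name / keg
        keg_dir.mkdir(parents=True, exist_ok=True)
        (keg_dir / "INSTALL_RECEIPT.json").write_text(json.dumps(receipt), encoding="utf-8")
    return cellar


def run_demo():
    """Build the sample Cellar in a temp dir and return the collected records."""
    with tempfile.TemporaryDirectory() as tmp:
        return collect_homebrew(build_sample_cellar(tmp))


if __name__ == "__main__":
    for rec in run_demo():
        print(rec["purl"], "bottle" if rec["poured_from_bottle"] else "source-built")
```

Pointing `collect_homebrew` at /opt/homebrew/Cellar or /usr/local/Cellar on a real host yields the same record shape; the sorted glob and the tuple key are what make the output order stable across runs, which matters once the records feed a deterministic SBOM.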

Detection technique comparison

| Technique | Artifacts | Merge strategy | Notes |
| --- | --- | --- | --- |
| Homebrew cellar parsing | Cellar manifests, INSTALL_RECEIPT.json, tap metadata | Produce per-formula component records keyed by tap + version; merge duplicates by canonical tap origin; attach bottle SHA256 for provenance. | Requires tap snapshot to ensure deterministic version resolution. |
| pkgutil receipt parsing | /var/db/receipts/*.plist + .bom files | Build component entries for Apple/third-party installer packages; merge with bundle evidence when matching CFBundleIdentifier. | Provides authoritative install-time metadata including install source. |
| .app bundle inspection | Info.plist, CodeResources, entitlements, embedded frameworks | Emit capability records (e.g., tcc.camera, network.client); merge with receipts when bundle id matches. | Must preserve signing chain and team identifier; store hash of CodeDirectory. |
| Launch daemon/service mapping | /Library/LaunchDaemons, /Library/LaunchAgents, launchctl print exports | (Planned) Attach runtime usage hints for Policy Engine and EntryTrace cross-module alignment. | Helps differentiate dormant apps from active services. |
| Competitor baseline | | No competitor evidence to merge; Trivy/Grype/Snyk lack macOS analyzers. | Presents differentiation opportunity once demand justifies investment. |
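
The receipt-parsing and bundle-inspection rows above (roadmap items 2 and 3), worked through as one added example; this is illustrative code written for this deep dive, not StellaOps scanner code. It parses receipt plists and Info.plist files with the standard-library plistlib, derives capability hints (tcc.*, network.*) from entitlement keys, and merges the two evidence sources when CFBundleIdentifier equals the receipt's PackageIdentifier, keeping unmatched evidence from either side instead of dropping it. The entitlement-to-capability mapping, the Contents/entitlements.plist location (on a live host entitlements come from the code signature, e.g. codesign -d --entitlements), and the sample receipts and bundles are this example's own constructions.

```python
"""Prototype receipt + .app bundle inventory (added example, not StellaOps code)."""
import datetime as dt
import plistlib
import tempfile
from pathlib import Path

# Illustrative mapping (this example's assumption) from App Sandbox / hardened-runtime
# entitlement keys to the capability vocabulary used in the detection table.
ENTITLEMENT_CAPABILITIES = {
    "com.apple.security.network.client": "network.client",
    "com.apple.security.network.server": "network.server",
    "com.apple.security.device.camera": "tcc.camera",
    "com.apple.security.device.microphone": "tcc.microphone",
    "com.apple.security.cs.disable-library-validation": "hardened-runtime.library-validation-disabled",
}


def load_receipts(receipts_dir):
    """Parse <dir>/*.plist receipts (the /var/db/receipts layout) keyed by PackageIdentifier."""
    out = {}
    for path in sorted(Path(receipts_dir).glob("*.plist")):
        with path.open("rb") as fh:
            data = plistlib.load(fh)
        pkg_id = data.get("PackageIdentifier")
        if not pkg_id:
            continue  # malformed receipt: skip rather than guess an identity
        install = data.get("InstallDate")
        out[pkg_id] = {
            "package_id": pkg_id,
            "package_version": str(data.get("PackageVersion", "")),
            "install_date": install.isoformat() if isinstance(install, dt.datetime) else None,
            "install_prefix": data.get("InstallPrefixPath", "/"),
            "package_file": data.get("PackageFileName"),
            "receipt_path": str(path),
        }
    return out


def inspect_bundle(app_dir):
    """Read Contents/Info.plist plus a (hypothetically located) entitlements plist."""
    app_dir = Path(app_dir)
    info_path = app_dir / "Contents" / "Info.plist"
    if not info_path.is_file():
        return None
    with info_path.open("rb") as fh:
        info = plistlib.load(fh)
    bundle_id = info.get("CFBundleIdentifier")
    if not bundle_id:
        return None  # no identifier: cannot be merged, must be surfaced separately
    entitlements = {}
    ent_path = app_dir / "Contents" / "entitlements.plist"  # sample location, see lead-in
    if ent_path.is_file():
        with ent_path.open("rb") as fh:
            entitlements = plistlib.load(fh)
    granted = [k for k, v in entitlements.items() if v is True]
    return {
        "bundle_id": bundle_id,
        "bundle_version": str(info.get("CFBundleShortVersionString") or info.get("CFBundleVersion", "")),
        "executable": info.get("CFBundleExecutable"),
        "sandboxed": entitlements.get("com.apple.security.app-sandbox") is True,
        "capabilities": sorted({ENTITLEMENT_CAPABILITIES[k] for k in granted if k in ENTITLEMENT_CAPABILITIES}),
        "unmapped_entitlements": sorted(k for k in granted if k not in ENTITLEMENT_CAPABILITIES),
        "bundle_path": str(app_dir),
    }


def merge_inventory(receipts, bundles):
    """Join bundle evidence to a receipt when CFBundleIdentifier == PackageIdentifier."""
    merged, matched = [], set()
    for bundle in bundles:
        receipt = receipts.get(bundle["bundle_id"])
        record = dict(bundle)
        record["source"] = "receipt+bundle" if receipt else "bundle-only"
        record["install_date"] = receipt["install_date"] if receipt else None
        record["package_version"] = receipt["package_version"] if receipt else None
        if receipt:
            matched.add(receipt["package_id"])
        merged.append(record)
    for pkg_id, receipt in receipts.items():
        if pkg_id not in matched:
            merged.append({**receipt, "source": "receipt-only"})
    return sorted(merged, key=lambda r: (r["source"], r.get("bundle_id") or r["package_id"]))


def build_sample_host(root):
    """Write constructed receipts and .app bundles (sample data, not from a real host)."""
    receipts, apps = Path(root) / "var/db/receipts", Path(root) / "Applications"
    for d in (receipts, apps):
        d.mkdir(parents=True)
    for pkg_id, version, fname in (("com.example.Notes", "2.1.0", "Notes.pkg"),
                                   ("com.example.DriverKit", "1.0.3", "Driver.pkg")):
        (receipts / f"{pkg_id}.plist").write_bytes(plistlib.dumps({
            "PackageIdentifier": pkg_id, "PackageVersion": version, "PackageFileName": fname,
            "InstallDate": dt.datetime(2025, 10, 1, 9, 30), "InstallPrefixPath": "/"}))
    samples = (("Notes", "com.example.Notes", "2.1.0", {"com.apple.security.app-sandbox": True,
                "com.apple.security.network.client": True, "com.apple.security.device.camera": True}),
               ("Sideloaded", "com.example.Sideloaded", "0.9", {"com.example.custom": True,
                "com.apple.security.cs.disable-library-validation": True}))
    for name, bundle_id, version, ents in samples:
        contents = apps / f"{name}.app" / "Contents"
        contents.mkdir(parents=True)
        (contents / "Info.plist").write_bytes(plistlib.dumps({"CFBundleIdentifier": bundle_id,
            "CFBundleShortVersionString": version, "CFBundleExecutable": name}))
        (contents / "entitlements.plist").write_bytes(plistlib.dumps(ents))
    return receipts, apps


def run_demo():
    """Build the sample host in a temp dir and return the merged inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        receipts_dir, apps_dir = build_sample_host(tmp)
        bundles = [b for b in map(inspect_bundle, sorted(apps_dir.glob("*.app"))) if b]
        return merge_inventory(load_receipts(receipts_dir), bundles)


if __name__ == "__main__":
    for rec in run_demo():
        print(rec["source"], rec.get("bundle_id") or rec["package_id"], rec.get("capabilities", []))
```

The three `source` values are the point for Policy Engine gating: a receipt-only package is installed software with no visible bundle (drivers, CLI tools), a bundle-only app has no installer provenance (sideloaded or drag-installed), and only the merged case carries both install-time metadata and entitlement-derived capabilities. Entitlement keys the mapping does not know are kept under `unmapped_entitlements` rather than silently discarded, so taxonomy gaps show up in the output.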

Backlog / coordination

  • Keep demand capture in docs/benchmarks/scanner/windows-macos-demand.md up to date; once thresholds are met, open:
    • SCANNER-ENG-00xx (macOS cellar/receipt analyzer design spike).
    • DOCS-SCANNER-BENCH-62-002 (this docs parent task) — exit criteria: demand summary + design scope recommendation.
    • Policy task to define macOS capability predicates (entitlements, notarization state).
  • Align with Offline Kit guild on notarization/CRL packaging and tap mirroring strategy.

Open design questions

| Topic | Question | Owner |
| --- | --- | --- |
| Notarization verification | Should scanner verify Apple notarization tickets or delegate to Policy Engine? | Security Guild |
| Entitlement taxonomy | How granular should capability predicates be (per entitlement vs grouped categories)? | Policy Guild |
| User-space scope | Do we scan per-user Homebrew installs and sandboxed app containers? | Scanner Guild |
| Performance | Do we cache receipts/bundle metadata between scans given large .app trees? | Scanner + Surface Guilds |