git.stella-ops.org/docs/04_FEATURE_MATRIX.md
master 491e883653 Add tests for SBOM generation determinism across multiple formats
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-24 00:36:14 +02:00


# 4 · Feature Matrix — **Stella Ops**
*(rev 4.0 · 24 Dec 2025)*
> **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail.
---
## Pricing Tiers Overview
| Tier | Scans/Day | Registration | Token Refresh | Target User | Price |
|------|-----------|--------------|---------------|-------------|-------|
| **Free** | 33 | None | 12h auto | Individual developer | $0 |
| **Community** | 333 | Required | 30d manual | Startups, small teams (<25) | $0 |
| **Enterprise** | 2,000+ | SSO/Contract | Annual | Organizations (25+), regulated | Contact Sales |
**Key Differences:**
- **Free → Community**: Same features, 10× quota, requires registration
- **Community → Enterprise**: Compliance, scale, multi-team, support
---
## Competitive Moat Features
*These differentiators are available across all tiers to build brand and adoption.*

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Signed Replayable Risk Verdicts | | | | Core differentiator |
| Decision Capsules | | | | Audit-grade evidence bundles |
| VEX Decisioning Engine | | | | Trust lattice + conflict resolution |
| Reachability with Portable Proofs | | | | Three-layer analysis |
| Smart-Diff (Semantic Risk Delta) | | | | Material change detection |
| Unknowns as First-Class State | | | | Uncertainty budgets |
| Deterministic Replay | | | | `stella replay srm.yaml` |
---
## SBOM & Ingestion
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Trivy-JSON Ingestion | | | | |
| SPDX-JSON 3.0.1 Ingestion | | | | |
| CycloneDX 1.6/1.7 Ingestion | | | | |
| Auto-format Detection | | | | |
| Delta-SBOM Cache | | | | Warm scans <1s |
| SBOM Generation (all formats) | | | | |
| Semantic SBOM Diff | | | | |
| BYOS (Bring-Your-Own-SBOM) | | | | |
| **SBOM Lineage Ledger** | | | | Full versioned history |
| **SBOM Lineage API** | | | | Traversal queries |
---
## Scanning & Detection
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVE Lookup via Local DB | | | | |
| Licence-Risk Detection | | | | Q4-2025 |
| **Language Analyzers (All 8)** | | | | |
| .NET/C#, Java, Go, Python | | | | |
| Node.js, Ruby, Bun, Native | | | | |
| **Progressive Fidelity Modes** | | | | |
| Quick Mode | | | | |
| Standard Mode | | | | |
| Deep Mode | | | | Full analysis |
| Base Image Detection | | | | |
| Layer-Aware Analysis | | | | |
| **Concurrent Scan Workers** | 1 | 3 | Unlimited | |
---
## Reachability Analysis
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Static Call Graph | | | | |
| Entrypoint Detection | | | | 9+ framework types |
| BFS Reachability | | | | |
| Reachability Drift Detection | | | | |
| Binary Loader Resolution | | | | ELF/PE/Mach-O |
| Feature Flag/Config Gating | | | | Layer 3 analysis |
| Runtime Signal Correlation | | | | Zastava integration |
| Gate Detection (auth/admin) | | | | Enterprise policies |
| Path Witness Generation | | | | Audit evidence |
| Reachability Mini-Map API | | | | UI visualization |
| Runtime Timeline API | | | | Temporal analysis |
---
## Binary Analysis (BinaryIndex)
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Binary Identity Extraction | | | | Build-ID, hashes |
| Build-ID Vulnerability Lookup | | | | |
| Debian/Ubuntu Corpus | | | | |
| RPM/RHEL Corpus | | | | |
| Patch-Aware Backport Detection | | | | |
| PE/Mach-O/ELF Parsers | | | | |
| **Binary Fingerprint Generation** | | | | Advanced detection |
| **Fingerprint Matching Engine** | | | | Similarity search |
| **DWARF/Symbol Analysis** | | | | Debug symbols |
---
## Advisory Sources (Concelier)
| Source | Free | Community | Enterprise | Notes |
|--------|:----:|:---------:|:----------:|-------|
| NVD | | | | |
| GHSA | | | | |
| OSV | | | | |
| Alpine SecDB | | | | |
| Debian Security Tracker | | | | |
| Ubuntu USN | | | | |
| RHEL/CentOS OVAL | | | | |
| KEV (Exploited Vulns) | | | | |
| EPSS v4 | | | | |
| **Custom Advisory Connectors** | | | | Private feeds |
| **Advisory Merge Engine** | | | | Conflict resolution |
---
## VEX Processing (Excititor)
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| OpenVEX Ingestion | | | | |
| CycloneDX VEX Ingestion | | | | |
| CSAF VEX Ingestion | | | | |
| VEX Consensus Resolver | | | | |
| Trust Vector Scoring (P/C/R) | | | | |
| Claim Strength Multipliers | | | | |
| Freshness Decay | | | | |
| **Conflict Detection & Penalty** | | | | K4 lattice logic |
| **VEX Conflict Studio UI** | | | | Visual resolution |
| **Trust Calibration Service** | | | | Org-specific tuning |
| **VEX Hub (Distribution)** | | | | Internal VEX network |
---
## Policy Engine
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| YAML Policy Rules | | | | Basic rules |
| Belnap K4 Four-Valued Logic | | | | |
| Security Atoms (6 types) | | | | |
| Disposition Selection (ECMA-424) | | | | |
| Minimum Confidence Gate | | | | |
| Unknowns Budget Gate | | | | |
| Source Quota Gate | | | | 60% cap enforcement |
| Reachability Requirement Gate | | | | For criticals |
| **OPA/Rego Integration** | | | | Custom policies |
| **Exception Objects & Workflow** | | | | Approval chains |
| **Score Policy YAML** | | | | Full customization |
| **Configurable Scoring Profiles** | | | | Simple/Advanced |
| **Policy Version History** | | | | Audit trail |
---
## Attestation & Signing
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| DSSE Envelope Signing | | | | |
| in-toto Statement Structure | | | | |
| SBOM Predicate | | | | |
| VEX Predicate | | | | |
| Reachability Predicate | | | | |
| Policy Decision Predicate | | | | |
| Verdict Manifest (signed) | | | | |
| Verdict Replay Verification | | | | |
| **Human Approval Predicate** | | | | Workflow attestation |
| **Boundary Predicate** | | | | Network exposure |
| **Key Rotation Management** | | | | Enterprise key ops |
| **SLSA Provenance v1.0** | | | | Supply chain |
| **Rekor Transparency Log** | | | | Public attestation |
| **Cosign Integration** | | | | Sigstore ecosystem |
---
## Regional Crypto (Sovereign Profiles)
*Compliance features for regulated industries.*

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Default Crypto (Ed25519) | | | | |
| **FIPS 140-2/3 Mode** | | | | US Federal |
| **eIDAS Signatures** | | | | EU Compliance |
| **GOST/CryptoPro** | | | | Russia |
| **SM National Standard** | | | | China |
| **Post-Quantum (Dilithium)** | | | | Future-proof |
| **Crypto Plugin Architecture** | | | | Custom HSM |
---
## Determinism & Reproducibility
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Canonical JSON Serialization | | | | |
| Content-Addressed IDs | | | | SHA-256 |
| Replay Manifest (SRM) | | | | |
| `stella replay` CLI | | | | |
| Score Explanation Arrays | | | | |
| Evidence Freshness Multipliers | | | | |
| Proof Coverage Metrics | | | | |
| **Fidelity Metrics (BF/SF/PF)** | | | | Audit dashboards |
| **FN-Drift Rate Tracking** | | | | Quality monitoring |
| **Determinism Gate CI** | | | | Automated checks |
---
## Scoring & Risk Assessment
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVSS v4.0 Display | | | | |
| EPSS v4 Probability | | | | |
| Priority Band Classification | | | | |
| EPSS-at-Scan Immutability | | | | |
| Unified Confidence Model | | | | 5-factor |
| **Entropy-Based Scoring** | | | | Advanced |
| **Gate Multipliers** | | | | Reachability-aware |
| **Unknowns Pressure Factor** | | | | Risk budgets |
| **Custom Scoring Profiles** | | | | Org-specific |
---
## Evidence & Findings
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Findings List | | | | |
| Evidence Graph View | | | | Basic |
| Decision Capsules | | | | |
| **Findings Ledger (Immutable)** | | | | Audit trail |
| **Evidence Locker (Sealed)** | | | | Export/import |
| **Evidence TTL Policies** | | | | Retention rules |
| **Evidence Size Budgets** | | | | Storage governance |
| **Retention Tiers** | | | | Hot/Warm/Cold |
| **Privacy Controls** | | | | Redaction |
| **Audit Pack Export** | | | | Compliance bundles |
---
## CLI Capabilities
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Scanner Commands | | | | |
| SBOM Inspect & Diff | | | | |
| Deterministic Replay | | | | |
| Attestation Verify | | | | |
| Unknowns Budget Check | | | | |
| Evidence Export | | | | |
| **Audit Pack Operations** | | | | Full workflow |
| **Binary Match Inspection** | | | | Advanced |
| **Crypto Plugin Commands** | | | | Regional crypto |
| **Admin Utilities** | | | | Ops tooling |
---
## Web UI Capabilities
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Dark/Light Mode | | | | |
| Findings Row Component | | | | |
| Evidence Drawer | | | | |
| Proof Tab | | | | |
| Confidence Meter | | | | |
| Locale Support | | | | Cyrillic, etc. |
| Reproduce Verdict Button | | | | |
| **Audit Trail UI** | | | | Full history |
| **Trust Algebra Panel** | | | | P/C/R visualization |
| **Claim Comparison Table** | | | | Conflict view |
| **Policy Chips Display** | | | | Gate status |
| **Reachability Mini-Map** | | | | Path visualization |
| **Runtime Timeline** | | | | Temporal view |
| **Operator/Auditor Toggle** | | | | Role separation |
| **Knowledge Snapshot UI** | | | | Air-gap prep |
| **Keyboard Shortcuts** | | | | Power users |
---
## Quota & Operations
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| **Scans per Day** | **33** | **333** | **2,000+** | Soft limit |
| Usage API (`/quota`) | | | | |
| Client-JWT (Online) | 12h | 30d | Annual | Token duration |
| Rate Limiting | | | | |
| 429 Backpressure | | | | |
| Retry-After Headers | | | | |
| **Priority Queue** | | | | Guaranteed capacity |
| **Burst Allowance** | | | | 3× daily for 1hr |
| **Custom Quotas** | | | | Per contract |
---
## Offline & Air-Gap
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Offline Update Kits (OUK) | | Monthly | Weekly | Feed freshness |
| Offline Signature Verify | | | | |
| One-Command Replay | | | | |
| **Sealed Knowledge Snapshots** | | | | Full feed export |
| **Air-Gap Bundle Manifest** | | | | Transfer packages |
| **No-Egress Enforcement** | | | | Strict isolation |
| **Offline JWT (90d)** | | | | Extended tokens |
---
## Deployment
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Docker Compose | | | | Single-node |
| Helm Chart (K8s) | | | | |
| PostgreSQL 16+ | | | | |
| Valkey 8.0+ | | | | |
| RustFS (S3) | | | | |
| **High-Availability** | | | | Multi-replica |
| **Horizontal Scaling** | | | | Auto-scale |
| **Dedicated Capacity** | | | | Reserved resources |
---
## Access Control & Identity
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Auth | | | | |
| API Keys | | | | |
| **SSO/SAML Integration** | | | | Okta, Azure AD |
| **OIDC Support** | | | | |
| **Advanced RBAC** | | | | Team-based |
| **Multi-Tenant Management** | | | | Org hierarchy |
| **Audit Log Export** | | | | SIEM integration |
---
## Notifications & Integrations
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Email Notifications | | | | |
| In-App Notifications | | | | |
| EPSS Change Alerts | | | | |
| **Slack Integration** | | | | Enterprise Grid |
| **Teams Integration** | | | | Enterprise |
| **Custom Webhooks** | | | | Any endpoint |
| **CI/CD Gates** | | | | GitLab/GitHub/Jenkins |
| **Zastava Registry Hooks** | | | | Auto-scan on push |
---
## Scheduling & Automation
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Manual Scans | | | | |
| **Scheduled Scans** | | | | Cron-based |
| **Task Pack Orchestration** | | | | Declarative workflows |
| **EPSS Daily Refresh** | | | | Auto-update |
| **Event-Driven Scanning** | | | | On registry push |
---
## Observability & Telemetry
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Metrics | | | | |
| Opt-In Telemetry | | | | |
| **OpenTelemetry Traces** | | | | Full tracing |
| **Prometheus Export** | | | | Custom dashboards |
| **Quality KPIs Dashboard** | | | | Triage metrics |
| **SLA Monitoring** | | | | Uptime tracking |
---
## Support & Services
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Documentation | | | | |
| Community Forums | | | | |
| GitHub Issues | | | | |
| **Email Support** | | | | Business hours |
| **Priority Support** | | | | 4hr response |
| **24/7 Critical Support** | | | | Add-on |
| **Dedicated CSM** | | | | Named contact |
| **Professional Services** | | | | Implementation |
| **Training & Certification** | | | | Team enablement |
| **SLA Guarantee** | | | | 99.9% uptime |
---
## Version Comparison
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| RPM (NEVRA) | | | | |
| Debian (EVR) | | | | |
| Alpine (APK) | | | | |
| SemVer | | | | |
| PURL Resolution | | | | |
---
## Summary by Tier
### Free Tier (33 scans/day)
**Target:** Individual developers, OSS contributors, evaluation
- All language analyzers
- Basic scanning and SBOM generation
- Core determinism features
- Basic VEX and policy
- Docker Compose deployment
- Community support
### Community Tier (333 scans/day)
**Target:** Startups, small teams (<25), active open source projects
Everything in Free, plus:
- 10× scan quota
- Deep analysis mode
- Binary analysis basics
- Advanced attestation predicates
- Helm/K8s deployment
- Email notifications
- Monthly OUK access
**Registration required, 30-day token renewal**
### Enterprise Tier (2,000+ scans/day)
**Target:** Organizations 25+, regulated industries, compliance-driven
Everything in Community, plus:
- **Compliance**: Regional crypto (FIPS/eIDAS/GOST/SM), SLSA, Rekor
- **Scale**: HA, horizontal scaling, priority queue
- **Access**: SSO/SAML, advanced RBAC, multi-tenant
- **Advanced**: Binary fingerprints, trust calibration, custom policies
- **Air-Gap**: Sealed snapshots, extended offline tokens
- **Integration**: Enterprise Slack/Teams, CI/CD gates, webhooks
- **Support**: SLA, priority support, dedicated CSM
---
## Statistics Summary
| Metric | Value |
|--------|-------|
| **Total Features** | 150+ |
| **Free Tier Features** | ~45 |
| **Community Tier Features** | ~85 |
| **Enterprise Tier Features** | 150+ |
| **Language Analyzers** | 8 (all tiers) |
| **Advisory Sources** | 9 (Free), 10 (Community), 11+ (Enterprise) |
| **Crypto Profiles** | 1 (Free/Community), 6 (Enterprise) |
---
> **Legend:** ✅ = Included | — = Not available | ⏳ = Planned
---
*Last updated: 24 Dec 2025 (rev 4.0 - Tiered Commercial Model)*