stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
582a88e8f8ddf9e03bf1a0cff65f619bf4306ea1
git.stella-ops.org/docs/modules/export-center/operations/risk-bundle-provider-matrix.md
StellaOps Bot 71e9a56cfd
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
feat: Add Scanner CI runner and related artifacts 
- Implemented `run-scanner-ci.sh` to build and run tests for the Scanner solution with a warmed NuGet cache.
- Created `excititor-vex-traces.json` dashboard for monitoring Excititor VEX observations.
- Added Docker Compose configuration for the OTLP span sink in `docker-compose.spansink.yml`.
- Configured OpenTelemetry collector in `otel-spansink.yaml` to receive and process traces.
- Developed `run-spansink.sh` script to run the OTLP span sink for Excititor traces.
- Introduced `FileSystemRiskBundleObjectStore` for storing risk bundle artifacts in the filesystem.
- Built `RiskBundleBuilder` for creating risk bundles with associated metadata and providers.
- Established `RiskBundleJob` to execute the risk bundle creation and storage process.
- Defined models for risk bundle inputs, entries, and manifests in `RiskBundleModels.cs`.
- Implemented signing functionality for risk bundle manifests with `HmacRiskBundleManifestSigner`.
- Created unit tests for `RiskBundleBuilder`, `RiskBundleJob`, and signing functionality to ensure correctness.
- Added filesystem artifact reader tests to validate manifest parsing and artifact listing.
- Included test manifests for egress scenarios in the task runner tests.
- Developed timeline query service tests to verify tenant and event ID handling.
2025-11-30 19:12:35 +02:00

3.3 KiB
Raw Blame History

Risk Bundle Provider Matrix & Signing Baseline

Status: Baseline for Sprint 0164-0001-0001 (RISK-BUNDLE-69/70 chain)

Provider catalog (deterministic ordering)

Provider ID Source feed (offline-ready) Coverage Refresh cadence Signing / integrity Notes
cisa-kev CISA Known Exploited Vulnerabilities JSON Exploited CVEs with required/known exploited flag Daily DSSE signature using ExportCenter signing key; feed hash recorded in provider-manifest.json Mandatory; fails bundle if feed missing or hash mismatch.
first-epss FIRST EPSS CSV snapshot Probability scores per CVE Daily DSSE signature; SHA-256 of snapshot stored in manifest Optional; omit if snapshot stale >48h unless allowStale=true.
osv OpenSSF OSV bulk JSON (per-ecosystem shards) OSS advisories with affected package ranges Weekly DSSE signature; per-shard SHA-256 list Included only when includeOsv=true in job options to keep bundle size constrained.
vendor-csaf CSAF vendor advisories (Red Hat, SUSE, Debian) mirrored via Offline Kit Vendor-specific CVEs, remediations Weekly Detached signature per CSAF document (vendor-provided where available) plus bundle-level DSSE manifest Requires Offline Kit mirror; missing vendor feeds logged but bundle continues if allowPartialVendors=true.

Manifest baseline

  • Generate provider-manifest.json with sorted provider entries. Fields per provider: {id, source, snapshotDate, sha256, signaturePath, optional}.
  • Store DSSE envelope for provider-manifest.json at signatures/provider-manifest.dsse (cosign/KMS).
  • Include provider digests in manifests/provenance.json materials array with URI risk-provider://<id>/<snapshotDate>.

Signing baseline

  • Use Export Center signing path (cosign + Authority KMS) for:
    • provider-manifest.json (DSSE)
    • Aggregated risk-bundle.tar.* (detached signature risk-bundle.sig)
  • Vendor-provided signatures (when present) are preserved inside providers/<id>/ and referenced from provider-manifest.json.
  • Rekor publishing remains optional; default off for offline kits (rekor_publish=false).

Validation rules (bundle build)

  • Fail build if any mandatory provider (currently cisa-kev) is missing or hash mismatch.
  • Warn (non-fatal) when optional providers are stale beyond cadence unless allowStale=true.
  • Deterministic ordering: providers sorted by id; files sorted lexicographically inside bundle.
  • Record bundle-level inputs hash combining provider SHA-256 values (stable ordering) and include in provenance materials[].

Verification workflow alignment

  • CLI stella risk bundle verify must validate:
    • DSSE on provider-manifest.json
    • Hash match for each provider snapshot
    • Presence (or allowed absence) per optional flag
    • Detached signature on bundle archive (cosign/KMS)
  • Offline verification uses bundled public key (signatures/pubkeys/<tenant>.pem).

Next steps / TODOs

  • Add test fixtures: minimal provider snapshots (kev+epss) with fixed hashes for deterministic regression tests.
  • Update ExportCenter worker to emit provider-manifest.json and DSSE using existing signing pipeline.
  • Extend CLI verify command to surface per-provider status (missing/stale/hash mismatch) and exit non-zero on mandatory failures.