git.stella-ops.org/docs/product-advisories/31-Nov-2025 FINDINGS.md
StellaOps Bot 600f3a7a3c
feat(graph): introduce graph.inspect.v1 contract and schema for SBOM relationships
- Added graph.inspect.v1 documentation outlining payload structure and determinism rules.
- Created JSON schema for graph.inspect.v1 to enforce payload validation.
- Defined mapping rules for graph relationships, advisories, and VEX statements.

feat(notifications): establish remediation blueprint for gaps NR1-NR10

- Documented requirements, evidence, and tests for Notifier runtime.
- Specified deliverables and next steps for addressing identified gaps.

docs(notifications): organize operations and schemas documentation

- Created README files for operations, schemas, and security notes to clarify deliverables and policies.

feat(advisory): implement PostgreSQL caching for Link-Not-Merge linksets

- Created database schema for advisory linkset cache.
- Developed repository for managing advisory linkset cache operations.
- Added tests to ensure correct functionality of the AdvisoryLinksetCacheRepository.
2025-12-04 09:36:59 +02:00


31-Nov-2025 FINDINGS (Gap Consolidation)

Purpose

This advisory consolidates late-November gap findings across Scanner, SBOM/VEX spine, competitor ingest, and other cross-cutting areas. It enumerates remediation tracks referenced by multiple sprints (for example SPRINT_0186_0001_0001_record_deterministic_execution.md) so implementation teams can scope work without waiting on scattered notes.

Scope & Status

  • Created: 2025-12-02 (retroactive to 2025-11-30 findings review)
  • Applies to: Scanner, Sbomer, Policy/Authority, CLI/UI, Observability, Offline/Release
  • Priority sets included: SC1–SC10 (Scanner), SP1–SP10 (SBOM/VEX spine), CM1–CM10 (Competitor ingest). Other gap families remain to be catalogued; see "Pending families" below.

SC (Scanner Blueprint) Gaps — SC1–SC10

  1. SC1 — Standards convergence roadmap: Land coordinated adoption of CVSS v4.0, CycloneDX 1.7 (incl. CBOM), and SLSA 1.2 in scanner outputs and docs.
  2. SC2 — CDX 1.7 + CBOM exports: Produce deterministic CycloneDX 1.7 with CBOM sections and embedded evidence citations.
  3. SC3 — SLSA Source Track capture: Capture source-trace fields (build provenance, source repo refs, build-id) in replay bundles.
  4. SC4 — Compatibility adapters: Provide downgrade adapters (CVSS v4→v3.1, CDX 1.7→1.6, SLSA 1.2→1.0) with deterministic mapping tables.
  5. SC5 — Determinism CI for new formats: Add CI checks/harnesses ensuring stable ordering/hashes for new schemas.
  6. SC6 — Binary/source evidence alignment: Align binary evidence (build-id, symbols, patch oracle) with source SBOM/VEX outputs.
  7. SC7 — API/UI surfacing: Expose the new metadata in surface API and console (filters, columns, download endpoints).
  8. SC8 — Baseline fixtures: Curate fixture set covering v4 scoring, CBOM, SLSA 1.2, and evidence chips for regression.
  9. SC9 — Governance/approvals: Define review gates/approvers for schema bumps and downgrade mappings.
  10. SC10 — Offline-kit parity: Ensure offline kits ship frozen schemas, mappings, and fixtures for the above.

SP (SBOM/VEX Spine) Gaps — SP1–SP10

  1. SP1 — Versioned API/DTO schemas: Introduce versioned SBOM/VEX spine schemas with explicit migration rules.
  2. SP2 — Predicate/edge evidence requirements: Mandate evidence fields per predicate/edge (e.g., reachability proof, package identity, build metadata).
  3. SP3 — Unknowns workflow contract: Define lifecycle/SLA for Unknowns registry entries and their surfacing in spine APIs.
  4. SP4 — DSSE-signed bundle manifest: Require DSSE-signed manifest including hash listings for every spine artifact.
  5. SP5 — Deterministic diff rules/fixtures: Specify canonical diff rules and fixtures for SBOM/VEX deltas.
  6. SP6 — Feed snapshot freeze/staleness: Codify snapshot/policy freshness guarantees and staleness thresholds.
  7. SP7 — Mandated DSSE per stage: Enforce DSSE signatures per processing stage with Rekor/mirror policies (online/offline).
  8. SP8 — Policy lattice versioning: Version the policy lattice and embed version refs into spine objects.
  9. SP9 — Performance/pagination limits: Set deterministic pagination/ordering and perf budgets for API queries.
  10. SP10 — Crosswalk mappings: Provide crosswalk between SBOM/VEX/graph/policy outputs for auditors and tooling.

CM (Competitor Ingest) Gaps — CM1–CM10

  1. CM1 — Normalization adapters: Harden ingest adapters for Syft/Trivy/Clair (SBOM + vuln scan) into StellaOps schemas.
  2. CM2 — Signature/provenance verification: Verify external SBOM/scan signatures and provenance before acceptance; reject/flag unverifiable payloads.
  3. CM3 — Snapshot governance: Enforce DB snapshot versioning, freshness SLAs, and rollback plans for imported feeds.
  4. CM4 — Anomaly regression tests: Add regression tests for known ingest anomalies (schema drift, nullables, encoding, ordering).
  5. CM5 — Offline ingest kits: Provide offline kits with DSSE-signed adapters, mappings, and fixtures for external SBOM/scan imports.
  6. CM6 — Fallback rules: Define fallback hierarchy when external data is incomplete (prefer signed SBOM → unsigned SBOM → scan results → policy defaults).
  7. CM7 — Source transparency: Persist source tool/version/hash metadata and expose it in APIs/exports.
  8. CM8 — Benchmark parity: Maintain benchmark parity with upstream tool baselines (version-pinned, hash-logged runs).
  9. CM9 — Ecosystem coverage: Track coverage per ecosystem (container, Java, Python, .NET, Go, OS packages) and gaps for ingest support.
  10. CM10 — Error resilience & retries: Standardize retry/backoff/error classification for ingest pipeline; surface diagnostics deterministically.

OK (Offline Kit) Gaps — OK1–OK10

  1. OK1 — Key manifest + PQ co-sign: Record key IDs and PQ dual-sign toggle in bundle meta; rotate keys ≤90 days. Evidence: out/mirror/thin/mirror-thin-v1.bundle.json (chain_of_custody.keyid) and layers/offline-kit-policy.json.
  2. OK2 — Tool hashing/signing: Hash build/sign/verify tools and pin them in bundle meta (tooling.*); DSSE envelopes cover manifest + bundle meta.
  3. OK3 — DSSE top-level manifest: Ship DSSE for bundle meta (mirror-thin-v1.bundle.dsse.json) linking manifest, tarball, policies, and optional OCI layout.
  4. OK4 — Checkpoint freshness + mirror metadata: Enforce checkpoint_freshness_seconds and timestamped created in bundle meta; require checkpoints in transport-plan.json.
  5. OK5 — Deterministic packaging flags: Capture tar/gzip flags in layers/offline-kit-policy.json and verify via scripts/mirror/verify_thin_bundle.py determinism checks.
  6. OK6 — Scan/VEX/policy/graph hashes: Include layers/artifact-hashes.json with digests for scan/vex/policy/graph fixtures and reference from bundle meta.
  7. OK7 — Time anchor bundling: Embed layers/time-anchor.json digest in bundle meta and surface trust-root path for AIRGAP-TIME.
  8. OK8 — Transport/chunking + chain-of-custody: Define chunk sizing, retry policy, and signed chain-of-custody in layers/transport-plan.json (includes build/sign digests + keyid).
  9. OK9 — Tenant/environment scoping: Require tenant/environment fields in bundle meta; verifier enforces via --tenant/--environment flags.
  10. OK10 — Scripted verify + negative paths: scripts/mirror/verify_thin_bundle.py validates required layers, DSSE, sidecars, tool hashes, and scope; fails fast on missing/stale artefacts.

RK (Rekor) Gaps — RK1–RK10

  1. RK1 — DSSE/hashedrekord only: layers/rekor-policy.json sets rk1_enforceDsse=true and routes both public/private to hashedrekord.
  2. RK2 — Payload size preflight + chunks: rk2_payloadMaxBytes=1048576 with chunking guidance in transport-plan.json.
  3. RK3 — Public/private routing policy: Explicit routing map (rk3_routing) for shard-aware submission.
  4. RK4 — Shard-aware checkpoints: rk4_shardCheckpoint="per-tenant-per-day" plus checkpoint freshness from bundle meta.
  5. RK5 — Idempotent submission keys: rk5_idempotentKeys=true to prevent duplicate entries.
  6. RK6 — Sigstore bundles in kits: rk6_sigstoreBundleIncluded=true; bundle meta lists DSSE artefacts for offline kits.
  7. RK7 — Checkpoint freshness bounds: rk7_checkpointFreshnessSeconds mirrors bundle freshness budget.
  8. RK8 — PQ dual-sign options: rk8_pqDualSign mirrors PQ toggle (env PQ_CO_SIGN_REQUIRED).
  9. RK9 — Error taxonomy/backoff: Enumerated in rk9_errorTaxonomy and retried per transport-plan.json retry policy.
  10. RK10 — Policy/graph annotations: rk10_annotations require policy + graph context inside DSSE/bundle records.

MS (Mirror Strategy) Gaps — MS1–MS10

  1. MS1 — Signed/versioned mirror schemas: layers/mirror-policy.json tracks schemaVersion + semver; DSSE of bundle meta ties schema to artefacts.
  2. MS2 — DSSE/TUF rotation policy (incl. PQ): dsseTufRotationDays=30 and pqDualSign toggle documented in mirror policy and bundle meta.
  3. MS3 — Delta spec with tombstones/base hash: Mirror policy delta enforces tombstones and base-hash requirements for deltas.
  4. MS4 — Time-anchor freshness enforcement: timeAnchorFreshnessSeconds plus bundled time-anchor.json digest.
  5. MS5 — Tenant/env scoping: Tenant/environment fields required in bundle meta; verifier flags mismatches.
  6. MS6 — Distribution integrity (HTTP/OCI/object): distributionIntegrity enumerates integrity strategies for each transport.
  7. MS7 — Chunking/size rules: chunking.sizeBytes + maxChunks pinned in mirror policy and reflected in transport plan.
  8. MS8 — Standard verify script: verifyScript references scripts/mirror/verify_thin_bundle.py; bundle meta recorded in DSSE envelope.
  9. MS9 — Metrics/alerts: The mirror policy metrics block marks the build/import/verify signals that are required for observability.
  10. MS10 — SemVer/change log: changelog block declares current format version; future bumps must be appended with deterministic notes.

NR (Notify Runtime) Gaps — NR1–NR10

  1. NR1 — Signed, versioned schema catalog: Publish JSON Schemas for event envelopes, rules, templates, channels, receipts, and webhooks with explicit schema_version and tenant fields; ship a DSSE-signed catalog (docs/notifications/schemas/notify-schemas-catalog.json + .dsse.json) and canonical hash recipe (BLAKE3-256 over normalized JSON). Evidence: catalog + DSSE, inputs.lock with schema digests.
  2. NR2 — Tenant scoping & approvals: Require tenant ID on all Notify APIs, channels, and ack receipts; enforce per-tenant RBAC/approvals for high-impact rules (escalations, PII, cross-tenant fan-out); document rejection reasons. Evidence: RBAC/approval matrix + conformance tests.
  3. NR3 — Deterministic rendering & localization: Rendering must be deterministic across locales/time zones: stable merge-field ordering, UTC ISO-8601 timestamps with fixed format, locale whitelist, deterministic preview output hashed in ledger; golden fixtures for each channel/template. Evidence: rendering fixture set + hash expectations.
  4. NR4 — Quotas, backpressure, DLQ: Per-tenant/channel quotas, burst budgets, and backpressure rules applied before enqueue; DLQ schema with redrive semantics and idempotent keys; require metrics/alerts for queue depth and DLQ growth. Evidence: quota policy doc + DLQ schema + redrive test harness.
  5. NR5 — Retry & idempotency policy: Canonical delivery_id (UUIDv7) + dedupe key per event×rule×channel; exponential backoff with jitter + max attempts; connectors must be idempotent; ensure out-of-order acks are ignored. Evidence: retry matrix + idempotency conformance tests.
  6. NR6 — Webhook/ack security: Mandatory HMAC with rotated secrets or mTLS/DPoP for webhooks; signed ack URLs/tokens with nonce, expiry, audience, and single-use guarantees; restrict allowed domains/paths per tenant. Evidence: security policy + negative-path tests.
  7. NR7 — Redaction & PII limits: Classify template fields, require redaction of secrets/PII in stored payloads/logs, hash-sensitive values, and enforce size/field allowlists; previews/logs must default to redacted variants. Evidence: redaction catalog + fixtures demonstrating sanitized storage and previews.
  8. NR8 — Observability SLO alerts: Define SLOs for delivery latency, success rate, backlog, DLQ age; standard metrics (notify_delivery_success_total, notify_backlog_depth, etc.) with alert thresholds and runbooks; traces carry tenant/rule/channel IDs with sampling rules. Evidence: dashboard JSON + alert rules + trace exemplar IDs.
  9. NR9 — Offline notify-kit with DSSE: Produce offline kit containing schemas, rules/templates, connector configs, verify script, and DSSE-signed manifest; include hash list and time-anchor hook; support deterministic packaging flags and tenant/env scoping. Evidence: kit manifest + DSSE + verify_notify_kit.sh script.
  10. NR10 — Mandatory simulations & evidence: Rules/templates must pass simulation/dry-run against frozen fixtures before activation; store DSSE-signed simulation results and attach evidence to change approvals; require regression tests for each high-impact rule change. Evidence: simulation report + DSSE + golden fixtures and TRX/NDJSON outputs.
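The canonical hash recipe that NR1 requires (and that NR3 reuses for hashed preview output) is easy to get subtly wrong: key order, whitespace and float handling all change the bytes. The example below is added here and is not StellaOps code; it normalizes JSON the way NR1 describes, produces an inputs.lock-style listing of schema digests, and verifies a catalog against it. The page specifies BLAKE3-256; because blake3 is a third-party package, SHA-256 from the standard library stands in, and the lock record shape, the schema names and the sample schemas are constructed for the example.

```python
import hashlib
import json
from typing import Any

# Added example, not project code. The page calls for BLAKE3-256; SHA-256
# is a stand-in because blake3 is not in the standard library. Replace
# _digest with blake3.blake3(data).hexdigest() when the package is present.
HASH_ALG = "sha256 (stand-in for blake3-256)"


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize_json(doc: Any) -> bytes:
    """Assumed normalization recipe: sorted object keys, no insignificant
    whitespace, UTF-8 with non-ASCII kept literal, NaN/Infinity rejected.
    Documents that differ only in key order or formatting normalize to the
    same bytes, so their digests agree."""
    return json.dumps(
        doc, sort_keys=True, separators=(",", ":"),
        ensure_ascii=False, allow_nan=False,
    ).encode("utf-8")


def schema_digest(doc: Any) -> str:
    return _digest(normalize_json(doc))


def build_inputs_lock(schemas: dict[str, Any]) -> dict[str, Any]:
    """Build an inputs.lock-style record (shape assumed, not the project's):
    one digest per schema plus a digest over the listing itself, which is
    the value a DSSE envelope would then sign."""
    entries = {name: schema_digest(doc) for name, doc in schemas.items()}
    return {
        "hash_alg": HASH_ALG,
        "schemas": dict(sorted(entries.items())),
        "catalog_digest": _digest(normalize_json(entries)),
    }


def verify_inputs_lock(lock: dict[str, Any], schemas: dict[str, Any]) -> list[str]:
    """Recompute every digest and return findings; an empty list means the
    catalog matches the lock. Missing, unlocked and drifted schemas are
    reported separately so a CI gate can fail with a precise reason."""
    findings: list[str] = []
    expected = lock.get("schemas", {})
    for name in sorted(set(expected) | set(schemas)):
        if name not in schemas:
            findings.append(f"missing: {name}")
        elif name not in expected:
            findings.append(f"unlocked: {name}")
        elif schema_digest(schemas[name]) != expected[name]:
            findings.append(f"drift: {name}")
    if _digest(normalize_json(expected)) != lock.get("catalog_digest"):
        findings.append("catalog_digest mismatch")
    return findings


# Constructed sample schemas; not the real notify schema catalog.
SCHEMAS = {
    "event-envelope": {"schema_version": "1.0", "required": ["tenant", "event_id"]},
    "ack-receipt": {"schema_version": "1.0", "required": ["tenant", "delivery_id"]},
}

if __name__ == "__main__":
    lock = build_inputs_lock(SCHEMAS)
    print(json.dumps(lock, indent=2))
    print("findings:", verify_inputs_lock(lock, SCHEMAS))
```

The catalog digest is computed over the digest listing rather than over the concatenated schemas, so a verifier can detect a tampered lock file without re-reading every schema, and the per-schema entries still pin each document individually.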
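NR5 bundles four requirements that interact: a time-ordered delivery_id (UUIDv7), a dedupe key per event×rule×channel, exponential backoff with jitter and a bounded attempt budget, and acks that are ignored when they arrive out of order. The following is an added example, not StellaOps code; the ledger record shape, the status strings and the attempt budget are assumed. Python's uuid module only gained uuid7 in 3.14, so the example builds the UUIDv7 layout by hand.

```python
import hashlib
import random
import uuid
from dataclasses import dataclass
from typing import Callable, Optional

# Added example, not project code. Record fields and status names are assumed.


def uuid7(now_ms: int, rand10: bytes) -> uuid.UUID:
    """UUIDv7 (RFC 9562) built by hand: 48-bit Unix millisecond timestamp,
    version nibble 7, RFC variant bits, then 74 random bits. Ids sort by
    creation time, which is why the page prefers v7 over v4."""
    raw = bytearray(now_ms.to_bytes(6, "big") + rand10[:10])
    raw[6] = (raw[6] & 0x0F) | 0x70
    raw[8] = (raw[8] & 0x3F) | 0x80
    return uuid.UUID(bytes=bytes(raw))


def is_uuid7(value: str) -> bool:
    return uuid.UUID(value).version == 7


def dedupe_key(tenant: str, event_id: str, rule_id: str, channel_id: str) -> str:
    """One key per event x rule x channel, tenant-prefixed so equal event ids
    from different tenants never collide; a separator byte keeps fields apart."""
    joined = "\x1f".join((tenant, event_id, rule_id, channel_id))
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


def backoff_delay(attempt: int, base: float = 1.0, cap: float = 60.0,
                  rng: Callable[[], float] = random.random) -> float:
    """Exponential backoff with full jitter: a uniform draw from
    [0, min(cap, base * 2**attempt)]; attempt is 0 for the first retry."""
    return rng() * min(cap, base * (2 ** attempt))


@dataclass
class Delivery:
    delivery_id: str
    dedupe_key: str
    attempts: int = 0                  # attempts dispatched so far
    acked_attempt: Optional[int] = None
    status: str = "pending"


class DeliveryLedger:
    MAX_ATTEMPTS = 5                   # assumed budget; exhausted deliveries go to the DLQ

    def __init__(self) -> None:
        self._by_key: dict[str, Delivery] = {}
        self._by_id: dict[str, Delivery] = {}

    def enqueue(self, tenant: str, event_id: str, rule_id: str, channel_id: str,
                now_ms: int, rand10: bytes) -> tuple[Delivery, bool]:
        """Idempotent: re-enqueueing the same event/rule/channel returns the
        existing record and reports that nothing new was created."""
        key = dedupe_key(tenant, event_id, rule_id, channel_id)
        if key in self._by_key:
            return self._by_key[key], False
        rec = Delivery(delivery_id=str(uuid7(now_ms, rand10)), dedupe_key=key)
        self._by_key[key] = rec
        self._by_id[rec.delivery_id] = rec
        return rec, True

    def next_attempt(self, delivery_id: str) -> Optional[int]:
        """Dispatch one more attempt and return its number, or None once the
        delivery is settled or the budget is spent (caller redrives via DLQ)."""
        rec = self._by_id[delivery_id]
        if rec.status != "pending" or rec.attempts >= self.MAX_ATTEMPTS:
            return None
        rec.attempts += 1
        return rec.attempts

    def ack(self, delivery_id: str, attempt: int, outcome: str) -> str:
        """Apply an ack only if it refers to the latest dispatched attempt and
        nothing has been acked yet; everything else is ignored, not errored."""
        rec = self._by_id.get(delivery_id)
        if rec is None:
            return "ignored_unknown"
        if rec.acked_attempt is not None:
            return "ignored_duplicate"
        if attempt != rec.attempts:
            return "ignored_stale"     # late ack for a superseded (or unknown) attempt
        rec.acked_attempt = attempt
        rec.status = outcome
        return "applied"
```

Ignoring a stale ack means an attempt that actually succeeded late is treated as unanswered, so the connector may deliver again; that is exactly why NR5 also requires connectors to be idempotent on delivery_id.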
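NR6 asks for signed ack URLs/tokens with nonce, expiry, audience and single-use guarantees, under HMAC secrets that rotate. The example below is added here and is not StellaOps code: it issues and verifies such a token, checking the signature before trusting any claim, binding the token to a tenant, consuming the nonce on first use, and carrying a key id outside the signed body so that retiring a key invalidates every token issued under it. The token layout, claim names and reason strings are assumptions, and the nonce store is an in-memory set standing in for a shared store.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable

# Added example, not project code. Token layout: <key_id>.<b64url claims>.<b64url hmac>.


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AckTokenService:
    """Single-use ack tokens: HMAC-SHA256 over canonical JSON claims with
    audience, tenant, expiry and a nonce. The nonce set here is per-process;
    a deployment needs a shared store with the same check-and-mark semantics."""

    def __init__(self, keys: dict[str, bytes], active_key_id: str, audience: str,
                 ttl_seconds: int = 900, clock: Callable[[], float] = time.time) -> None:
        self._keys = dict(keys)
        self._active = active_key_id
        self._audience = audience
        self._ttl = ttl_seconds
        self._clock = clock
        self._used_nonces: set[str] = set()

    def retire_key(self, key_id: str) -> None:
        """Rotation step: tokens signed under a retired key stop verifying."""
        self._keys.pop(key_id, None)

    def issue(self, tenant: str, delivery_id: str) -> str:
        claims = {
            "aud": self._audience,
            "tenant": tenant,
            "delivery_id": delivery_id,
            "nonce": secrets.token_hex(16),
            "exp": int(self._clock()) + self._ttl,
        }
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
        mac = hmac.new(self._keys[self._active], body, hashlib.sha256).digest()
        return ".".join((self._active, _b64u(body), _b64u(mac)))

    def verify(self, token: str, tenant: str) -> tuple[bool, str]:
        """Returns (ok, delivery_id-or-reason). The signature is checked
        before any claim is read so unauthenticated data never steers logic."""
        try:
            key_id, body_part, mac_part = token.split(".")
            body, mac = _unb64u(body_part), _unb64u(mac_part)
        except (ValueError, binascii.Error):
            return False, "malformed"
        key = self._keys.get(key_id)
        if key is None:
            return False, "unknown_key"
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac):
            return False, "bad_signature"
        try:
            claims = json.loads(body)
        except ValueError:
            return False, "malformed"
        if claims.get("aud") != self._audience:
            return False, "wrong_audience"
        if claims.get("tenant") != tenant:
            return False, "tenant_mismatch"
        if self._clock() >= claims.get("exp", 0):
            return False, "expired"
        nonce = claims.get("nonce")
        if not nonce or nonce in self._used_nonces:
            return False, "replayed"
        self._used_nonces.add(nonce)       # consume: a second presentation is rejected
        return True, claims["delivery_id"]
```

Rejection reasons are returned rather than logged so the caller can emit the "rejection reasons" NR2 asks for; a production endpoint would still answer the client with a uniform failure to avoid leaking which check failed.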

Pending Families (to be expanded)

The following gap families were referenced in November indices and still need detailed findings written out:

  • CV1–CV10 (CVSS v4 receipts), CVM1–CVM10 (momentum), FC1–FC10 (SCA fixture gaps), OB1–OB10 (onboarding), IG1–IG10 (implementor guidance), RR1–RR10 (Rekor receipts), SK1–SK10 (standups), MI1–MI10 (UI micro-interactions), PVX1–PVX10 (Proof-linked VEX UI), TTE1–TTE10 (Time-to-Evidence), AR-EP1…AR-VB1 (archived advisories revival), BP1–BP10 (SBOM→VEX proof pipeline), UT1–UT10 (unknown heuristics), CE1–CE10 (evidence patterns), ET1–ET10 (ecosystem fixtures), RB1–RB10 (reachability fixtures), G1–G12 / RD1–RD10 (reachability benchmark/dataset), UN1–UN10 (unknowns registry), U1–U10 (decay), EX1–EX10 (explainability), VEX1–VEX10 (VEX claims), BR1–BR10 (binary reachability), VT1–VT10 (triage), PL1–PL10 (plugin arch), EB1–EB10 (evidence baseline), EC1–EC10 (export center), AT1–AT10 (automation), OK1–OK10 / RK1–RK10 / MS1–MS10 (offline/mirror/Rekor kits), TP1–TP10 (task packs), AU1–AU10 (auth), CL1–CL10 (CLI), OR1–OR10 (orchestrator), ZR1–ZR10 (Zastava), NR1–NR10 (Notify), GA1–GA10 (graph analytics), TO1–TO10 (telemetry), PS1–PS10 (policy), FL1–FL10 (ledger), CI1–CI10 (Concelier ingest).

Each pending family should be expanded in this document (or split into dedicated, linked supplements) with numbered findings, recommended evidence, and deterministic test/fixture expectations.

Decision Trace

  • This document was created to satisfy sprint and index references to “31-Nov-2025 FINDINGS.md” and unblock gap-remediation tasks across Scanner/SBOM/VEX and ingest tracks.