607ce619fe
Bundled commit covering pre-session work from multiple Concelier sprints already archived or in-flight: - SPRINT_20260419_006: mirror domain / source key validation - SPRINT_20260419_029 / 030: durable jobs orchestrator runtime + endpoint verification - SPRINT_20260421_001: advisory source projection truthful counts - SPRINT_20260421_002: FE advisory source consistency (connector-side bits) - SPRINT_20260421_003: advisory connector runtime alignment - SPRINT_20260422_003: source credential entry paths (in-flight) Includes connector internals (ACSC / Adobe / CERT-BUND / Chromium / Cisco / CVE-KEV / GHSA / JVN / KISA / MSRC / Oracle / Ubuntu), source management endpoints, mirror domain management, federation endpoints, topology setup, job registration, and associated dossier updates under docs/modules/concelier/. This commit groups ~229 file changes that accumulated across the above sprints; individual changes are preserved at file granularity so blame remains useful. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
15 KiB
Concelier Connectors
This index lists Concelier connectors, their status, authentication expectations, and links to operational runbooks. For procedures and alerting, see docs/modules/concelier/operations/connectors/.
Operator configuration note:
- Supported advisory source credentials and endpoint overrides can now be supplied through the Web UI or
stella db connectors configure .... - GHSA, Cisco, and Microsoft use operator-supplied credentials through that path.
- Oracle, Adobe, and Chromium use public defaults and only need UI or CLI input when you override or mirror the upstream endpoints.
- See source-credentials.md.
The catalog currently contains 78 source definitions across 14 categories. The authoritative source list is defined in src/Concelier/__Libraries/StellaOps.Concelier.Core/Sources/SourceDefinitions.cs.
Canonical runtime note: the operator-facing source IDs in this index are the only scheduler/catalog IDs that should be used for Concelier jobs and setup. Legacy connector aliases such as ics-cisa, ics-kaspersky, ru-bdu, ru-nkcki, vndr-adobe, vndr-apple, vndr-chromium, vndr-cisco, vndr-oracle, and vndr.msrc remain compatibility-only aliases inside normalization paths and must not appear as primary runtime job keys.
Runtime note: the Concelier advisory catalog and the Excititor default VEX mirror bootstrap share some upstream vendors but are not the same pipeline. The default public VEX bootstrap currently seeds only redhat, ubuntu, oracle, and cisco, uses their public CSAF/notice endpoints, and staggers initial runs (5m, 7m, 9m, 11m) to avoid burst-fetching multiple upstreams at the same instant.
Source categories
| Category | Description | Source count |
|---|---|---|
| Primary | Core vulnerability databases (NVD, OSV, GHSA, CVE) | 4 |
| Threat | Threat intelligence, exploit prediction, and known-exploited (EPSS, KEV, MITRE ATT&CK, D3FEND) | 4 |
| Vendor | Vendor PSIRTs and cloud provider security bulletins | 16 |
| Distribution | Linux distribution security trackers | 10 |
| Ecosystem | Language-ecosystem advisory feeds via OSV/GHSA | 9 |
| PackageManager | Native package manager advisory databases (cargo-audit, pip-audit, govulncheck, bundler-audit) | 4 |
| Csaf | CSAF/VEX structured document sources | 3 |
| Exploit | Exploit databases and proof-of-concept repositories | 3 |
| Container | Container image advisory sources | 2 |
| Hardware | Hardware and firmware PSIRT advisories | 3 |
| Ics | Industrial control systems and SCADA advisories | 2 |
| Cert | National CERTs and government CSIRTs | 15 |
| Mirror | StellaOps pre-aggregated mirrors | 1 |
| Other | Uncategorized sources | 0 |
Primary Databases
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
|---|---|---|---|---|---|
| NVD (NIST) | nvd |
stable | api-key (optional) | 10 | nvd.md |
| OSV (Google) | osv |
stable | none | 15 | osv.md |
| GitHub Security Advisories | ghsa |
stable | api-token | 20 | ghsa.md |
| CVE.org (MITRE) | cve |
stable | none | 5 | cve.md |
Threat Intelligence & Exploit Scoring
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
|---|---|---|---|---|---|
| EPSS (FIRST) | epss |
stable | none | 50 | epss.md |
| CISA KEV | kev |
stable | none | 25 | cve-kev.md |
| MITRE ATT&CK | mitre-attack |
stable | none | 140 | -- |
| MITRE D3FEND | mitre-d3fend |
stable | none | 142 | -- |
MITRE ATT&CK provides adversary tactics and techniques in STIX format from the mitre/cti GitHub repository. D3FEND provides the complementary defensive techniques knowledge base. Both are tagged threat-intel and consumed via the SourceType.Upstream connector. For future STIX/TAXII protocol feeds, the SourceType.StixTaxii enum value is available for connector extensibility.
Vendor Advisories
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
|---|---|---|---|---|---|
| Red Hat Security | redhat |
stable | none | 30 | redhat.md |
| Microsoft Security (MSRC) | microsoft |
stable | oauth | 35 | msrc.md |
| Amazon Linux Security | amazon |
stable | none | 40 | -- |
| Google Security | google |
stable | none | 45 | -- |
| Oracle Security | oracle |
stable | none | 50 | oracle.md |
| Adobe Security | adobe |
stable | none | 52 | adobe.md |
| Apple Security | apple |
stable | none | 55 | apple.md |
| Chromium Stable Channel Updates | chromium |
stable | none | 57 | chromium.md |
| Cisco Security | cisco |
stable | oauth | 60 | cisco.md |
| Fortinet PSIRT | fortinet |
stable | none | 65 | -- |
| Juniper Security | juniper |
stable | none | 70 | -- |
| Palo Alto Security | paloalto |
stable | none | 75 | -- |
| VMware Security | vmware |
stable | none | 80 | vmware.md |
| AWS Security Bulletins | aws |
stable | none | 81 | -- |
| Azure Security Advisories | azure |
stable | none | 82 | -- |
| GCP Security Bulletins | gcp |
stable | none | 83 | -- |
AWS, Azure, and GCP cloud provider advisories were added in Sprint 007. They track platform-level security bulletins for cloud infrastructure components and are categorized under Vendor alongside traditional PSIRTs.
Mirror bootstrap note:
oracledefault VEX bootstrap discovery uses Oracle's public security RSS feed and derived*csaf.jsondocuments.ciscodefault VEX bootstrap uses Cisco's public CSAF provider metadata and does not require the OAuth credentials used by the Concelier openVuln connector.- If Cisco's public paged catalog is unavailable, the bootstrap falls back to
changes.csvand thenindex.txt, prefers newer candidates first, and checkpoints seen or permanently inaccessible legacy paths so hourly runs do not re-download or stall on the full historical corpus.
Linux Distributions
| Connector | Source ID | Status | Auth | Priority | Regions | Ops Runbook |
|---|---|---|---|---|---|---|
| Debian Security Tracker | debian |
stable | none | 30 | -- | debian.md |
| Ubuntu Security Notices | ubuntu |
stable | none | 32 | -- | ubuntu.md |
| Alpine SecDB | alpine |
stable | none | 34 | -- | alpine.md |
| SUSE Security | suse |
stable | none | 36 | -- | suse.md |
| RHEL Security | rhel |
stable | none | 38 | -- | -- |
| CentOS Security | centos |
stable | none | 40 | -- | -- |
| Fedora Security | fedora |
stable | none | 42 | -- | -- |
| Arch Security | arch |
stable | none | 44 | -- | -- |
| Gentoo Security | gentoo |
stable | none | 46 | -- | -- |
| Astra Linux Security | astra |
stable | none | 48 | RU, CIS | astra.md |
Mirror bootstrap note:
ubuntudefault VEX bootstrap readshttps://ubuntu.com/security/notices.jsonand synthesizes deterministic CSAF documents from the per-notice JSON payloads because Canonical's public path is notice JSON rather than native CSAF.
Language Ecosystems
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
|---|---|---|---|---|---|
| npm Advisories | npm |
stable | none | 50 | -- |
| PyPI Advisories | pypi |
stable | none | 52 | -- |
| Go Advisories | go |
stable | none | 54 | -- |
| RubyGems Advisories | rubygems |
stable | none | 56 | -- |
| NuGet Advisories | nuget |
stable | api-token | 58 | -- |
| Maven Advisories | maven |
stable | none | 60 | -- |
| Crates.io Advisories | crates |
stable | none | 62 | -- |
| Packagist Advisories | packagist |
stable | none | 64 | -- |
| Hex.pm Advisories | hex |
stable | none | 66 | -- |
Ecosystem connectors use OSV or GHSA GraphQL as the underlying data source. NuGet requires a GITHUB_PAT for GHSA GraphQL access.
Package Manager Native Advisories
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
|---|---|---|---|---|---|
| RustSec Advisory DB (cargo-audit) | rustsec |
stable | none | 63 | -- |
| PyPA Advisory DB (pip-audit) | pypa |
stable | none | 53 | -- |
| Go Vuln DB (govulncheck) | govuln |
stable | none | 55 | -- |
| Ruby Advisory DB (bundler-audit) | bundler-audit |
stable | none | 57 | -- |
Package manager native advisory databases provide language-specific vulnerability data curated by the respective package manager maintainers. These complement the ecosystem feeds (OSV/GHSA) by providing authoritative tool-native data used by cargo-audit, pip-audit, govulncheck, and bundler-audit. They are categorized separately under PackageManager to allow targeted mirror export filtering.
CSAF/VEX Sources
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
|---|---|---|---|---|---|
| CSAF Aggregator | csaf |
stable | none | 70 | -- |
| CSAF TC Trusted Publishers | csaf-tc |
stable | none | 72 | -- |
| VEX Hub | vex |
stable | none | 74 | -- |
Exploit Databases
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
|---|---|---|---|---|---|
| Exploit-DB | exploitdb |
stable | none | 110 | -- |
| PoC-in-GitHub | poc-github |
stable | api-token | 112 | -- |
| Metasploit Modules | metasploit |
stable | none | 114 | -- |
Exploit databases track publicly available proof-of-concept code and exploit modules. Exploit-DB is sourced from the Offensive Security GitLab mirror. PoC-in-GitHub uses the GitHub search API to discover repositories containing vulnerability PoCs (requires GITHUB_PAT). Metasploit tracks Rapid7 Metasploit Framework module metadata for CVE-to-exploit correlation.
Container Sources
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
|---|---|---|---|---|---|
| Docker Official CVEs | docker-official |
stable | none | 120 | -- |
| Chainguard Advisories | chainguard |
stable | none | 122 | -- |
Container-specific advisory sources track vulnerabilities in base images and hardened container distributions. Docker Official CVEs covers the Docker Hub official images program. Chainguard Advisories covers hardened distroless and Wolfi-based images.
Hardware/Firmware
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
|---|---|---|---|---|---|
| Intel PSIRT | intel |
stable | none | 130 | -- |
| AMD Security | amd |
stable | none | 132 | -- |
| ARM Security Center | arm |
stable | none | 134 | -- |
Hardware PSIRT advisories cover CPU microcode, firmware, and silicon-level vulnerabilities from the three major processor vendors. These sources are especially relevant for infrastructure operators tracking speculative execution (Spectre/Meltdown class) and firmware supply chain issues.
ICS/SCADA
| Connector | Source ID | Status | Auth | Priority | Regions | Ops Runbook |
|---|---|---|---|---|---|---|
| Siemens ProductCERT | siemens |
stable | none | 136 | -- | -- |
| Kaspersky ICS-CERT | kaspersky-ics |
stable | none | 102 | RU, CIS, GLOBAL | kaspersky-ics.md |
Industrial control systems advisories cover SCADA and operational technology vulnerabilities. Siemens ProductCERT publishes CSAF-format advisories. Kaspersky ICS-CERT was promoted from beta to stable in Sprint 007 after endpoint stability verification.
National CERTs
| Connector | Source ID | Status | Auth | Priority | Regions | Ops Runbook |
|---|---|---|---|---|---|---|
| CERT-FR | cert-fr |
stable | none | 80 | FR, EU | cert-fr.md |
| CERT-Bund (Germany) | cert-de |
stable | none | 82 | DE, EU | certbund.md |
| CERT.at (Austria) | cert-at |
stable | none | 84 | AT, EU | -- |
| CERT.be (Belgium) | cert-be |
stable | none | 86 | BE, EU | -- |
| NCSC-CH (Switzerland) | cert-ch |
stable | none | 88 | CH | -- |
| CERT-EU | cert-eu |
stable | none | 90 | EU | -- |
| CCCS (Canada) | cccs |
stable | none | 91 | CA, NA | cccs.md |
| JPCERT/CC (Japan) | jpcert |
stable | none | 92 | JP, APAC | jvn.md |
| CERT/CC | cert-cc |
stable | none | 93 | US, NA | cert-cc.md |
| CISA (US-CERT) | us-cert |
stable | none | 94 | US, NA | ics-cisa.md |
| CERT-UA (Ukraine) | cert-ua |
stable | none | 95 | UA | -- |
| CERT.PL (Poland) | cert-pl |
stable | none | 96 | PL, EU | -- |
| AusCERT (Australia) | auscert |
stable | none | 97 | AU, APAC | -- |
| KrCERT/CC (South Korea) | krcert |
stable | none | 98 | KR, APAC | kisa.md |
| CERT-In (India) | cert-in |
stable | none | 99 | IN, APAC | cert-in.md |
Seven additional CERTs beyond the original European/Japanese set are now defined in the catalog: CCCS (Canada), CERT/CC, CERT-UA, CERT.PL, AusCERT, KrCERT/CC, and CERT-In, extending coverage to North America, Eastern Europe, Oceania, and South/East Asia.
Russian/CIS Sources
| Connector | Source ID | Status | Auth | Priority | Regions | Ops Runbook |
|---|---|---|---|---|---|---|
| FSTEC BDU | fstec-bdu |
stable | none | 100 | RU, CIS | fstec-bdu.md |
| NKCKI | nkcki |
stable | none | 101 | RU, CIS | nkcki.md |
FSTEC BDU and NKCKI were promoted from beta to stable in Sprint 007. FSTEC BDU (Bank of Security Threats) provides vulnerability data maintained by Russia's Federal Service for Technical and Export Control. NKCKI is the National Coordination Center for Computer Incidents. Kaspersky ICS-CERT and Astra Linux are listed in their respective category sections above.
StellaOps Mirror
| Connector | Source ID | Status | Auth | Priority | Ops Runbook |
|---|---|---|---|---|---|
| StellaOps Mirror | stella-mirror |
stable | none (configurable) | 1 | -- |
The StellaOps Mirror connector consumes pre-aggregated advisory data from a StellaOps mirror instance. When using mirror mode, this source takes highest priority (1) and replaces direct upstream connections. See docs/modules/excititor/mirrors.md for mirror configuration details.
Reason Codes Reference: docs/modules/concelier/operations/connectors/reason-codes.md