stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
634233dfed12f52e50cf2846e72bb92e600f41ef
git.stella-ops.org/docs/implplan/SPRINT_4500_SUMMARY.md
StellaOps Bot 634233dfed feat: Implement distro-native version comparison for RPM, Debian, and Alpine packages 
- Add RpmVersionComparer for RPM version comparison with epoch, version, and release handling.
- Introduce DebianVersion for parsing Debian EVR (Epoch:Version-Release) strings.
- Create ApkVersion for parsing Alpine APK version strings with suffix support.
- Define IVersionComparator interface for version comparison with proof-line generation.
- Implement VersionComparisonResult struct to encapsulate comparison results and proof lines.
- Add tests for Debian and RPM version comparers to ensure correct functionality and edge case handling.
- Create project files for the version comparison library and its tests.
2025-12-22 09:50:12 +02:00

1.7 KiB
Raw Blame History

SPRINT_4500 SUMMARY: VEX Hub & Trust Scoring

Program Overview

Field Value
Program ID 4500
Theme VEX Distribution Network: Aggregation, Trust, and Ecosystem
Priority P1 (High)
Total Effort ~6 weeks
Advisory Source 19-Dec-2025 - Stella Ops candidate features mapped to moat strength

Strategic Context

The advisory explicitly calls out Aqua's VEX Hub as competitive. This program establishes StellaOps as a trusted VEX distribution layer with:

  1. VEX Hub — Aggregation, validation, and serving at scale
  2. Trust Scoring — Multi-dimensional trust assessment of VEX sources

Sprint Breakdown

Sprint ID Title Effort Moat
4500_0001_0001 VEX Hub Aggregation Service 4 weeks 3-4
4500_0001_0002 VEX Trust Scoring Framework 2 weeks 3-4

New Module

This program introduces a new module: src/VexHub/

Dependencies

  • Requires: VexLens (exists)
  • Requires: Excititor connectors (exist)
  • Requires: TrustWeightEngine (exists)

Outcomes

  1. VEX Hub aggregates statements from all configured sources
  2. API enables query by CVE, PURL, source
  3. Trivy/Grype can consume VEX from hub URL
  4. Trust scores inform consensus decisions

Competitive Positioning

Competitor VEX Capability StellaOps Differentiation
Aqua VEX Hub Centralized repository +Trust scoring, +Verification, +Decisioning coupling
Trivy VEX consumption +Aggregation source, +Consensus engine
Anchore VEX annotation +Multi-source, +Lattice logic

Sprint Series Status: TODO

Created: 2025-12-22