ICSCISA / KISA Feed Remediation Plan (v0.2 - 2025-12-07)
Purpose
Define a minimal, actionable plan to refresh overdue ICSCISA and KISA connectors, restore provenance freshness, and publish normalized payload fields for downstream Advisory AI and Concelier consumers.
Owners
- Feed owners: Concelier Feed Guild
- Product advisory liaison: Product Advisory Guild
- Backup: Docs Guild
Scope & cadence
- Feeds: ICSCISA, KISA (security advisories)
- Refresh cadence: weekly pull; publish hashlist and timestamps per run
- Staleness budget: <14 days; alert if exceeded; flag any run skipped or retried
- Execution window (v0.2): first refreshed run by 2025-12-10; weekly thereafter
Deliverables (for PREP-FEEDCONN-ICS-KISA-PLAN)
- Provenance refresh SOP
  - Mirror source URLs to internal cache before parsing; record request/response headers.
  - Record per-advisory source_url, fetched_at (UTC), sha256, signature (if present), and run_id.
  - Store run log under out/feeds/icscisa-kisa/<YYYYMMDD>/fetch.log with start/end time, HTTP status histogram, and retry counts.
- Normalized payload fields
  - Required fields: advisory_id, title, summary, published, updated, severity (pass-through), cvss (if provided), cwe, affected_products (list), references (list of URL strings), signature (object or null).
  - Preserve source values; no inference or merging; emit deterministic field ordering in NDJSON.
- Backlog cleanup
  - Reprocess last 60 days; compare hash to prior ingests; flag changed advisories.
  - Emit delta report (out/feeds/icscisa-kisa/<YYYYMMDD>/delta.json) with {run_id, added[], updated[], removed[], totals}; include sha256 of prior vs current payload when changed.
- Provenance note
  - Publish docs/modules/concelier/feeds/icscisa-kisa-provenance.md with current signing keys/fingerprints, expected headers, and fallback when signatures missing.
  - Note any unsigned advisories per run with skip_reason, and capture verification tooling used.
- Next review date
  - Set to 2025-12-21 (two-week check from v0.2) and capture SIG verification status + open deltas.
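Example (added here for illustration, not the Concelier connector code): one way to emit deterministic NDJSON lines and build the delta report described under Backlog cleanup. The function names, the OPTIONAL set, the prior_sha256/current_sha256 keys, the shape of totals, and the sample advisory are assumptions; the plan fixes only the field list and the top-level delta keys.

```python
import hashlib
import json

# Field order follows the plan's "Required fields" list.
FIELDS = ["advisory_id", "title", "summary", "published", "updated", "severity",
          "cvss", "cwe", "affected_products", "references", "signature"]
OPTIONAL = {"cvss", "signature"}  # assumption: "if provided" / "object or null"

def normalize(raw):
    """One NDJSON line, fixed key order, source values passed through unchanged."""
    missing = [f for f in FIELDS if f not in raw and f not in OPTIONAL]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    record = {f: raw.get(f) for f in FIELDS}  # absent optional fields become null
    return json.dumps(record, ensure_ascii=False, separators=(",", ":"))

def unmapped_fields(raw):
    """Schema drift: names outside the field map, to review; the raw copy keeps them."""
    return sorted(set(raw) - set(FIELDS))

def payload_sha256(line):
    """Hash the exact UTF-8 bytes that are written to advisories.ndjson."""
    return hashlib.sha256(line.encode("utf-8")).hexdigest()

def build_delta(run_id, prior, current):
    """prior: advisory_id -> sha256 from the last ingest; current: list of raw dicts."""
    seen = {r["advisory_id"]: payload_sha256(normalize(r)) for r in current}
    added = sorted(set(seen) - set(prior))
    removed = sorted(set(prior) - set(seen))
    updated = [{"advisory_id": a, "prior_sha256": prior[a], "current_sha256": seen[a]}
               for a in sorted(set(seen) & set(prior)) if prior[a] != seen[a]]
    return {"run_id": run_id, "added": added, "updated": updated, "removed": removed,
            "totals": {"added": len(added), "updated": len(updated),
                       "removed": len(removed), "current": len(seen)}}

# Constructed sample advisory, not real feed data.
SAMPLE = {"advisory_id": "EXAMPLE-0001", "title": "Example PLC advisory",
          "summary": "Constructed record.", "published": "2025-12-01T00:00:00Z",
          "updated": "2025-12-01T00:00:00Z", "severity": "High", "cwe": "CWE-787",
          "affected_products": ["Example PLC 1.0"],
          "references": ["https://example.invalid/advisory/0001"]}

if __name__ == "__main__":
    prior = {"EXAMPLE-0001": payload_sha256(normalize(SAMPLE)), "EXAMPLE-0000": "0" * 64}
    revised = dict(SAMPLE, updated="2025-12-05T00:00:00Z")
    new = dict(SAMPLE, advisory_id="EXAMPLE-0002")
    print(json.dumps(build_delta("run-constructed", prior, [revised, new]), indent=2))
```

Because the hash is taken over the normalized line, reordering keys in the source payload does not register as a change, while any edit to a mapped value does.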
Actions & timeline (v0.2 refresh)
- T0 (2025-12-08): adopt SOP + field map; create delta report template; preflight cache paths.
- T0+2d (2025-12-10): run backlog reprocess, publish artefacts + hashes for both feeds; capture unsigned counts and retry reasons.
- T0+14d (2025-12-21): review staleness, adjust cadence if needed; reset review date and owners.
Artefact locations
- Normalized advisories: out/feeds/icscisa-kisa/<YYYYMMDD>/advisories.ndjson
- Fetch log + hashes: out/feeds/icscisa-kisa/<YYYYMMDD>/fetch.log, hashes.sha256
- Delta report: out/feeds/icscisa-kisa/<YYYYMMDD>/delta.json
- Provenance note: docs/modules/concelier/feeds/icscisa-kisa-provenance.md
Risks & mitigations
- Source downtime -> mirror last good snapshot; retry daily for 3 days.
- Missing signatures -> record signature=null, log skip_reason in provenance note; do not infer validity.
- Schema drift -> treat as new fields, store raw, add to field map after review (no drop).