68bc53a07b
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
49 lines
3.1 KiB
Markdown
49 lines
3.1 KiB
Markdown
# ICSCISA / KISA Feed Remediation Plan (v0.2 - 2025-12-07)
|
|
|
|
## Purpose
|
|
Define a minimal, actionable plan to refresh overdue ICSCISA and KISA connectors, restore provenance freshness, and publish normalized payload fields for downstream Advisory AI and Concelier consumers.
|
|
|
|
## Owners
|
|
- Feed owners: Concelier Feed Guild
|
|
- Product advisory liaison: Product Advisory Guild
|
|
- Backup: Docs Guild
|
|
|
|
## Scope & cadence
|
|
- Feeds: ICSCISA, KISA (security advisories)
|
|
- Refresh cadence: weekly pull; publish hashlist and timestamps per run
|
|
- Staleness budget: <14 days; alert if exceeded; flag any run skipped or retried
|
|
- Execution window (v0.2): first refreshed run by 2025-12-10; weekly thereafter
|
|
|
|
## Deliverables (for PREP-FEEDCONN-ICS-KISA-PLAN)
|
|
1) **Provenance refresh SOP**
|
|
- Mirror source URLs to internal cache before parsing; record request/response headers.
|
|
- Record per-advisory `source_url`, `fetched_at` (UTC), `sha256`, `signature` (if present), and `run_id`.
|
|
- Store run log under `out/feeds/icscisa-kisa/<YYYYMMDD>/fetch.log` with start/end time, HTTP status histogram, and retry counts.
|
|
2) **Normalized payload fields**
|
|
- Required fields: `advisory_id`, `title`, `summary`, `published`, `updated`, `severity` (pass-through), `cvss` (if provided), `cwe`, `affected_products` (list), `references` (list of URL strings), `signature` (object or null).
|
|
- Preserve source values; no inference or merging; emit deterministic field ordering in NDJSON.
|
|
3) **Backlog cleanup**
|
|
- Reprocess last 60 days; compare hash to prior ingests; flag changed advisories.
|
|
- Emit delta report (`out/feeds/icscisa-kisa/<YYYYMMDD>/delta.json`) with `{run_id, added[], updated[], removed[], totals}`; include sha256 of prior vs current payload when changed.
|
|
4) **Provenance note**
|
|
- Publish `docs/modules/concelier/feeds/icscisa-kisa-provenance.md` with current signing keys/fingerprints, expected headers, and fallback when signatures missing.
|
|
- Note any unsigned advisories per run with `skip_reason`, and capture verification tooling used.
|
|
5) **Next review date**
|
|
- Set to 2025-12-21 (two-week check from v0.2) and capture SIG verification status + open deltas.
|
|
|
|
## Actions & timeline (v0.2 refresh)
|
|
- T0 (2025-12-08): adopt SOP + field map; create delta report template; preflight cache paths.
|
|
- T0+2d (2025-12-10): run backlog reprocess, publish artefacts + hashes for both feeds; capture unsigned counts and retry reasons.
|
|
- T0+14d (2025-12-21): review staleness, adjust cadence if needed; reset review date and owners.
|
|
|
|
## Artefact locations
|
|
- Normalized advisories: `out/feeds/icscisa-kisa/<YYYYMMDD>/advisories.ndjson`
|
|
- Fetch log + hashes: `out/feeds/icscisa-kisa/<YYYYMMDD>/fetch.log`, `hashes.sha256`
|
|
- Delta report: `out/feeds/icscisa-kisa/<YYYYMMDD>/delta.json`
|
|
- Provenance note: `docs/modules/concelier/feeds/icscisa-kisa-provenance.md`
|
|
|
|
## Risks & mitigations
|
|
- Source downtime -> mirror last good snapshot; retry daily for 3 days.
|
|
- Missing signatures -> record `signature=null`, log `skip_reason` in provenance note; do not infer validity.
|
|
- Schema drift -> treat as new fields, store raw, add to field map after review (no drop).
|