git.stella-ops.org/docs/features/checked/platform/sbom-analytics-lake.md
2026-02-12 10:27:23 +02:00

SBOM Analytics Lake (Star-Schema PostgreSQL)

Module: Platform

Status: VERIFIED

Description

Star-schema PostgreSQL analytics layer for SBOM data with component registry, vulnerability correlation tables, attestation tracking, materialized views for trend analysis, and stored procedures for analytics queries. While "Materialized Views for Analytics" is in the known list, this is a much broader star-schema analytics subsystem with dedicated migration, ingestion services, and multi-table analytics design.

Implementation Details

  • AnalyticsIngestionService: src/Platform/StellaOps.Platform.Analytics/Services/AnalyticsIngestionService.cs -- BackgroundService subscribing to orchestrator scanner-report-ready events (OrchestratorEventKinds.ScannerReportReady / scanner.event.report.ready) via IEventStream; parses SBOM (CycloneDX/SPDX), resolves artifact digests, upserts into star-schema tables (analytics.artifacts, analytics.raw_sboms, analytics.components, analytics.artifact_components), and builds dependency paths via BFS from root component.
  • VulnerabilityCorrelationService: src/Platform/StellaOps.Platform.Analytics/Services/VulnerabilityCorrelationService.cs -- correlates PURL-based components with known vulnerabilities; updates artifact vulnerability counts
  • AttestationIngestionService: src/Platform/StellaOps.Platform.Analytics/Services/AttestationIngestionService.cs -- ingests attestation events into analytics
  • Utilities: PurlParser (PURL normalization), LicenseExpressionRenderer (license aggregation), Sha256Hasher (digest computation), TenantNormalizer (tenant filtering), VersionRuleEvaluator, VulnerabilityCorrelationRules
  • AnalyticsIngestionOptions: src/Platform/StellaOps.Platform.Analytics/Options/AnalyticsIngestionOptions.cs -- configurable stream names, tenant allowlists, ingest/schema versions
  • Tests: src/Platform/__Tests/StellaOps.Platform.Analytics.Tests/
  • Source: SPRINT_20260120_030_Platform_sbom_analytics_lake.md

E2E Test Plan

  • Verify SBOM ingestion from scanner-report-ready events (scanner.event.report.ready) populates all star-schema tables
  • Test component deduplication via (purl, hash_sha256) conflict resolution
  • Verify dependency path BFS builds correct depth and introduced_via values
  • Test vulnerability correlation updates component and artifact vulnerability counts
  • Verify daily rollup stored procedure computes correct aggregates
  • Test tenant filtering respects AllowedTenants configuration

Verification

  • Verified on 2026-02-11 with run-001.
  • Tier 0 source checks confirmed ingestion services/options/test surfaces and dependency-path builders are present.
  • Tier 1 build + focused analytics class checks passed (64/64).
  • Tier 2 integration behavior checks passed (171/171) across schema integration, ingestion helpers, vulnerability-correlation rules, and tenant normalization behavior.
  • Tier 0 reported a partial result only because the utility source paths in this dossier still used Services/ names, while the active implementations live under src/Platform/StellaOps.Platform.Analytics/Utilities/.
  • Evidence:
    • docs/qa/feature-checks/runs/platform/sbom-analytics-lake/run-001/tier0-source-check.json
    • docs/qa/feature-checks/runs/platform/sbom-analytics-lake/run-001/tier1-build-check.json
    • docs/qa/feature-checks/runs/platform/sbom-analytics-lake/run-001/tier2-integration-check.json