git.stella-ops.org/docs/technical/architecture/module-matrix.md
2026-01-22 19:08:46 +02:00


Complete Module Matrix

This document provides a comprehensive inventory of all 46+ modules in the StellaOps platform. Module build entry points are the module solutions listed in docs/dev/SOLUTION_BUILD_GUIDE.md.

Table of Contents

1. Module Count Explanation
2. Complete Module Inventory
3. Module Categories
4. Service Deployment Matrix
5. Module Dependencies
1. Module Count Explanation

The solution contains 46 top-level modules in src/. The architecture documentation covers the ~35 core user-facing modules, while the remaining modules fall into:

| Category | Count | Description |
|---|---|---|
| Core Platform | 4 | Authority, Gateway, Router, Platform |
| Data Ingestion | 7 | Concelier, Excititor, VexLens, VexHub, IssuerDirectory, Feedser, Mirror |
| Scanning & Analysis | 5 | Scanner, BinaryIndex, AdvisoryAI, Symbols, ReachGraph |
| Artifacts & Evidence | 7 | Attestor, Signer, SbomService, EvidenceLocker, ExportCenter, Provenance, Provcache |
| Policy & Risk | 4 | Policy, RiskEngine, VulnExplorer, Unknowns |
| Operations | 8 | Scheduler, Orchestrator, TaskRunner, Notify, Notifier, PacksRegistry, TimelineIndexer, Replay |
| Integration | 5 | CLI, Zastava, Web, API, Registry |
| Infrastructure | 6 | Cryptography, Telemetry, Graph, Signals, AirGap, AOC |
| Testing & Benchmarks | 2 | Benchmark, Bench |
| Utility & Internal | 6+ | Cartographer, Findings, SrmRemote, Tools, PluginBinaries, etc. |

2. Complete Module Inventory

Core Platform (4 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Authority | src/Authority/ | Authentication, authorization, OAuth/OIDC, DPoP, tenant management | Yes | No | PostgreSQL (authority) |
| Gateway | src/Gateway/ | API gateway with routing, TLS termination, transport abstraction | Yes | No | Stateless |
| Router | src/Router/ | Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey) | Yes | No | Valkey |
| Platform | src/Platform/ | Platform Service aggregation APIs, console data composition | Yes | No | Aggregates |

Data Ingestion (7 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Concelier | src/Concelier/ | Vulnerability advisory ingestion (NVD, OSV, GHSA, CSAF), merge engine with AOC | Yes | Yes | PostgreSQL (vuln) |
| Excititor | src/Excititor/ | VEX document ingestion and export (OpenVEX, CSAF VEX) | Yes | Yes | PostgreSQL (vex) |
| VexLens | src/VexLens/ | VEX consensus computation across issuers, conflict analysis | Yes | No | PostgreSQL (cache) |
| VexHub | src/VexHub/ | VEX distribution and exchange hub | Yes | No | PostgreSQL |
| IssuerDirectory | src/IssuerDirectory/ | Issuer trust registry for CSAF publishers | Yes | No | PostgreSQL |
| Feedser | src/Feedser/ | Evidence collection library for backport detection | Library | N/A | N/A |
| Mirror | src/Mirror/ | Vulnerability feed mirror and distribution | Yes | Yes | RustFS |

Scanning & Analysis (5 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Scanner | src/Scanner/ | Container scanning with SBOM generation (11 language analyzers), call graphs | Yes | Yes | PostgreSQL (scanner) + RustFS |
| BinaryIndex | src/BinaryIndex/ | Binary identity extraction and fingerprinting | Yes | No | PostgreSQL |
| AdvisoryAI | src/AdvisoryAI/ | AI-assisted advisory analysis and summarization | Yes | No | PostgreSQL |
| Symbols | src/Symbols/ | Symbol resolution and debug information | Yes | No | PostgreSQL |
| ReachGraph | src/ReachGraph/ | Reachability graph service, CVE reachability analysis | Yes | No | PostgreSQL |

Artifacts & Evidence (7 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Attestor | src/Attestor/ | in-toto/DSSE attestation generation, Rekor v2 integration | Yes | No | PostgreSQL + RustFS |
| Signer | src/Signer/ | Cryptographic signing operations (PKIX, DSSE) | Yes | No | PostgreSQL |
| SbomService | src/SbomService/ | SBOM storage, versioning, and lineage ledger | Yes | No | PostgreSQL + RustFS |
| EvidenceLocker | src/EvidenceLocker/ | Sealed evidence storage and export | Yes | No | RustFS |
| ExportCenter | src/ExportCenter/ | Batch export and report generation (SARIF, SBOM, evidence bundles) | Yes | No | RustFS |
| Provenance | src/Provenance/ | SLSA/DSSE attestation tooling | Library | N/A | N/A |
| Provcache | Library | Provenance cache utilities | Library | N/A | N/A |

Policy & Risk (4 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Policy | src/Policy/ | Policy engine with K4 lattice logic, confidence scoring, VEX emission | Yes | Yes | PostgreSQL (policy) |
| RiskEngine | src/RiskEngine/ | Risk scoring runtime with pluggable providers | Yes | No | PostgreSQL |
| VulnExplorer | src/VulnExplorer/ | Vulnerability exploration and triage UI backend | Yes | No | PostgreSQL (cache) |
| Unknowns | src/Unknowns/ | Unknown component and symbol tracking registry | Yes | No | PostgreSQL |

Operations (8 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Scheduler | src/Scheduler/ | Job scheduling and queue management, cron-based rescan | Yes | No | PostgreSQL (scheduler) |
| Orchestrator | src/Orchestrator/ | Workflow orchestration and task coordination | Yes | No | PostgreSQL (orchestrator) |
| TaskRunner | src/TaskRunner/ | Task pack execution engine | Yes | Yes | PostgreSQL |
| Notify | src/Notify/ | Notification toolkit (Email, Slack, Teams, Webhooks), shared libraries | Library | N/A | N/A |
| Notifier | src/Notifier/ | Notifications Studio host (WebService + Worker) | Yes | Yes | PostgreSQL (notify) |
| PacksRegistry | src/PacksRegistry/ | Task packs registry and distribution | Yes | No | PostgreSQL |
| TimelineIndexer | src/TimelineIndexer/ | Timeline event indexing for audit trails | Yes | No | PostgreSQL |
| Replay | src/Replay/ | Deterministic replay engine | Yes | No | PostgreSQL |

Integration (5 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| CLI | src/Cli/ | Command-line interface (Native AOT, multi-platform) | CLI | N/A | N/A |
| Zastava | src/Zastava/ | Container registry webhook observer, admission control | Yes | No | PostgreSQL |
| Web | src/Web/ | Angular 17 frontend SPA | Static | N/A | N/A |
| API | src/Api/ | OpenAPI contracts and governance | Library | N/A | N/A |
| Registry | src/Registry/ | Container registry integration, token service | Yes | No | PostgreSQL |

Infrastructure (6 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Cryptography | src/Cryptography/ | Crypto plugins (FIPS, eIDAS, GOST, SM, PQ) | Library | N/A | N/A |
| Telemetry | src/Telemetry/ | OpenTelemetry traces, metrics, logging | Library | N/A | N/A |
| Graph | src/Graph/ | Call graph and reachability data structures | Library | N/A | N/A |
| Signals | src/Signals/ | Runtime signal collection and correlation | Library | N/A | N/A |
| AirGap | src/AirGap/ | Air-gapped deployment support, Offline Kit bundling | Yes | Yes | RustFS |
| AOC | src/Aoc/ | Append-Only Contract enforcement (Roslyn analyzers) | Library | N/A | N/A |

Testing & Benchmarks (2 modules)

| Module | Path | Purpose | WebService | Worker | Storage |
|---|---|---|---|---|---|
| Benchmark | Scanner library | Competitive benchmarking (accuracy comparison) | Tool | N/A | N/A |
| Bench | src/Bench/ | Performance benchmarks | Tool | N/A | N/A |

Utility & Internal (6+ modules)

| Module | Path | Purpose | Notes |
|---|---|---|---|
| Cartographer | src/Cartographer/ | Identity graphs from SBOM/advisory data | Feeds Graph Explorer |
| Findings | src/Findings/ | Materializes effective findings from Policy outputs | Feeds UI/CLI/Notify |
| SrmRemote | src/SrmRemote/ | SBOM remote operations | Integration utility |
| Tools | src/Tools/ | Utility programs (fixture generators, migration scripts) | Dev tooling |
| PluginBinaries | Various | Authority and Concelier plugin binaries | Plugin hosting |
| DevPortal | src/DevPortal/ | Developer onboarding portal | Documentation |

3. Module Categories

By Runtime Type

| Type | Modules |
|---|---|
| WebService + Worker | Scanner, Concelier, Excititor, Policy, Notifier, TaskRunner, AirGap, Mirror |
| WebService Only | Authority, Gateway, Router, Platform, VexLens, VexHub, IssuerDirectory, BinaryIndex, AdvisoryAI, Symbols, ReachGraph, Attestor, Signer, SbomService, EvidenceLocker, ExportCenter, RiskEngine, VulnExplorer, Unknowns, Scheduler, Orchestrator, PacksRegistry, TimelineIndexer, Replay, Zastava, Registry |
| Library | Feedser, Provenance, Provcache, Notify, API, Cryptography, Telemetry, Graph, Signals, AOC |
| CLI/Tool | CLI, Benchmark, Bench, Tools |
| Static | Web (Angular SPA) |

By Data Store

| Store | Modules |
|---|---|
| PostgreSQL | Authority, Concelier, Excititor, VexLens, VexHub, IssuerDirectory, Scanner, BinaryIndex, AdvisoryAI, Symbols, ReachGraph, Attestor, Signer, SbomService, Policy, RiskEngine, VulnExplorer, Unknowns, Scheduler, Orchestrator, TaskRunner, Notifier, PacksRegistry, TimelineIndexer, Replay, Zastava, Registry |
| RustFS (S3) | Scanner, Attestor, SbomService, EvidenceLocker, ExportCenter, AirGap, Mirror |
| Valkey | Gateway, Router, Scanner, Policy, Scheduler, Notifier (for queues/cache) |
| Stateless | Gateway, Platform, CLI, Web |

By Communication Pattern

| Pattern | Modules |
|---|---|
| HTTP REST | All WebService modules |
| Binary Frame (Router) | Gateway to all backend services |
| Event Streams (Valkey/NATS) | Scanner, Concelier, Excititor, Policy, Scheduler, Notifier |
| Direct Library | All Library modules |

4. Service Deployment Matrix

| Service | Container Image | Replicas | Storage | Queue | Observable |
|---|---|---|---|---|---|
| Authority | stellaops/authority | 2+ | PostgreSQL | Valkey (DPoP) | Yes |
| Gateway | stellaops/gateway | 2+ | Stateless | - | Yes |
| Scanner.Web | stellaops/scanner-web | 2+ | PostgreSQL + RustFS | - | Yes |
| Scanner.Worker | stellaops/scanner-worker | N | RustFS | Valkey/NATS | Yes |
| Concelier.Web | stellaops/concelier-web | 2+ | PostgreSQL | - | Yes |
| Concelier.Worker | stellaops/concelier-worker | N | PostgreSQL | Valkey/NATS | Yes |
| Policy.Engine | stellaops/policy-engine | 2+ | PostgreSQL | Valkey | Yes |
| Policy.Worker | stellaops/policy-worker | N | PostgreSQL | Valkey | Yes |
| Scheduler | stellaops/scheduler | 2+ | PostgreSQL | Valkey | Yes |
| Notifier | stellaops/notifier | 2+ | PostgreSQL | Valkey | Yes |
| ExportCenter | stellaops/export-center | 2+ | RustFS | - | Yes |
| Web (UI) | stellaops/web | 2+ | Static | - | Yes |

5. Module Dependencies

Core Dependency Graph

                                    +-------------+
                                    |  Authority  |
                                    +------+------+
                                           |
              +----------------------------+----------------------------+
              |                            |                            |
              v                            v                            v
        +----------+                 +----------+                 +----------+
        |  Gateway |---------------->|  Scanner |---------------->|  Policy  |
        +----+-----+                 +----+-----+                 +----+-----+
             |                            |                            |
             |                            v                            v
             |                      +----------+                 +----------+
             |                      | Concelier|                 |   Signer |
             |                      +----+-----+                 +----+-----+
             |                            |                            |
             |                            v                            v
             |                      +----------+                 +----------+
             |                      | Excititor|                 |  Attestor|
             |                      +----------+                 +----------+
             |
             v
        +----------+
        |    UI    |
        +----------+

Key Integration Points

| From | To | Integration |
|---|---|---|
| Gateway | Authority | Token validation (JWKS) |
| Gateway | All Services | Binary frame routing |
| Scanner | Signer | SBOM signing |
| Scanner | Attestor | in-toto attestation |
| Policy | Concelier | Advisory data (read-only) |
| Policy | Excititor | VEX data (read-only) |
| Policy | Scanner | SBOM data (read-only) |
| Scheduler | Scanner | Trigger rescans |
| Scheduler | Concelier | Observe advisory deltas |
| Notifier | All Services | Consume events |