stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
7600caea632e9e44571bc1661003948a5e1d22fb
git.stella-ops.org/docs/modules/concelier/operations/connectors/osv.md
master 7b5bdcf4d3 feat(docs): Add comprehensive documentation for Vexer, Vulnerability Explorer, and Zastava modules 
- Introduced AGENTS.md, README.md, TASKS.md, and implementation_plan.md for Vexer, detailing mission, responsibilities, key components, and operational notes.
- Established similar documentation structure for Vulnerability Explorer and Zastava modules, including their respective workflows, integrations, and observability notes.
- Created risk scoring profiles documentation outlining the core workflow, factor model, governance, and deliverables.
- Ensured all modules adhere to the Aggregation-Only Contract and maintain determinism and provenance in outputs.
2025-10-30 00:09:39 +02:00

2.3 KiB
Raw Blame History

Concelier OSV Connector Operations Notes

Last updated: 2025-10-16

The OSV connector ingests advisories from OSV.dev across OSS ecosystems. This note highlights the additional merge/export expectations introduced with the canonical metric fallback work in Sprint 4.

1. Canonical metric fallbacks

  • When OSV omits CVSS vectors (common for CVSS v4-only payloads) the mapper now emits a deterministic canonical metric id in the form osv:severity/<level> and normalises the advisory severity to the same <level>.
  • Metric: osv.map.canonical_metric_fallbacks (counter) with tags severity, canonical_metric_id, ecosystem, reason=no_cvss. Watch this alongside merge parity dashboards to catch spikes where OSV publishes severity-only advisories.
  • Merge precedence still prefers GHSA over OSV; the shared severity-based canonical id keeps Merge/export parity deterministic even when only OSV supplies severity data.

2. CWE provenance

  • database_specific.cwe_ids now populates provenance decision reasons for every mapped weakness. Expect decisionReason="database_specific.cwe_ids" on OSV weakness provenance and confirm exporters preserve the value.
  • If OSV ever attaches database_specific.cwe_notes, the connector will surface the joined note string in decisionReason instead of the default marker.

3. Dashboards & alerts

  • Extend existing merge dashboards with the new counter:
    • Overlay sum(osv.map.canonical_metric_fallbacks{ecosystem=~".+"}) with Merge severity overrides to confirm fallback advisories are reconciling cleanly.
    • Alert when the 1-hour sum exceeds 50 for any ecosystem; baseline volume is currently <5 per day (mostly GHSA mirrors emitting CVSS v4 only).
  • Exporters already surface canonicalMetricId; no schema change is required, but ORAS/Trivy bundles should be spot-checked after deploying the connector update.

4. Runbook updates

  • Fixture parity suites (osv-ghsa.*) now assert the fallback id and provenance notes. Regenerate via dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv.Tests/StellaOps.Concelier.Connector.Osv.Tests.csproj.
  • When investigating merge severity conflicts, include the fallback counter and confirm OSV advisories carry the expected osv:severity/<level> id before raising connector bugs.