git.stella-ops.org/docs/product-advisories/ADVISORY_INDEX.md
StellaOps Bot b34f13dc03
2025-11-29 02:19:50 +02:00

Product Advisory Index

This index consolidates the November 2025 product advisories, identifying canonical documents and duplicates.

Canonical Advisories (Active)

These are the authoritative advisories to reference for implementation:

CVSS v4.0

  • Canonical: 25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md
  • Sprint: SPRINT_0190_0001_0001_cvss_v4_receipts.md
  • Status: New sprint created

SBOM/VEX Pipeline

  • Canonical: 27-Nov-2025 - Deep Architecture Brief - SBOMFirst, VEXReady Spine.md
  • Sprint: SPRINT_0186_0001_0001_record_deterministic_execution.md (tasks 15a-15f)
  • Supersedes:
    • 24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md → archive
    • 25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md → archive
    • 26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md → archive

Rekor/DSSE Batch Sizing

  • Canonical: 26-Nov-2025 - Handling Rekor v2 and DSSE AirGap Limits.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (DSSE tasks)
  • Supersedes:
    • 27-Nov-2025 - Rekor Envelope Size Heuristic.md → archive (duplicate)
    • 27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md → archive (duplicate)
    • 27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md → archive (duplicate)

Graph Revision IDs

  • Canonical: 26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (existing tasks)
  • Supersedes:
    • 25-Nov-2025 - HashStable Graph Revisions Across Systems.md → archive (earlier version)

Reachability Benchmark (Public)

  • Canonical: 24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md
  • Sprint: SPRINT_0513_0001_0001_public_reachability_benchmark.md
  • Related:
    • 26-Nov-2025 - Opening Up a Reachability Dataset.md → complementary (dataset focus)

Unknowns Registry

  • Canonical: 27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md
  • Sprint: SPRINT_0140_0001_0001_runtime_signals.md (existing implementation)
  • Extends: archived/18-Nov-2025 - Unknowns-Registry.md
  • Status: Already implemented in Signals module; advisory validates design

Confidence Decay for Prioritization

  • Canonical: 25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md
  • Sprint: SPRINT_0140_0001_0001_runtime_signals.md (integration point)
  • Related: Unknowns Registry (time-based decay complements ambiguity tracking)
  • Status: Design advisory - provides exponential decay formula for priority freshness

Explainability

  • Canonical (Graphs): 27-Nov-2025 - Making Graphs Understandable to Humans.md
  • Canonical (Verdicts): 27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (UI-CLI tasks)
  • Status: Complementary advisories - graphs cover edge reasons, verdicts cover audit trails

VEX Proofs

  • Canonical: 25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (POLICY-VEX tasks)

Binary Reachability

  • Canonical: 27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md
  • Sprint: SPRINT_0401_0001_0001_reachability_evidence_chain.md (GRAPH-HYBRID tasks)

Scanner Roadmap

  • Canonical: 27-Nov-2025 - Blueprint for a 2026Ready Scanner.md
  • Sprint: Multiple sprints (0186, 0401, 0512)
  • Status: High-level roadmap document

Vulnerability Triage UX & VEX-First Decisioning

  • Canonical: 28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md
  • Sprint: SPRINT_0215_0001_0001_vuln_triage_ux.md (NEW)
  • Related Sprints:
    • SPRINT_210_ui_ii.md (UI-LNM-22-003 VEX tab)
    • SPRINT_0334_docs_modules_vuln_explorer.md (docs)
  • Related Advisories:
    • 27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md (evidence chain)
    • 27-Nov-2025 - Making Graphs Understandable to Humans.md (graph UX)
    • 25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md (VEX proofs)
  • Status: New - defines converged triage UX across Snyk/GitLab/Harbor/Anchore patterns
  • Schemas:
    • docs/schemas/vex-decision.schema.json
    • docs/schemas/attestation-vuln-scan.schema.json
    • docs/schemas/audit-bundle-index.schema.json

Sovereign Crypto for Regional Compliance

  • Canonical: 28-Nov-2025 - Sovereign Crypto for Regional Compliance.md
  • Sprint: SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (EXISTING)
  • Related Docs:
    • docs/security/rootpack_ru_*.md - RootPack RU documentation
    • docs/security/crypto-registry-decision-2025-11-18.md - Registry design
    • docs/security/pq-provider-options.md - Post-quantum options
  • Status: Fills HIGH-priority gap - covers eIDAS, FIPS, GOST, SM algorithm support
  • Compliance: EU (eIDAS), US (FIPS 140-2/3), Russia (GOST), China (SM2/3/4)

Plugin Architecture & Extensibility

  • Canonical: 28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md
  • Sprint: Foundational - appears in module-specific sprints
  • Related Docs:
    • docs/dev/plugins/README.md - General plugin guide
    • docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md - Concelier connectors
    • docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md - Authority plugins
    • docs/modules/scanner/guides/surface-validation-extensibility.md - Scanner extensibility
  • Status: Fills MEDIUM-priority gap - consolidates extensibility patterns across modules

Evidence Bundle & Replay Contracts

  • Canonical: 29-Nov-2025 - Evidence Bundle and Replay Contracts.md
  • Sprint: SPRINT_0161_0001_0001_evidencelocker.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0187_0001_0001_evidence_locker_cli_integration.md (CLI)
    • SPRINT_0160_0001_0001_export_evidence.md (Coordination)
  • Related Docs:
    • docs/modules/evidence-locker/bundle-packaging.md - Bundle spec
    • docs/modules/evidence-locker/attestation-contract.md - DSSE contract
    • docs/modules/evidence-locker/replay-payload-contract.md - Replay schema
  • Status: Fills HIGH-priority gap - covers deterministic bundles, attestations, replay, incident mode

Mirror & Offline Kit Strategy

  • Canonical: 29-Nov-2025 - Mirror and Offline Kit Strategy.md
  • Sprint: SPRINT_0125_0001_0001 (Mirror Bundles)
  • Related Sprints:
    • SPRINT_0150_0001_0001 (DSSE/Time Anchors)
    • SPRINT_0150_0001_0002 (Time Anchors)
    • SPRINT_0150_0001_0003 (Orchestrator Hooks)
  • Related Docs:
    • docs/modules/mirror/dsse-tuf-profile.md - DSSE/TUF spec
    • docs/modules/mirror/thin-bundle-assembler.md - Thin bundle spec
    • docs/airgap/time-anchor-schema.json - Time anchor schema
  • Status: Fills HIGH-priority gap - covers thin bundles, DSSE/TUF signing, time anchoring

Task Pack Orchestration & Automation

  • Canonical: 29-Nov-2025 - Task Pack Orchestration and Automation.md
  • Sprint: SPRINT_0157_0001_0001_taskrunner_i.md (PRIMARY)
  • Related Sprints:
    • SPRINT_0158_0001_0002_taskrunner_ii.md (Phase II)
    • SPRINT_0157_0001_0002_taskrunner_blockers.md (Blockers)
  • Related Docs:
    • docs/task-packs/spec.md - Pack manifest specification
    • docs/task-packs/authoring-guide.md - Authoring workflow
    • docs/task-packs/registry.md - Registry architecture
  • Status: Fills HIGH-priority gap - covers pack DSL, approvals, evidence capture

Authentication & Authorization Architecture

  • Canonical: 29-Nov-2025 - Authentication and Authorization Architecture.md
  • Sprint: Multiple (see below)
  • Related Sprints:
    • SPRINT_100_identity_signing.md (CLOSED - historical)
    • SPRINT_314_docs_modules_authority.md (Docs)
    • SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (Crypto)
  • Related Docs:
    • docs/modules/authority/architecture.md - Module architecture
    • docs/11_AUTHORITY.md - Overview
    • docs/security/authority-scopes.md - Scope reference
    • docs/security/dpop-mtls-rollout.md - Sender constraints
  • Status: Fills HIGH-priority gap - consolidates token model, scopes, multi-tenant isolation

Files Archived

The following files have been moved to archived/27-Nov-2025-superseded/:

# Superseded by canonical advisories
24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md
25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md
25-Nov-2025 - HashStable Graph Revisions Across Systems.md
26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md
27-Nov-2025 - Rekor Envelope Size Heuristic.md
27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md
27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md

Cleanup Completed (2025-11-28)

The following issues were fixed:

  • Deleted junk file: 24-Nov-2025 - 1 copy 2.md
  • Deleted malformed duplicate: 24-Nov-2025 - Designing a Deterministic Reachability Benchmarkmd
  • Fixed filename: 25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md (was missing .md extension)

Sprint Cross-Reference

| Advisory Topic | Sprint ID | Status |
|---|---|---|
| CVSS v4.0 | SPRINT_0190_0001_0001 | NEW |
| SPDX 3.0.1 / SBOM | SPRINT_0186_0001_0001 | AUGMENTED |
| Reachability Benchmark | SPRINT_0513_0001_0001 | NEW |
| Reachability Evidence | SPRINT_0401_0001_0001 | EXISTING |
| Unknowns Registry | SPRINT_0140_0001_0001 | IMPLEMENTED |
| Confidence Decay | SPRINT_0140_0001_0001 | DESIGN |
| Graph Revision IDs | SPRINT_0401_0001_0001 | EXISTING |
| DSSE/Rekor Batching | SPRINT_0401_0001_0001 | EXISTING |
| Vuln Triage UX / VEX | SPRINT_0215_0001_0001 | NEW |
| Sovereign Crypto | SPRINT_0514_0001_0001 | EXISTING |
| Plugin Architecture | Multiple (module-specific) | FOUNDATIONAL |
| Evidence Bundle & Replay | SPRINT_0161_0001_0001 | EXISTING |
| Mirror & Offline Kit | SPRINT_0125_0001_0001 | EXISTING |
| Task Pack Orchestration | SPRINT_0157_0001_0001 | EXISTING |
| Auth/AuthZ Architecture | Multiple (100, 314, 0514) | EXISTING |

Implementation Priority

Based on gap analysis:

  1. P0 - CVSS v4.0 (Sprint 0190) - Industry moving to v4.0, genuine gap
  2. P1 - SPDX 3.0.1 (Sprint 0186 tasks 15a-15f) - Standards compliance
  3. P1 - Public Benchmark (Sprint 0513) - Differentiation/marketing value
  4. P1 - Vuln Triage UX (Sprint 0215) - Industry-aligned UX for competitive parity
  5. P1 - Sovereign Crypto (Sprint 0514) - Regional compliance enablement
  6. P1 - Evidence Bundle & Replay (Sprint 0161, 0187) - Audit/compliance critical
  7. P1 - Mirror & Offline Kit (Sprint 0125, 0150) - Air-gap deployment critical
  8. P2 - Task Pack Orchestration (Sprint 0157, 0158) - Automation foundation
  9. P2 - Explainability (Sprint 0401) - UX enhancement, existing tasks
  10. P2 - Plugin Architecture (Multiple) - Foundational extensibility patterns
  11. P2 - Auth/AuthZ Architecture (Multiple) - Security consolidation
  12. P3 - Already Implemented - Unknowns, Graph IDs, DSSE batching

Implementer Quick Reference

For each topic, the implementer should read:

  1. Sprint file - Contains task definitions, dependencies, working directories
  2. Documentation Prerequisites - Listed in each sprint file
  3. Canonical advisory - Full product context and rationale
  4. Module AGENTS.md - If exists, contains module-specific coding guidance

Key Module Docs to Read Before Implementation

| Module | Architecture Doc | AGENTS.md |
|---|---|---|
| Policy | docs/modules/policy/architecture.md | src/Policy/*/AGENTS.md |
| Scanner | docs/modules/scanner/architecture.md | src/Scanner/*/AGENTS.md |
| Sbomer | docs/modules/sbomer/architecture.md | src/Sbomer/*/AGENTS.md |
| Signals | docs/modules/signals/architecture.md | src/Signals/*/AGENTS.md |
| Attestor | docs/modules/attestor/architecture.md | src/Attestor/*/AGENTS.md |
| Vuln Explorer | docs/modules/vuln-explorer/architecture.md | src/VulnExplorer/*/AGENTS.md |
| VEX-Lens | docs/modules/vex-lens/architecture.md | src/Excititor/*/AGENTS.md |
| UI | docs/modules/ui/architecture.md | src/UI/*/AGENTS.md |
| Authority | docs/modules/authority/architecture.md | src/Authority/*/AGENTS.md |
| Evidence Locker | docs/modules/evidence-locker/*.md | src/EvidenceLocker/*/AGENTS.md |
| Mirror | docs/modules/mirror/*.md | src/Mirror/*/AGENTS.md |
| TaskRunner | docs/modules/taskrunner/*.md | src/TaskRunner/*/AGENTS.md |

Topical Gaps (Advisory Needed)

The following topics are mentioned in CLAUDE.md or module docs but lacked dedicated product advisories; rows marked FILLED now have one, rows marked Open still do not:

| Gap | Severity | Status | Notes |
|---|---|---|---|
| Regional Crypto (eIDAS/FIPS/GOST/SM) | HIGH | FILLED | 28-Nov-2025 - Sovereign Crypto for Regional Compliance.md |
| Plugin Architecture Patterns | MEDIUM | FILLED | 28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md |
| Evidence Bundle Packaging | HIGH | FILLED | 29-Nov-2025 - Evidence Bundle and Replay Contracts.md |
| Mirror/Offline Kit Strategy | HIGH | FILLED | 29-Nov-2025 - Mirror and Offline Kit Strategy.md |
| Task Pack Orchestration | HIGH | FILLED | 29-Nov-2025 - Task Pack Orchestration and Automation.md |
| Auth/AuthZ Architecture | HIGH | FILLED | 29-Nov-2025 - Authentication and Authorization Architecture.md |
| CycloneDX 1.6 .NET Integration | LOW | Open | Deep Architecture covers generically; expand with .NET-specific guidance |
| Findings Ledger & Audit Trail | MEDIUM | Open | Immutable verdict tracking; module exists but no advisory |
| Runtime Posture & Observation | MEDIUM | Open | Zastava runtime signals; sprints exist but no advisory |
| Graph Analytics & Clustering | MEDIUM | Open | Community detection, blast-radius; implementation underway |
| Policy Simulation & Shadow Gates | MEDIUM | Open | Impact modeling; extensive sprints but no contract advisory |
| Notification Rules Engine | MEDIUM | Open | Throttling, digests, templating; sprints active |

Known Issues (Non-Blocking)

Unicode Encoding Inconsistency: Several filenames use en-dash (U+2011) instead of regular hyphen (-). This may cause cross-platform issues but does not affect content discovery. Files affected:

  • 26-Nov-2025 - Handling Rekor v2 and DSSE AirGap Limits.md
  • 27-Nov-2025 - Blueprint for a 2026Ready Scanner.md
  • 27-Nov-2025 - Deep Architecture Brief - SBOMFirst, VEXReady Spine.md

Archived Duplicate: archived/17-Nov-2025 - SBOM-Provenance-Spine.md and archived/18-Nov-2025 - SBOM-Provenance-Spine.md are potential duplicates. The 18-Nov version is likely canonical.

Index created: 2025-11-27. Last updated: 2025-11-29.