- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define the signal types and their properties. - Implemented JSON serialization attributes for proper data interchange. - Created project files for the new signal contracts library and the corresponding test projects. - Added deterministic test fixtures for micro-interaction testing. - Included cosign cryptographic key material for signing/verification (reviewer note: only public verification keys and test-only keys should live in the repository; any private signing key belongs in a secrets store, not in source control — confirm which kind was committed).
{
|
|
"$id": "https://stella.ops/schema/provenance-feed.json",
|
|
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
|
"title": "ProvenanceFeed",
|
|
"description": "SGSI0101 provenance feed contract for runtime facts and signal ingestion with attestation support",
|
|
"type": "object",
|
|
"required": [
|
|
"schemaVersion",
|
|
"feedId",
|
|
"feedType",
|
|
"generatedAt",
|
|
"records"
|
|
],
|
|
"properties": {
|
|
"schemaVersion": {
|
|
"type": "integer",
|
|
"const": 1,
|
|
"description": "Schema version for compatibility"
|
|
},
|
|
"feedId": {
|
|
"type": "string",
|
|
"format": "uuid",
|
|
"description": "Unique feed generation identifier"
|
|
},
|
|
"feedType": {
|
|
"type": "string",
|
|
"enum": [
|
|
"RUNTIME_FACTS",
|
|
"SIGNAL_ENRICHMENT",
|
|
"CAS_PROMOTION",
|
|
"SCORING_OUTPUT",
|
|
"AUTHORITY_SCOPES"
|
|
],
|
|
"description": "Type of provenance feed"
|
|
},
|
|
"generatedAt": {
|
|
"type": "string",
|
|
"format": "date-time",
|
|
"description": "RFC 3339 / ISO-8601 timestamp of feed generation, including a time zone designator (e.g. trailing Z)"
|
|
},
|
|
"sourceService": {
|
|
"type": "string",
|
|
"description": "Service that generated this feed",
|
|
"examples": ["scanner-worker", "signal-aggregator", "cas-promoter"]
|
|
},
|
|
"tenantId": {
|
|
"type": "string",
|
|
"description": "Tenant scope for multi-tenant isolation. This property is optional in this schema, so consumers must treat a missing tenantId as unscoped rather than defaulting it to any tenant"
|
|
},
|
|
"correlationId": {
|
|
"type": "string",
|
|
"description": "Correlation ID for tracing across services"
|
|
},
|
|
"records": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/$defs/ProvenanceRecord"
|
|
},
|
|
"description": "Provenance records in this feed"
|
|
},
|
|
"metadata": {
|
|
"type": "object",
|
|
"additionalProperties": {
|
|
"type": "string"
|
|
},
|
|
"description": "Additional feed metadata"
|
|
},
|
|
"attestation": {
|
|
"$ref": "#/$defs/FeedAttestation",
|
|
"description": "Attestation covering this feed. Optional in this schema; consumers that require signed feeds must reject feeds that omit it"
|
|
}
|
|
},
|
|
"$defs": {
|
|
"ProvenanceRecord": {
|
|
"type": "object",
|
|
"required": ["recordId", "recordType", "subject", "occurredAt"],
|
|
"properties": {
|
|
"recordId": {
|
|
"type": "string",
|
|
"format": "uuid",
|
|
"description": "Unique record identifier"
|
|
},
|
|
"recordType": {
|
|
"type": "string",
|
|
"description": "Type of provenance record",
|
|
"examples": [
|
|
"runtime.process.observed",
|
|
"runtime.network.connection",
|
|
"runtime.file.access",
|
|
"signal.cache.available",
|
|
"signal.enrichment.applied",
|
|
"cas.promotion.completed",
|
|
"scoring.output.generated"
|
|
]
|
|
},
|
|
"subject": {
|
|
"$ref": "#/$defs/ProvenanceSubject",
|
|
"description": "Subject of this provenance record"
|
|
},
|
|
"occurredAt": {
|
|
"type": "string",
|
|
"format": "date-time",
|
|
"description": "RFC 3339 / ISO-8601 timestamp (with time zone) of when the observed event occurred, as reported by the observer"
|
|
},
|
|
"observedBy": {
|
|
"type": "string",
|
|
"description": "Agent/sensor that observed this record"
|
|
},
|
|
"confidence": {
|
|
"type": "number",
|
|
"minimum": 0,
|
|
"maximum": 1,
|
|
"description": "Confidence score in the closed interval [0.0, 1.0]"
|
|
},
|
|
"facts": {
|
|
"type": "object",
|
|
"additionalProperties": true,
|
|
"description": "Type-specific facts for this record. The object is open (additionalProperties: true), so the expected keys and value types depend on recordType and must be validated by the consumer"
|
|
},
|
|
"evidence": {
|
|
"$ref": "#/$defs/RecordEvidence",
|
|
"description": "Evidence supporting this record"
|
|
}
|
|
}
|
|
},
|
|
"ProvenanceSubject": {
|
|
"type": "object",
|
|
"required": ["type", "identifier"],
|
|
"properties": {
|
|
"type": {
|
|
"type": "string",
|
|
"enum": ["CONTAINER", "PROCESS", "PACKAGE", "FILE", "NETWORK", "IMAGE"],
|
|
"description": "Type of subject"
|
|
},
|
|
"identifier": {
|
|
"type": "string",
|
|
"description": "Subject identifier (image ref, package PURL, etc.)"
|
|
},
|
|
"digest": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[a-f0-9]{64}$",
|
|
"description": "Subject content digest (sha256, lowercase hex) if applicable"
|
|
},
|
|
"namespace": {
|
|
"type": "string",
|
|
"description": "Namespace context (k8s namespace, etc.)"
|
|
}
|
|
}
|
|
},
|
|
"RecordEvidence": {
|
|
"type": "object",
|
|
"properties": {
|
|
"sourceDigest": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[a-f0-9]{64}$",
|
|
"description": "Digest of evidence source"
|
|
},
|
|
"captureMethod": {
|
|
"type": "string",
|
|
"enum": ["eBPF", "PROC_SCAN", "API_CALL", "LOG_ANALYSIS", "STATIC_ANALYSIS"],
|
|
"description": "How evidence was captured"
|
|
},
|
|
"rawDataRef": {
|
|
"type": "string",
|
|
"format": "uri",
|
|
"description": "URI referencing the raw evidence data (e.g. an object-store location). Consumers should restrict the URI schemes they will dereference"
|
|
}
|
|
}
|
|
},
|
|
"FeedAttestation": {
|
|
"type": "object",
|
|
"required": ["predicateType", "signedAt"],
|
|
"properties": {
|
|
"predicateType": {
|
|
"type": "string",
|
|
"format": "uri",
|
|
"description": "in-toto predicate type",
|
|
"examples": ["https://stella.ops/attestation/provenance-feed/v1"]
|
|
},
|
|
"signedAt": {
|
|
"type": "string",
|
|
"format": "date-time",
|
|
"description": "When the attestation was signed"
|
|
},
|
|
"keyId": {
|
|
"type": "string",
|
|
"description": "Signing key identifier. A lookup hint only: verifiers must resolve it against their own trusted key set and must not treat the feed-supplied value as proof of authenticity"
|
|
},
|
|
"envelopeDigest": {
|
|
"type": "string",
|
|
"pattern": "^sha256:[a-f0-9]{64}$",
|
|
"description": "sha256 digest of the DSSE envelope carrying this attestation. The digest locates the envelope; verifiers still need to fetch and cryptographically verify the envelope itself"
|
|
},
|
|
"transparencyLog": {
|
|
"type": "string",
|
|
"format": "uri",
|
|
"description": "URI of the transparency log entry (e.g. Rekor) for this attestation, if one was recorded"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"examples": [
|
|
{
|
|
"schemaVersion": 1,
|
|
"feedId": "550e8400-e29b-41d4-a716-446655440000",
|
|
"feedType": "RUNTIME_FACTS",
|
|
"generatedAt": "2025-11-21T10:00:00Z",
|
|
"sourceService": "scanner-worker",
|
|
"tenantId": "acme-corp",
|
|
"correlationId": "scan-job-12345",
|
|
"records": [
|
|
{
|
|
"recordId": "660e8400-e29b-41d4-a716-446655440001",
|
|
"recordType": "runtime.process.observed",
|
|
"subject": {
|
|
"type": "CONTAINER",
|
|
"identifier": "registry.example.com/app:v1.2.3",
|
|
"digest": "sha256:7d9cd5f1a2a0dd9a41a2c43a5b7d8a0bcd9e34cf39b3f43a70595c834f0a4aee"
|
|
},
|
|
"occurredAt": "2025-11-21T09:55:00Z",
|
|
"observedBy": "ebpf-agent",
|
|
"confidence": 0.95,
|
|
"facts": {
|
|
"processName": "python3",
|
|
"execPath": "/usr/bin/python3",
|
|
"loadedLibraries": ["libssl.so.1.1", "libcrypto.so.1.1"]
|
|
},
|
|
"evidence": {
|
|
"captureMethod": "eBPF",
|
|
"rawDataRef": "s3://evidence-bucket/runtime/12345.json"
|
|
}
|
|
}
|
|
],
|
|
"attestation": {
|
|
"predicateType": "https://stella.ops/attestation/provenance-feed/v1",
|
|
"signedAt": "2025-11-21T10:00:01Z",
|
|
"keyId": "scanner-signing-key-001"
|
|
}
|
|
}
|
|
]
|
|
}
|