git.stella-ops.org/ops/devops/vuln/vuln-explorer-ci-plan.md
StellaOps Bot 885ce86af4
feat: Add VEX Lens CI and Load Testing Plan

- Introduced a comprehensive CI job structure for VEX Lens, including build, test, linting, and load testing.
- Defined load test parameters and SLOs for VEX Lens API and Issuer Directory.
- Created Grafana dashboards and alerting mechanisms for monitoring API performance and error rates.
- Established offline posture guidelines for CI jobs and load testing.

feat: Implement deterministic projection verification script

- Added `verify_projection.sh` script for verifying the integrity of projection exports against expected hashes.
- Ensured robust error handling for missing files and hash mismatches.

feat: Develop Vuln Explorer CI and Ops Plan

- Created CI jobs for Vuln Explorer, including build, test, and replay verification.
- Implemented backup and disaster recovery strategies for MongoDB and Redis.
- Established Merkle anchoring verification and automation for ledger projector.

feat: Introduce EventEnvelopeHasher for hashing event envelopes

- Implemented `EventEnvelopeHasher` to compute SHA256 hashes for event envelopes.

feat: Add Risk Store and Dashboard components

- Developed `RiskStore` for managing risk data and state.
- Created `RiskDashboardComponent` for displaying risk profiles with filtering capabilities.
- Implemented unit tests for `RiskStore` and `RiskDashboardComponent`.

feat: Enhance Vulnerability Detail Component

- Developed `VulnerabilityDetailComponent` for displaying detailed information about vulnerabilities.
- Implemented error handling for missing vulnerability IDs and loading failures.
2025-12-02 07:18:28 +02:00


Vuln Explorer CI + Ops Plan (DEVOPS-VULN-29-001)

Scope: CI jobs, backup/DR, Merkle anchoring monitoring, and verification automation for the Vuln Explorer ledger projector and API. Assumptions: the Vuln Explorer API uses MongoDB + Redis; the ledger projector replays the event log into materialized views; projector Merkle roots are anchored to a transparency log.

CI Jobs

  • build-vuln: dotnet restore/build for src/VulnExplorer/StellaOps.VulnExplorer.Api and the projector; set DOTNET_DISABLE_BUILTIN_GRAPH=1 and resolve packages from local-nugets/ only (no network).
  • test-vuln: focused tests with dotnet test src/VulnExplorer/__Tests/... and --filter Category!=GraphHeavy; publish TRX + coverage.
  • replay-smoke: run the projector against the fixture event log (samples/vuln/events/replay.ndjson) and assert the materialized view hash matches the committed expected hash; any divergence fails the job (it means the projection is no longer deterministic, or the fixture/expected hash was changed without review).
  • sbom+attest: reuse ops/devops/docker/sbom_attest.sh post-build.

Backup & DR

  • Mongo: enable point-in-time snapshots (if available) or nightly mongodump of the vuln_explorer db; store in object storage with 30d retention. Restore-test the dump on a schedule so an unrestorable backup is found before a DR event, not during it.
  • Redis (if used for cache): not authoritative; no backup required.
  • Replay-first recovery: keep the latest event log snapshot in release artifacts; the replay task rehydrates materialized views from it. The event log, not the materialized views, is the recovery source of truth.

Merkle Anchoring Verification

  • Monitor projector metrics: ledger_projection_lag_seconds, ledger_projection_errors_total.
  • Add a periodic job verify-merkle: fetch the latest Merkle root from projector state and cross-check it against the transparency log (Rekor or the configured log), e.g. with rekor-cli loginfo for a Rekor consistency proof against the previously stored checkpoint, or a custom verifier. Checking root equality alone is not enough: verify consistency with the last observed checkpoint so a log rollback or fork is detected, not just a missing entry.
  • Alert when the last anchored root is older than 15m or a mismatch is detected.

Verification Automation

  • Script ops/devops/vuln/verify_projection.sh (to be added) should:
    • Run the projector against the fixture events and compute the hash of the materialized view snapshot (sha256sum over the canonical JSON export; the export must have stable key order and no run-specific fields such as timestamps or run ids, or the hash will never be reproducible).
    • Compare with the expected hash stored in ops/devops/vuln/expected_projection.sha256.
    • Exit non-zero on mismatch, and also on a missing snapshot or expected-hash file (a missing file must not be reported as a pass).

Fixtures

  • Store deterministic replay fixture under samples/vuln/events/replay.ndjson (generated offline, includes mixed tenants, disputed findings, remediation states).
  • Export canonical projection snapshot to samples/vuln/events/projection.json and hash to ops/devops/vuln/expected_projection.sha256.
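The verification script described under Verification Automation and Fixtures, written out as an added example (this is not the repository's own ops/devops/vuln/verify_projection.sh). The projector invocation is an assumed placeholder (PROJECTOR_CMD); the fixture, snapshot and expected-hash paths default to the ones named in this plan. Missing files, a malformed expected-hash file and a hash mismatch each get a distinct non-zero exit code so CI logs show which failure occurred.

```shell
#!/bin/sh
# Added example, not the project's own verify_projection.sh.
# Assumed: PROJECTOR_CMD is a placeholder for the real projector replay
# command, invoked as: $PROJECTOR_CMD <fixture.ndjson> <out.json>
set -eu

# SHA-256 of a file as a bare lowercase hex digest.
# Uses coreutils sha256sum, falling back to shasum where coreutils is absent.
sha256_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum -- "$1" | awk '{print $1}'
  else
    shasum -a 256 -- "$1" | awk '{print $1}'
  fi
}

# verify_projection <snapshot.json> <expected.sha256>
# The expected file may hold a bare digest or sha256sum-style "digest  path".
# Exit codes: 0 match, 1 hash mismatch, 2 missing/unreadable input,
#             3 malformed expected-hash file.
verify_projection() {
  local snapshot="$1" expected_file="$2" expected actual f
  for f in "$snapshot" "$expected_file"; do
    if [ ! -r "$f" ]; then
      echo "verify_projection: missing or unreadable file: $f" >&2
      return 2
    fi
  done
  # First field of the first line, normalised to lowercase, must be 64 hex chars.
  expected=$(awk 'NR==1 {print tolower($1)}' "$expected_file")
  if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "verify_projection: malformed expected hash file: $expected_file" >&2
    return 3
  fi
  actual=$(sha256_file "$snapshot")
  if [ "$actual" != "$expected" ]; then
    echo "verify_projection: MISMATCH for $snapshot" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  echo "verify_projection: OK $actual"
  return 0
}

# Full CI flow: replay the fixture through the projector into a canonical
# JSON export, then verify that export against the committed expected hash.
# run_replay_and_verify [fixture] [expected.sha256] [snapshot.json]
run_replay_and_verify() {
  local fixture="${1:-samples/vuln/events/replay.ndjson}"
  local expected="${2:-ops/devops/vuln/expected_projection.sha256}"
  local snapshot="${3:-$(mktemp -d)/projection.json}"
  # Assumed placeholder: the projector must write a canonical export
  # (stable key order, no timestamps or run ids) to $snapshot.
  : "${PROJECTOR_CMD:?set PROJECTOR_CMD to the projector replay invocation}"
  if [ ! -r "$fixture" ]; then
    echo "run_replay_and_verify: missing fixture: $fixture" >&2
    return 2
  fi
  # Unquoted on purpose so PROJECTOR_CMD may carry its own arguments.
  $PROJECTOR_CMD "$fixture" "$snapshot"
  verify_projection "$snapshot" "$expected"
}

# CI entry point: VERIFY_PROJECTION_RUN=1 ./verify_projection.sh
# Left off by default so the functions can be sourced by other scripts.
if [ "${VERIFY_PROJECTION_RUN:-0}" = "1" ]; then
  run_replay_and_verify "$@"
fi
```

The CI job runs it with VERIFY_PROJECTION_RUN=1 and PROJECTOR_CMD set; because the expected hash lives in the repo, any change to the fixture or the projector that alters the export must come with an updated expected_projection.sha256 in the same change, which is exactly the review point the replay-smoke job is meant to force.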

Dashboards / Alerts (DEVOPS-VULN-29-002/003)

  • Dashboard panels: projection lag, replay throughput, API latency (/findings, /findings/{id}), query budget enforcement hits, and Merkle anchoring status.
  • Alerts: vuln_projection_lag_gt_60s, vuln_projection_error_rate_gt_1pct, vuln_api_latency_p95_gt_300ms, merkle_anchor_stale_gt_15m.

Offline posture

  • CI and verification use in-repo fixtures; no external downloads.
  • Use mirrored images and local-nugets/ for all builds/tests.

Local run

DOTNET_DISABLE_BUILTIN_GRAPH=1 dotnet test src/VulnExplorer/__Tests/StellaOps.VulnExplorer.Api.Tests/StellaOps.VulnExplorer.Api.Tests.csproj --filter Category!=GraphHeavy