stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
90c244948a7427037e3bdb541fc6b0a27520d37f
git.stella-ops.org/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Jvn/AGENTS.md
master 90c244948a Update AGENTS.md files across multiple modules to standardize task status update instructions and introduce a new document for Secret Leak Detection operations. 
- Modified task status update instructions in AGENTS.md files to refer to corresponding sprint files as `/docs/implplan/SPRINT_*.md` instead of `docs/implplan/SPRINTS.md`.
- Added a comprehensive document for Secret Leak Detection operations detailing scope, prerequisites, rule bundle lifecycle, enabling the analyzer, policy patterns, observability, troubleshooting, and references.
2025-11-05 11:58:32 +02:00

3.0 KiB
Raw Blame History

AGENTS

Role

Japan JVN/MyJVN connector; national CERT enrichment with strong identifiers (JVNDB) and vendor status; authoritative only where concrete package evidence exists; otherwise enriches text, severity, references, and aliases.

Scope

  • Fetch JVNRSS (overview) and VULDEF (detail) via MyJVN API; window by dateFirstPublished/dateLastUpdated; paginate; respect rate limits.
  • Validate XML or JSON payloads; normalize titles, CVEs, JVNDB ids, vendor status, categories; map references and severity text; attach jp_flags.
  • Persist raw docs with sha256 and headers; manage source_state cursor; idempotent parse/map.

Participants

  • Source.Common (HTTP, pagination, XML or XSD validators, retries/backoff).
  • Storage.Mongo (document, dto, advisory, alias, affected (when concrete), reference, jp_flags, source_state).
  • Models (canonical Advisory/Affected/Provenance).
  • Core/WebService (jobs: source:jvn:fetch|parse|map).
  • Merge engine applies enrichment precedence (does not override distro or PSIRT ranges unless JVN gives explicit package truth).

Interfaces & contracts

  • Aliases include JVNDB-YYYY-NNNNN and CVE ids; scheme "JVNDB".
  • jp_flags: { jvndb_id, jvn_category, vendor_status }.
  • References typed: advisory/vendor/bulletin; URLs normalized and deduped.
  • Affected only when VULDEF gives concrete coordinates; otherwise omit.
  • Provenance: method=parser; kind=api; value=endpoint plus query window; recordedAt=fetched time.

In/Out of scope

In: JVN/MyJVN ingestion, aliases, jp_flags, enrichment mapping, watermarking. Out: overriding distro or PSIRT ranges without concrete evidence; scraping unofficial mirrors.

Observability & security expectations

  • Metrics: SourceDiagnostics emits concelier.source.http.* counters/histograms tagged concelier.source=jvn, enabling dashboards to track fetch requests, item counts, parse failures, and enrichment/map activity (including jp_flags) via tag filters.
  • Logs: window bounds, jvndb ids processed, vendor_status distribution; redact API keys.

Tests

  • Author and review coverage in ../StellaOps.Concelier.Connector.Jvn.Tests.
  • Shared fixtures (e.g., MongoIntegrationFixture, ConnectorTestHarness) live in ../StellaOps.Concelier.Testing.
  • Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios.

Required Reading

  • docs/modules/concelier/architecture.md
  • docs/modules/platform/architecture-overview.md

Working Agreement

    1. Update task status to DOING/DONE in both correspoding sprint file /docs/implplan/SPRINT_*.md and the local TASKS.md when you start or finish work.
    1. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
    1. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
    1. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
    1. Revert to TODO if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.