git.stella-ops.org/docs/features/checked/concelier/backport-aware-advisory-deduplication-with-provenance-scope.md
2026-02-13 02:04:55 +02:00

# Backport-Aware Advisory Deduplication with Provenance Scope

## Module

Concelier

## Status

VERIFIED

## Description

Enhances canonical advisory deduplication to be backport-aware. The same CVE ingested with different backport status (for example, patched in one distro and unpatched in another) now yields distinct canonical advisories instead of being collapsed into one. The feature also adds `provenance_scope` tracking (which source each canonical was derived from), a configurable vendor-vs-distro precedence lattice for resolving conflicting statements, and patch lineage normalization so that the `merge_hash` computation is stable across distro-specific patch naming.

## Implementation Details

- Modules: `src/Concelier/__Libraries/StellaOps.Concelier.Merge/`, `src/Concelier/__Libraries/StellaOps.Concelier.Persistence/`
- Key Classes:
  - `MergeHashCalculator` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Identity/MergeHashCalculator.cs`): merge hash computation with backport-aware normalization
  - `MergeHashBackfillService` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Services/MergeHashBackfillService.cs`): backfills merge hashes for existing advisories
  - `MergeHashBackfillJob` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Jobs/MergeHashBackfillJob.cs`): scheduled job for merge hash backfill
  - `MergeHashShadowWriteService` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Identity/MergeHashShadowWriteService.cs`): shadow writes for merge hash validation
  - `ProvenanceScopeService` (`src/Concelier/__Libraries/StellaOps.Concelier.Merge/Backport/ProvenanceScopeService.cs`): provenance scope tracking and management
  - `ProvenanceScopeRepository` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/ProvenanceScopeRepository.cs`): PostgreSQL persistence for provenance scopes
  - `ProvenanceScopeEntity` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Models/ProvenanceScopeEntity.cs`): database entity for provenance scope
  - `PostgresProvenanceScopeStore` (`src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/PostgresProvenanceScopeStore.cs`): store implementation
- Interfaces: `IMergeHashCalculator`, `IProvenanceScopeService`, `IProvenanceScopeRepository`
- Source: `SPRINT_8200_0015_0001_CONCEL_backport_integration.md`

## E2E Test Plan

- Ingest the same CVE with different backport status (patched vs. unpatched) from two distros and verify that they produce distinct canonical advisories
- Verify that `MergeHashCalculator` produces different merge hashes when the backport status differs for the same CVE
- Verify that `ProvenanceScopeService` correctly records which provenance scope each canonical belongs to
- Verify vendor-vs-distro precedence: when the vendor says "not affected" but the distro says "patched", the precedence lattice must resolve the conflict according to the configured ordering
- Verify that `MergeHashBackfillService` can retroactively compute and store merge hashes for pre-existing advisories
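The following is an added, self-contained Python model of the behaviour described in the Description and exercised by the E2E Test Plan. It is not Concelier code and does not reproduce `MergeHashCalculator` or `ProvenanceScopeService`; the identity fields hashed, the suffix pattern used for patch lineage normalization, the default vendor-over-distro precedence and the severity tie-break, and every CVE, package and source name are constructed assumptions chosen to make the scenarios concrete.

```python
"""Toy model of backport-aware advisory deduplication.

Illustrative code added alongside the feature page; it is NOT the StellaOps
Concelier implementation, and all names, inputs and precedence values below
are constructed assumptions.
"""
import hashlib
import json
import re
from dataclasses import dataclass, replace
from typing import Optional

# Assumed default of the configurable vendor-vs-distro precedence lattice:
# the higher rank wins a conflicting statement for the same CVE/package.
DEFAULT_PRECEDENCE = {"vendor": 2, "distro": 1}
# Assumed tie-break between equally ranked sources: the more conservative
# (worse) backport status wins.
STATUS_SEVERITY = {"not_affected": 0, "patched": 1, "unpatched": 2}

# Assumed shape of distro-specific version suffixes on patch identifiers.
_DISTRO_SUFFIX = re.compile(r"[+~.](deb|ubuntu|el|fc|sles)\d*[\w.]*$", re.IGNORECASE)


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str
    source: str           # e.g. "debian", "upstream" (constructed names)
    source_kind: str      # "vendor" or "distro"
    backport_status: str  # "patched", "unpatched" or "not_affected"
    patch_lineage: tuple = ()
    merge_hash: Optional[str] = None  # None for records that pre-date the calculator


def normalize_patch_lineage(lineage):
    """Strip distro suffixes, lower-case, dedupe and sort, so the same upstream
    patch reported by two distros contributes the same bytes to merge_hash."""
    cleaned = {_DISTRO_SUFFIX.sub("", p.strip()).lower() for p in lineage if p.strip()}
    return sorted(cleaned)


def compute_merge_hash(adv):
    """SHA-256 over canonical JSON of the identity fields. backport_status is
    part of the identity, so patched vs unpatched forms of one CVE never merge."""
    identity = {
        "cve": adv.cve.upper(),
        "package": adv.package.lower(),
        "backport_status": adv.backport_status,
        "patch_lineage": normalize_patch_lineage(adv.patch_lineage),
    }
    payload = json.dumps(identity, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class CanonicalStore:
    """In-memory stand-in for the canonical table plus provenance_scope rows."""

    def __init__(self, precedence=None):
        self.precedence = precedence or DEFAULT_PRECEDENCE
        self.canonicals = {}        # merge_hash -> [Advisory, ...]
        self.provenance_scope = {}  # merge_hash -> {(source, source_kind), ...}

    def ingest(self, adv):
        h = adv.merge_hash or compute_merge_hash(adv)
        adv = replace(adv, merge_hash=h)
        self.canonicals.setdefault(h, []).append(adv)
        self.provenance_scope.setdefault(h, set()).add((adv.source, adv.source_kind))
        return h

    def resolve_status(self, cve, package):
        """Apply the precedence lattice across every canonical for cve/package."""
        candidates = [
            a for advs in self.canonicals.values() for a in advs
            if a.cve.upper() == cve.upper() and a.package.lower() == package.lower()
        ]
        if not candidates:
            return None
        best = max(candidates, key=lambda a: (self.precedence.get(a.source_kind, 0),
                                              STATUS_SEVERITY[a.backport_status]))
        return best.backport_status


def backfill_merge_hashes(advisories):
    """Fill merge_hash on legacy records only; records that already carry one are untouched."""
    return [a if a.merge_hash else replace(a, merge_hash=compute_merge_hash(a))
            for a in advisories]


if __name__ == "__main__":
    # Constructed sample input: one CVE seen patched by one distro, unpatched by another.
    store = CanonicalStore()
    h_unpatched = store.ingest(Advisory("CVE-2024-0001", "openssl", "debian", "distro", "unpatched"))
    h_patched = store.ingest(Advisory("CVE-2024-0001", "openssl", "ubuntu", "distro", "patched"))
    print("distinct canonicals:", h_unpatched != h_patched)
    store.ingest(Advisory("CVE-2024-0001", "openssl", "upstream", "vendor", "not_affected"))
    print("resolved status:", store.resolve_status("CVE-2024-0001", "openssl"))
```

Two design points worth noting for anyone checking a real implementation against the test plan: the backport status must be part of the hashed identity (otherwise the patched and unpatched records collapse), while the patch lineage must be normalized before hashing (otherwise the same upstream fix reported as `abc123+deb12u1` and `abc123.el9` splits into two canonicals and the provenance scope for each stays incomplete).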