RU BDU Connector Notes
Data source & access requirements
- Primary feed: https://bdu.fstec.ru/files/documents/vulxml.zip exposes the full vulnerability catalogue as a zipped XML tree (“export/export.xml”). FSTEC refreshes the archive several times per week; incremental diffs are not published, so every run downloads the full bundle.
- TLS trust: the endpoint presents certificates chained to the Russian Trusted Root/Sub CAs. Bundle the official PEMs inside the deployment (certificates/russian_trusted_root_ca.pem, certificates/russian_trusted_sub_ca.pem, or the combined certificates/russian_trusted_bundle.pem) and point the connector at them, e.g.:

      concelier:
        httpClients:
          source.bdu:
            trustedRootPaths:
              - certificates/russian_trusted_bundle.pem
            allowInvalidCertificates: false
            timeout: 00:02:00

- Offline Kit: copy the PEM bundle above into the Offline Kit artefacts and set concelier:offline:root (or CONCELIER_OFFLINE_ROOT) so air-gapped installs can resolve relative certificate paths. Package the most recent vulxml.zip alongside cached exports when preparing air-gap refreshes.
The connector keeps a local cache (cache/ru-bdu/vulxml.zip) so transient fetch failures can fall back to the last successful archive without blocking the cursor.
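The sketch below is an added example, not the connector's own code. It shows an operator-side prefetch that trusts only the bundled CAs, validates the archive before it replaces the cache, and falls back to the last good copy on failure. The function names are hypothetical; the URL and paths are the ones given in these notes.

```python
import io
import os
import ssl
import tempfile
import urllib.request
import zipfile

# URL and paths come from the notes above; helper names are illustrative.
FEED_URL = "https://bdu.fstec.ru/files/documents/vulxml.zip"
CA_BUNDLE = "certificates/russian_trusted_bundle.pem"
CACHE_PATH = "cache/ru-bdu/vulxml.zip"
EXPECTED_MEMBER = "export/export.xml"


def download(url=FEED_URL, ca_bundle=CA_BUNDLE, timeout=120):
    """Fetch the archive trusting only the bundled CAs (system store not loaded)."""
    # Passing cafile skips the default trust store; hostname and chain checks stay on.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def is_valid_archive(data):
    """True only for an intact zip that carries export/export.xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return EXPECTED_MEMBER in zf.namelist() and zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def refresh(cache_path=CACHE_PATH, fetch=download):
    """Return (source, bytes); source is 'fetched' or 'cache_fallback'."""
    try:
        data = fetch()
        if not is_valid_archive(data):
            raise ValueError("archive failed validation")
    except Exception:
        if not os.path.exists(cache_path):
            raise  # nothing to fall back to: surface the original error
        with open(cache_path, "rb") as fh:
            return "cache_fallback", fh.read()
    # Write to a temp file and rename, so a crash never leaves a partial cache.
    cache_dir = os.path.dirname(cache_path) or "."
    os.makedirs(cache_dir, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=cache_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, cache_path)
    return "fetched", data
```

Because validation happens before the rename, a truncated or unexpected download can never overwrite the archive that later fallbacks depend on.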
Telemetry
The connector publishes an OpenTelemetry meter named StellaOps.Concelier.Connector.Ru.Bdu. Instruments include:
- ru.bdu.fetch.* – attempts, success, failures, not_modified, cache_fallbacks, and histogram ru.bdu.fetch.documents.
- ru.bdu.parse.* – counters for success/failures plus histograms tracking vulnerable software, external identifiers, and source reference counts per DTO.
- ru.bdu.map.* – counters for success/failures with histograms covering affected package counts and alias fan-out per advisory.
Use these metrics to alert on repeated cache fallbacks, sustained parse failures, or unexpected advisory fan-out.
Regression fixtures
Deterministic fixtures live under src/Concelier/__Tests/StellaOps.Concelier.Connector.Ru.Bdu.Tests/Fixtures. Run
dotnet test src/Concelier/__Tests/StellaOps.Concelier.Connector.Ru.Bdu.Tests
to execute the RU BDU snapshot suite, and set UPDATE_BDU_FIXTURES=1 to refresh stored snapshots when ingest logic changes. The harness records the fetch requests, documents, DTOs, advisories, and state cursor to guarantee reproducible pipelines across machines.