git.stella-ops.org/src/Attestor/StellaOps.Attestor/TASKS.md
master 536f6249a6
Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case
- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.
2025-11-08 20:53:45 +02:00


Attestor Guild Task Board (UTC 2025-10-19)

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| ATTESTOR-CRYPTO-90-001 | TODO | Attestor Service Guild, Security Guild | SEC-CRYPTO-90-003, SEC-CRYPTO-90-004 | Migrate bundle hashing, witness proof caching, and signing submissions to ICryptoProviderRegistry/ICryptoHash so RootPack_RU deployments use CryptoPro or PKCS#11 per docs/security/crypto-routing-audit-2025-11-07.md. | Attestor services resolve registry providers; DSSE signing/verifying honors config profiles; tests cover default + ru-offline modes; docs updated. |

Remark (2025-10-19): Wave 0 prerequisites reviewed (none outstanding); ATTESTOR-API-11-201, ATTESTOR-VERIFY-11-202, and ATTESTOR-OBS-11-203 tracked as DOING per Wave 0A kickoff.

Remark (2025-10-19): Dual-log submissions, signature/proof verification, and observability hardening landed; attestor endpoints now rate-limited per client with correlation-ID logging and updated docs/tests.


Epic 19 — Attestor Console Roadmap

Sprint 72 Foundations

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| ATTESTOR-72-001 | DONE | Attestor Service Guild | ATTEST-ENVELOPE-72-001 | Scaffold service (REST API skeleton, storage interfaces, KMS integration stubs) and DSSE validation pipeline. | Service builds/tests; signing & verification stubs wired; lint/CI green. |
| ATTESTOR-72-002 | DONE | Attestor Service Guild | ATTESTOR-72-001 | Implement attestation store (DB tables, object storage integration), CRUD, and indexing strategies. | Migrations applied; CRUD API functional; storage integration unit tests pass. |
| ATTESTOR-72-003 | DONE (2025-11-03) | Attestor Service Guild, QA Guild | ATTESTOR-72-002 | Validate attestation store TTL against production-like Mongo/Redis stack; capture logs and remediation plan. | Evidence of TTL expiry captured; report archived in docs/modules/attestor/ttl-validation.md. |

2025-11-03: Ran TTL validation against locally hosted MongoDB 7.0.5 and Redis 7.2.4 (manual processes). Document expirations captured in docs/modules/attestor/evidence/2025-11-03-{mongo,redis}-ttl-validation.txt; summary added to docs/modules/attestor/ttl-validation.md.

Sprint 73 Signing & Verification

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| ATTESTOR-73-001 | DONE (2025-11-01) | Attestor Service Guild, KMS Guild | ATTESTOR-72-002, KMS-72-001 | Implement signing endpoint with Ed25519/ECDSA support, KMS integration, and audit logging. | POST /v1/attestations:sign functional; audit entries recorded; tests cover success/failure. |
| ATTESTOR-73-002 | DONE (2025-11-01) | Attestor Service Guild, Policy Guild | ATTESTOR-72-002, VERPOL-73-001 | Build verification pipeline evaluating DSSE signatures, issuer trust, and verification policies; persist reports. | Verification endpoint returns structured report; results cached; contract tests pass. |
| ATTESTOR-73-003 | DONE | Attestor Service Guild | ATTESTOR-73-002 | Implement listing/fetch APIs with filters (subject, type, issuer, scope, date). | API documented; pagination works; contract tests green. |

2025-11-01: Verification endpoints now return structured reports and persist cached results; telemetry and tests (AttestorVerificationServiceTests, CachedAttestorVerificationServiceTests) cover pass/fail/cached paths.

Sprint 74 Transparency & Bulk

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| ATTESTOR-74-001 | DONE (2025-11-02) | Attestor Service Guild | ATTESTOR-73-002, TRANSP-74-001 | Integrate transparency witness client, inclusion proof verification, and caching. 2025-11-02: Witness client wired with repository schema update; verification/reporting paths refreshed and test suite green. | Witness proofs stored; verification fails on missing/inconsistent proofs; metrics emitted. |
| ATTESTOR-74-002 | DONE | Attestor Service Guild | ATTESTOR-73-002 | Implement bulk verification worker + API with progress tracking, rate limits, and caching. | Bulk job API functional; worker processes batches; telemetry recorded. |

Sprint 75 Air Gap & Hardening

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| ATTESTOR-75-001 | DONE | Attestor Service Guild, Export Guild | ATTESTOR-74-002, EXPORT-ATTEST-74-001 | Add export/import flows for attestation bundles and offline verification mode. | Bundles generated/imported; offline verification path documented; tests cover missing witness data. |
| ATTESTOR-75-002 | DONE | Attestor Service Guild, Security Guild | ATTESTOR-73-002 | Harden APIs with rate limits, auth scopes, threat model mitigations, and fuzz testing. | Rate limiting enforced; fuzz tests run in CI; threat model actions resolved. |

Sprint 187 Replay Ledger Integration

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| ATTEST-REPLAY-187-003 | TODO | Attestor Service Guild, Ops Guild | REPLAY-CORE-185-001, SCAN-REPLAY-186-001 | Anchor replay manifests to Rekor, expose verification API responses, and update docs/modules/attestor/architecture.md referencing docs/replay/DETERMINISTIC_REPLAY.md Section 9. | Rekor anchoring automated; verification endpoints document replay status; docs merged. |

*** End Task Board ***