Files

StellaOps Bot 35c8f9216f Add tests and implement timeline ingestion options with NATS and Redis subscribers

- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality.
- Created `PackRunWorkerOptions` for configuring worker paths and execution persistence.
- Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports.
- Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events.
- Developed `RedisTimelineEventSubscriber` for reading from Redis Streams.
- Added `TimelineEnvelopeParser` to normalize incoming event envelopes.
- Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping.
- Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.

2025-12-03 09:46:48 +02:00

5.4 KiB

Raw Blame History

Scanner Standards Convergence Roadmap (SC1)

Purpose

Define the concrete steps for adopting CVSS v4.0, CycloneDX 1.7 (incl. CBOM), and SLSA 1.2 across Scanner surfaces while keeping outputs deterministic and downgrade-friendly.

Scope

Scanner WebService + Worker + Replay bundles.
Surface contracts, CLI outputs, and CAS artifacts.
Downgrade adapters to CVSS v3.1, CDX 1.6, SLSA 1.0 (see SC4).

Deliverables (tie to SC tasks)

SC1: Roadmap with milestones, owners, and schema bump governance.
SC2: Deterministic CDX 1.7 + CBOM contract (fields, ordering, evidence citations).
SC3: SLSA Source Track capture fields for replay bundles (build-id, repo refs, provenance hooks).
SC4: Mapping tables for downgrade adapters; deterministic mapping rules and hashes.
SC5/SC8: Fixture set + determinism CI (stable ordering, seeded RNG, golden hashes).
SC6: Binary ↔ source evidence alignment requirements (build-id, symbols, patch oracle) feeding policy/VEX.
SC7: API/UI surfacing contract (filters, columns, pagination defaults) with deterministic ordering.
SC9: Governance/RACI for schema bumps and adapter tables.
SC10: Offline-kit parity: DSSE-signed schemas/mappings/fixtures, frozen bundle.

Contracts & owners (v0.1)

Schema leads: Scanner Guild (CDX 1.7/CBOM), Sbomer Guild (mapping), Policy Guild (severity/vectors), Ops Guild (offline kit).
Canonical CDX 1.7/CBOM fields (min set):
- metadata/component (purl, hashes, evidence refs),
- services with CBOM channels (ingress/egress),
- vulnerabilities[*].ratings[] must carry CVSS v4 and v3.1 side-by-side; deterministic order: v4 first, then v3.1.
- Evidence citations: properties["evidence:source"], properties["evidence:proof-id"], properties["evidence:hash"].
SLSA Source Track (SC3):
- replay bundle fields: source.repo, source.ref, build.id, build.invocation.hash, provenance.dsse (hash), all required.
Deterministic ordering rules (apply across SC2/SC5/SC8):
- sort components by purl, ties by name, then version (ordinal, case-insensitive);
- vulnerabilities sorted by id, then source, then severity score desc;
- timestamps UTC ISO-8601 without sub-ms; decimal rounding 4dp for ratios, 2dp for scores.
Adapter tables (SC4): mapping CSVs checked in under docs/modules/scanner/fixtures/adapters/ with BLAKE3 + SHA256 hashes; adapters are pure, no net.

Fixtures (SC2/SC5/SC8)

Golden payloads live in docs/modules/scanner/fixtures/cdx17-cbom/.
- sample-cdx17-cbom.json (CDX 1.7 + CBOM + CVSS v4/v3.1 + SLSA Source Track + evidence).
- sample-cdx16.json (downgraded CDX 1.6; CVSS v3.1 only; no CBOM channel properties).
- hashes.txt records deterministic digests:
  - sample-cdx17-cbom.json BLAKE3=27c6de0ccd6adb8149c5521477fba8292aa119fb9e42b521cba6356b2308e761 SHA256=22d8f6f80f02be13f840b74b24b2eea769f108a225152695e1bf8d8a0577e6f6
  - sample-cdx16.json BLAKE3=da5b631a8cca865f929f8fd5d3b35adc512de1754fe2278cb8b415b01c81b3d3 SHA256=3cf6cb04aec97ec05fad0658f54b4ec099644176806f098897a9ba0bf1135cb0
CI step: dotnet test hook runs deterministic serializer + hash assertion; env DOTNET_DISABLE_BUILTIN_GRAPH=1, fixed TZ=UTC, LC_ALL=C.
Downgrade adapters (SC4) consume the CDX 1.7 fixture and emit the 1.6 fixture; verify hashes match the values above.

Governance (SC1/SC9)

RACI: Product (A), Scanner TL (R), Sbomer TL (C), Policy TL (C), Ops (I).
Schema bump flow: draft → review → freeze → DSSE-sign schemas + fixtures → publish hash list → lock downgrade adapters.
Downgrade adapters cannot ship without approved mapping CSV + updated hashes; adapter CSVs live under docs/modules/scanner/fixtures/adapters/ (hash list alongside CSVs).

Offline (SC10)

Offline kit must include: schemas, adapter CSVs, fixtures, hash list, DSSE envelope, tool versions (Syft/Trivy pinned) and their hashes.
Bundle path: out/offline/scanner-standards-kit-v1/. DSSE envelope references manifest with all hashes; include CBOM sample, downgrade sample, adapter CSVs, and their BLAKE3/SHA256 values.

Milestones (locked for SC1 delivery)

Schema draft freeze (CDX 1.7/CBOM + CVSS v4 fields) — owners: Scanner Guild, due 2025-12-08.
Replay bundle field list for Source Track — owners: Scanner + Sbomer, due 2025-12-10.
Determinism harness upgrade (CI + fixtures) — owners: QA + Scanner, due 2025-12-13.
Downgrade adapter tables + hash tests — owners: Scanner, due 2025-12-15.
Offline-kit bundle update & DSSE signing — owners: Ops, due 2025-12-17.

Determinism & Offline requirements

Stable field ordering, culture-invariant formatting, UTC ISO-8601 timestamps.
No network calls during conversion/adapters; fixed seeds for any RNG.
All schemas/adapters/fixtures shipped in offline kit with DSSE envelope and recorded hashes.

Decisions (2025-12-03)

CBOM subset: include ingress + egress channel properties only; deeper data-flow capture deferred to policy/graph once schema stabilises.
CVSS v4 rounding: keep vendor vector precision; round scores to 2dp using MidpointRounding.ToZero for deterministic alignment with CVSS v3.1 sidecar values.
Evidence properties are mandatory for replay bundles and serialized CycloneDX 1.7 outputs; adapter must preserve them when downgrading.

5.4 KiB Raw Blame History Unescape Escape