stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/platform/sbom-analytics-lake.md

2.5 KiB
Raw Blame History

SBOM Analytics Lake (Star-Schema PostgreSQL)

Module

Platform

Status

IMPLEMENTED

Description

Star-schema PostgreSQL analytics layer for SBOM data with component registry, vulnerability correlation tables, attestation tracking, materialized views for trend analysis, and stored procedures for analytics queries. While "Materialized Views for Analytics" is in the known list, this is a much broader star-schema analytics subsystem with dedicated migration, ingestion services, and multi-table analytics design.

Implementation Details

  • AnalyticsIngestionService: src/Platform/StellaOps.Platform.Analytics/Services/AnalyticsIngestionService.cs -- BackgroundService subscribing to scanner.report.ready events via IEventStream; parses SBOM (CycloneDX/SPDX), resolves artifact digests, upserts into star-schema tables (analytics.artifacts, analytics.raw_sboms, analytics.components, analytics.artifact_components); uses stored procedures (analytics.compute_daily_rollups, analytics.parse_purl, analytics.normalize_supplier, analytics.categorize_license); builds dependency paths via BFS from root component
  • VulnerabilityCorrelationService: src/Platform/StellaOps.Platform.Analytics/Services/VulnerabilityCorrelationService.cs -- correlates PURL-based components with known vulnerabilities; updates artifact vulnerability counts
  • AttestationIngestionService: src/Platform/StellaOps.Platform.Analytics/Services/AttestationIngestionService.cs -- ingests attestation events into analytics
  • Utilities: PurlParser (PURL normalization), LicenseExpressionRenderer (license aggregation), Sha256Hasher (digest computation), TenantNormalizer (tenant filtering), VersionRuleEvaluator, VulnerabilityCorrelationRules
  • AnalyticsIngestionOptions: src/Platform/StellaOps.Platform.Analytics/Options/AnalyticsIngestionOptions.cs -- configurable stream names, tenant allowlists, ingest/schema versions
  • Tests: src/Platform/__Tests/StellaOps.Platform.Analytics.Tests/
  • Source: SPRINT_20260120_030_Platform_sbom_analytics_lake.md

E2E Test Plan

  • Verify SBOM ingestion from scanner.report.ready events populates all star-schema tables
  • Test component deduplication via (purl, hash_sha256) conflict resolution
  • Verify dependency path BFS builds correct depth and introduced_via values
  • Test vulnerability correlation updates component and artifact vulnerability counts
  • Verify daily rollup stored procedure computes correct aggregates
  • Test tenant filtering respects AllowedTenants configuration