git.stella-ops.org/docs/features/unchecked/scanner/derivative-distro-mapping-for-backport-detection.md

Derivative Distro Mapping for Backport Detection

Module

Scanner

Status

IMPLEMENTED

Description

Cross-distro OVAL/CSAF mapping that enables fetching backport rules from derivative distros (RHEL->Alma/Rocky/CentOS, Ubuntu->LinuxMint/Pop!_OS, Debian->Ubuntu) with confidence penalty multipliers (0.95x for same-major, 0.80x for cross-family).

Implementation Details

• Pedigree & Backport Evidence:
  • src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/FeedserPedigreeDataProvider.cs - Provides pedigree data with cross-distro backport rules
  • src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/CycloneDxPedigreeMapper.cs - Maps pedigree data including derivative distro mappings
  • src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/PatchInfoBuilder.cs - Builds patch info with backport detection data
  • src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/PedigreeNotesGenerator.cs - Generates pedigree notes with confidence levels
  • src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/IPedigreeDataProvider.cs - Interface
• Version Comparison Evidence:
  • src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/VersionComparisonEvidence.cs - Version comparison evidence for backport detection
  • src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/DeltaSignatureEvidence.cs - Delta signature evidence
  • src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/EvidenceBundle.cs - Evidence bundle model
• VEX Gate Integration:
  • src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateService.cs - VEX gate service considering backport status
  • src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGatePolicyEvaluator.cs - Policy evaluator with backport awareness

E2E Test Plan

• Scan an AlmaLinux image and verify backport rules are fetched from RHEL OVAL data with 0.95x confidence
• Scan a Linux Mint image and verify backport rules map from Ubuntu with appropriate confidence penalty
• Verify cross-family mapping (e.g., Debian rules applied to Ubuntu) uses 0.80x confidence multiplier
• Verify pedigree output includes derivative distro source attribution
• Verify backport evidence reduces false positive vulnerability counts for patched packages