git.stella-ops.org/docs/ops/concelier-osv-operations.md

# Concelier OSV Connector Operations Notes

Last updated: 2025-10-16

The OSV connector ingests advisories from OSV.dev across OSS ecosystems. This note highlights the additional merge/export expectations introduced with the canonical metric fallback work in Sprint 4.

## 1. Canonical metric fallbacks

- When OSV omits CVSS vectors (common for CVSS v4-only payloads), the mapper now emits a deterministic canonical metric id in the form `osv:severity/<level>` and normalises the advisory severity to the same `<level>`.
- Metric: `osv.map.canonical_metric_fallbacks` (counter) with tags `severity`, `canonical_metric_id`, `ecosystem`, `reason=no_cvss`. Watch this alongside merge parity dashboards to catch spikes where OSV publishes severity-only advisories.
- Merge precedence still prefers GHSA over OSV; the shared severity-based canonical id keeps merge/export parity deterministic even when only OSV supplies severity data.

## 2. CWE provenance

- `database_specific.cwe_ids` now populates provenance decision reasons for every mapped weakness. Expect `decisionReason="database_specific.cwe_ids"` on OSV weakness provenance and confirm exporters preserve the value.
- If OSV ever attaches `database_specific.cwe_notes`, the connector will surface the joined note string in `decisionReason` instead of the default marker.
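The fallback and provenance rules in sections 1 and 2, as an added illustrative model (not Concelier's own mapper code): it assumes only CVSS v2/v3 vectors are parsed, that the severity level comes from `database_specific.severity`, and that `cwe_notes` are joined with `"; "`. Both advisories are constructed samples.

```python
# Added illustration of the fallback rules above; not Concelier's own code.
# Assumptions: only CVSS v2/v3 vectors are parsed, the level comes from
# database_specific.severity, and cwe_notes are joined with "; ".
from collections import Counter

PARSED_CVSS_TYPES = {"CVSS_V2", "CVSS_V3"}        # assumption: CVSS v4 not parsed
DEFAULT_CWE_REASON = "database_specific.cwe_ids"  # marker named on the page

def parsable_vector(advisory):
    """First CVSS vector the mapper can parse; None for v4-only payloads."""
    for entry in advisory.get("severity", []):
        if entry.get("type") in PARSED_CVSS_TYPES and entry.get("score"):
            return entry["score"]
    return None

def weakness_provenance(advisory):
    """One provenance record per CWE; cwe_notes, when present, replace the marker."""
    db = advisory.get("database_specific", {})
    reason = "; ".join(db["cwe_notes"]) if db.get("cwe_notes") else DEFAULT_CWE_REASON
    return [{"cwe": cwe, "decisionReason": reason} for cwe in db.get("cwe_ids", [])]

def map_advisory(advisory, fallbacks):
    """Map one OSV record; `fallbacks` stands in for osv.map.canonical_metric_fallbacks."""
    db = advisory.get("database_specific", {})
    level = (db.get("severity") or "unknown").lower()
    canonical_id = parsable_vector(advisory)          # assumption: vector doubles as id
    if canonical_id is None:                          # no parsable CVSS: fall back
        canonical_id = f"osv:severity/{level}"
        eco = (advisory.get("affected") or [{}])[0].get("package", {}).get("ecosystem", "unknown")
        fallbacks[(level, canonical_id, eco, "no_cvss")] += 1
    return {"canonicalMetricId": canonical_id, "severity": level,
            "weaknesses": weakness_provenance(advisory)}

V4_ONLY = {  # constructed sample, not a real advisory
    "id": "GHSA-xxxx-xxxx-xxxx",
    "severity": [{"type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}],
    "affected": [{"package": {"ecosystem": "npm", "name": "example-pkg"}}],
    "database_specific": {"severity": "HIGH", "cwe_ids": ["CWE-79"]},
}
V3_WITH_NOTES = {  # constructed sample with a parsable vector and cwe_notes
    "id": "GHSA-yyyy-yyyy-yyyy",
    "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
    "affected": [{"package": {"ecosystem": "PyPI", "name": "example-lib"}}],
    "database_specific": {"severity": "CRITICAL", "cwe_ids": ["CWE-78"], "cwe_notes": ["shell", "argv"]},
}

def demo():
    """Map both samples; returns (v4 result, v3 result, fallback counter)."""
    fallbacks = Counter()
    return map_advisory(V4_ONLY, fallbacks), map_advisory(V3_WITH_NOTES, fallbacks), fallbacks
```

The v4-only record is the case that drives the counter; the v3 record exercises the `cwe_notes` override without touching it.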

## 3. Dashboards & alerts

- Extend existing merge dashboards with the new counter:
  - Overlay `sum(osv.map.canonical_metric_fallbacks{ecosystem=~".+"})` with merge severity overrides to confirm fallback advisories are reconciling cleanly.
  - Alert when the 1-hour sum exceeds 50 for any ecosystem; baseline volume is currently <5 per day (mostly GHSA mirrors emitting CVSS v4 only).
- Exporters already surface `canonicalMetricId`; no schema change is required, but ORAS/Trivy bundles should be spot-checked after deploying the connector update.

## 4. Runbook updates

- Fixture parity suites (`osv-ghsa.*`) now assert the fallback id and provenance notes. Regenerate via `dotnet test src/StellaOps.Concelier.Connector.Osv.Tests/StellaOps.Concelier.Connector.Osv.Tests.csproj`.
- When investigating merge severity conflicts, include the fallback counter and confirm OSV advisories carry the expected `osv:severity/<level>` id before raising connector bugs.