b7059d523e
- Deleted obsolete test files for SchedulerAuditService and SchedulerMongoSessionFactory. - Removed unused TestDataFactory class. - Updated project files for Mongo.Tests to remove references to deleted files. - Upgraded BouncyCastle.Cryptography package to version 2.6.2 across multiple projects. - Replaced Microsoft.Extensions.Http.Polly with Microsoft.Extensions.Http.Resilience in Zastava.Webhook project. - Updated NetEscapades.Configuration.Yaml package to version 3.1.0 in Configuration library. - Upgraded Pkcs11Interop package to version 5.1.2 in Cryptography libraries. - Refactored Argon2idPasswordHasher to use BouncyCastle for hashing instead of Konscious. - Updated JsonSchema.Net package to version 7.3.2 in Microservice project. - Updated global.json to use .NET SDK version 10.0.101.
3.4 KiB
3.4 KiB
Excititor · Graph Linkouts & Overlays — Implementation Notes (Graph 21-001/002/005/24-101/24-102)
- Date: 2025-11-21
- Scope: EXCITITOR-GRAPH-21-001, EXCITITOR-GRAPH-21-002, EXCITITOR-GRAPH-21-005
- Status: Implementation guidance (storage wiring pending).
Endpoints
-
Linkouts (21-001)
POST /internal/graph/linkouts- Body:
tenant,purls[](max 500),includeJustifications?,includeProvenance? - Response: ordered by input
purls; each item includesadvisories[](advisoryId,source,status,justification?,modifiedAt,evidenceHash,connectorId,dsseEnvelopeHash?) plusconflicts[];notFound[].
-
Overlays (21-002)
GET /v1/graph/overlays?purl=<purl>&purl=<purl>&includeJustifications=true|false- Response per PURL:
summarycounts (open,not_affected,under_investigation,no_statement),latestModifiedAt,justifications[](unique, sorted),provenance(sources[],lastEvidenceHash),cached,cacheAgeMs.
-
Status summaries (24-101)
GET /v1/graph/status?purl=<purl>&purl=<purl>- Response mirrors overlay summaries but omits justification payloads; includes
sources[],lastEvidenceHash,cached,cacheAgeMs. Intended for Vuln Explorer status colouring.
-
Batch observations for tooltips (24-102)
GET /v1/graph/observations?purl=<purl>[&purl=...]&includeJustifications=true|false[&limitPerPurl=50][&cursor=<base64>]- Response per PURL: ordered
observations[](observationId,advisoryId,status,justification?,providerId,modifiedAt,evidenceHash,dsseEnvelopeHash?) plustruncated; top-levelnextCursor,hasMoreenable paging. Limits enforced per PURL and globally.
Storage & Indexes (21-005)
vex_observationsindexes:{ tenant: 1, component.purl: 1, advisoryId: 1, source: 1, modifiedAt: -1 }- Sparse
{ tenant: 1, component.purl: 1, status: 1 }
- Optional materialized
vex_overlayscache: unique{ tenant: 1, purl: 1 }, TTL oncachedAtdriven byexcititor:graph:overlayTtlSeconds(default 300s); payload must validate againstdocs/modules/excititor/schemas/vex_overlay.schema.json(schemaVersion 1.0.0). Bundle sample payloaddocs/samples/excititor/vex-overlay-sample.jsonin Offline Kits.
Determinism
- Ordering: input PURL order →
advisoryId→sourcefor linkouts; overlays follow input order. - Truncation: max 200 advisories per PURL; when truncated, include
truncated: trueandnextCursor(advisoryId,source).
Config knobs
excititor:graph:overlayTtlSeconds(default 300)excititor:graph:maxPurls(default 500)excititor:graph:maxAdvisoriesPerPurl(default 200)excititor:graph:maxTooltipItemsPerPurl(default 50)excititor:graph:maxTooltipTotal(default 1000)
Telemetry
- Counter
excititor.graph.linkouts.requeststags:tenant,includeJustifications,includeProvenance. - Counter
excititor.graph.overlays.cachetags:tenant,hit(true|false). - Histogram
excititor.graph.linkouts.latency.mstags:tenant.
Steps to implement
- Bind
GraphOptionstoExcititor:Graph. - Add endpoints to WebService with tenant guard; enforce limits.
- Implement overlay cache with deterministic sort; respect TTL; surface
cached+cacheAgeMs. - Backfill Mongo indexes above.
- Integration tests (WebApplicationFactory + Mongo2Go) for ordering, truncation, cache metadata, tenant isolation.