stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
dac8e10e361e03690a2e1ffa374f4617ffbd9705
git.stella-ops.org/docs/implplan/archived/NEXT_STEPS_ANALYSIS.md
master dac8e10e36 feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance 
## Summary

This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.

## Key Changes

### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement

### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
  - Supports ES256/384/512, RS256/384/512, PS256/384/512
  - SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis

### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution

### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*

## Compliance & Testing

-  Zero direct System.Security.Cryptography usage in production code
-  All crypto operations go through ICryptoProvider abstraction
-  39/39 unit tests passing for OfflineVerificationCryptoProvider
-  Build successful (AirGap, Crypto plugin, DI infrastructure)
-  Audit script validates crypto boundaries

## Files Modified

**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)

**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)

**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)

**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)

**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)

**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)

## Next Steps

Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 18:20:00 +02:00

17 KiB
Raw Blame History

Sprint 3200 — Next Steps & Obstacle Analysis

Date: 2025-12-23 Phase 1 Status: COMPLETE Overall Sprint Status: 70% Complete

Ultra-Thinking Analysis: Remaining Obstacles

This document provides a comprehensive analysis of remaining obstacles to complete Sprint 3200 (Attestation Ecosystem Interoperability) and concrete strategies to address them.

Executive Summary

Phase 1 (Sprint 3200.0001.0001) is COMPLETE:

  • StandardPredicates library: Building (0 errors)
  • Unit tests: 25/25 passing
  • Integration code: Correct and functional
  • Documentation: Comprehensive

Remaining Work (Phases 2-4):

  • Phase 2: DSSE SBOM Extraction (Sprint 3200.0002)
  • Phase 3: CLI Commands (Sprint 4300.0004)
  • Phase 4: Documentation (Sprint 5100.0005)

Critical Blocker:

  • Pre-existing Attestor WebService build errors (separate maintenance sprint required)

Obstacle 1: Pre-Existing Attestor WebService Build Errors

Problem Analysis

Scope: Out of scope for Sprint 3200.0001.0001 Impact: Blocks full Attestor WebService deployment Severity: MEDIUM (does not block StandardPredicates library functionality)

Error Categories:

  1. API Evolution Errors (6 instances):

    ProofChainQueryService.cs:40  - AttestorEntryQuery.ArtifactSha256 missing
ProofChainQueryService.cs:42  - AttestorEntryQuery.SortBy missing
ProofChainQueryService.cs:43  - AttestorEntryQuery.SortDirection missing
ProofChainQueryService.cs:51  - AttestorEntry.Id missing
ProofChainQueryService.cs:157 - AttestorEntry.Id missing

  2. Method Group Errors (1 instance):

    ProofChainController.cs:100 - Operator '==' cannot apply to method group and int

  3. Type Immutability Errors (2 instances):

    VexProofIntegrator.cs:58 - InTotoStatement.Type is read-only
VexProofIntegrator.cs:94 - Pattern type mismatch

Root Cause

These errors indicate API changes in other modules (AttestorEntry, AttestorEntryQuery, InTotoStatement) that occurred in parallel development streams. The changes broke existing consumers but were not caught by CI/CD.

Strategy: Maintenance Sprint

Recommendation: Create Sprint MAINT_3200_0000 before Sprint 3200.0002

Estimated Effort: 1-2 days

Approach:

  1. Investigate AttestorEntry API changes

    git log --all --grep="AttestorEntry" --since="2 months ago"
git diff HEAD~50 -- "*/AttestorEntry.cs"
    • Determine if .Id property was removed or renamed
    • Check if replacement property exists (e.g., .Uuid, .RekorUuid)

  2. Update consumers systematically

    • ProofChainQueryService: Replace .Id with correct property
    • ProofChainQueryService: Restore or replace query properties
    • ProofChainController: Fix method invocation (add () if needed)

  3. Fix InTotoStatement immutability

    • VexProofIntegrator: Use constructor/with-expression instead of assignment
    • Pattern match: Use correct type hierarchy

  4. Verification:

    • Build Attestor.WebService successfully
    • Run existing Attestor integration tests
    • Verify StandardPredicates integration still works

Workaround (Immediate):

StandardPredicates library can be used in other contexts without Attestor WebService:

  • Scanner BYOS ingestion (Sprint 3200.0002)
  • CLI direct usage (Sprint 4300.0004)
  • Standalone attestation validation tools

Obstacle 2: Missing Integration Tests with Real Samples

Problem Analysis

Scope: In scope for Sprint 3200.0002 Impact: Cannot verify real-world interoperability Severity: HIGH (blocks production readiness)

Gap: Unit tests use synthetic JSON, not real attestations from Cosign/Trivy/Syft

Strategy: Golden Fixture Generation

Objective: Generate golden fixtures from real tools and verify StandardPredicates can parse them

Step 1: Generate Cosign SPDX Attestation

# Generate SBOM with Syft
syft packages docker.io/alpine:latest -o spdx-json > sbom-spdx.json

# Sign with Cosign (keyless)
cosign attest --type spdx \
  --predicate sbom-spdx.json \
  docker.io/myregistry/myimage:latest

# Download attestation
cosign download attestation docker.io/myregistry/myimage:latest \
  > fixtures/cosign-spdx-keyless.dsse.json

Step 2: Generate Trivy CycloneDX Attestation

# Generate CycloneDX SBOM with Trivy
trivy image --format cyclonedx \
  --output sbom-cdx.json \
  docker.io/alpine:latest

# Sign with Cosign
cosign attest --type cyclonedx \
  --predicate sbom-cdx.json \
  docker.io/myregistry/myimage:latest

# Download attestation
cosign download attestation docker.io/myregistry/myimage:latest \
  > fixtures/trivy-cdx-keyless.dsse.json

Step 3: Generate Syft SPDX 2.3 Attestation

# Generate SPDX 2.3 SBOM
syft packages docker.io/alpine:latest \
  -o spdx-json@2.3 > sbom-spdx23.json

# Sign with key-based Cosign
cosign attest --type spdx \
  --key cosign.key \
  --predicate sbom-spdx23.json \
  docker.io/myregistry/myimage:latest

Step 4: Create Integration Tests

[Fact]
public async Task ParseRealCosignSpdxAttestation()
{
    // Arrange
    var json = await File.ReadAllTextAsync("fixtures/cosign-spdx-keyless.dsse.json");
    var envelope = JsonDocument.Parse(json);
    var predicateType = envelope.RootElement.GetProperty("predicateType").GetString();
    var predicatePayload = envelope.RootElement.GetProperty("predicate");

    // Act
    var result = await _router.RouteAsync(predicateType!, predicatePayload);

    // Assert
    result.IsValid.Should().BeTrue();
    result.Category.Should().Be("spdx");
    result.Sbom.Should().NotBeNull();
    result.Sbom!.SbomSha256.Should().NotBeNullOrEmpty();
}

Location: src/Attestor/__Tests/StellaOps.Attestor.StandardPredicates.Tests/Integration/

Fixtures Location: docs/modules/attestor/fixtures/standard-predicates/

Obstacle 3: Incomplete Test Coverage

Problem Analysis

Current Coverage:

  • StandardPredicateRegistry: 100% (12 tests)
  • SpdxPredicateParser: 100% (13 tests)
  • ⚠️ CycloneDxPredicateParser: 0% (no tests)
  • ⚠️ SlsaProvenancePredicateParser: 0% (no tests)

Impact: Cannot verify CycloneDX/SLSA parsers work correctly

Strategy: Complete Test Suite

Step 1: CycloneDxPredicateParser Tests

Create Parsers/CycloneDxPredicateParserTests.cs with:

  1. PredicateType URI validation
  2. Valid CycloneDX 1.4, 1.5, 1.6, 1.7 parsing
  3. Missing bomFormat/specVersion validation
  4. SBOM extraction with deterministic hashing
  5. Metadata extraction (serialNumber, timestamp, tools, components)
  6. Invalid BOM returns null

Estimated: 15-20 tests

Step 2: SlsaProvenancePredicateParser Tests

Create Parsers/SlsaProvenancePredicateParserTests.cs with:

  1. PredicateType URI validation
  2. Valid SLSA v1.0 parsing
  3. Missing buildDefinition/runDetails validation
  4. Builder.id validation
  5. Metadata extraction (buildType, repository, builderId)
  6. ExtractSbom returns null (provenance is not SBOM)

Estimated: 12-15 tests

Target: 50+ total tests with 90%+ coverage

Obstacle 4: DSSE Envelope Extraction Not Yet Implemented

Problem Analysis

Scope: Sprint 3200.0002 Impact: Cannot ingest third-party attestations in Scanner BYOS Severity: HIGH (blocks end-to-end workflow)

Current State:

  • StandardPredicates can parse predicates
  • Scanner BYOS cannot accept DSSE envelopes
  • No unwrapping logic for DSSE → predicate extraction

Strategy: Implement DSSE Extraction Library

Step 1: Create Ingestion Library

src/Scanner/__Libraries/StellaOps.Scanner.Ingestion.Attestation/
├── DsseEnvelopeExtractor.cs
├── IDsseEnvelopeExtractor.cs
├── DsseEnvelope.cs (models)
└── StellaOps.Scanner.Ingestion.Attestation.csproj

Step 2: Implement Extractor

public interface IDsseEnvelopeExtractor
{
    /// <summary>
    /// Extract predicate type and payload from DSSE envelope.
    /// </summary>
    DsseExtractionResult ExtractPredicate(JsonDocument dsseEnvelope);
}

public sealed record DsseExtractionResult
{
    public required string PredicateType { get; init; }
    public required JsonElement PredicatePayload { get; init; }
    public required string PayloadType { get; init; }
    public IReadOnlyList<DsseSignature> Signatures { get; init; } = Array.Empty<DsseSignature>();
}

Step 3: Extend Scanner BYOS API

// POST /api/v1/sbom/upload
public sealed record SbomUploadRequest
{
    public string? Sbom { get; init; }              // Direct SBOM (existing)
    public string? DsseEnvelope { get; init; }      // NEW: DSSE-wrapped SBOM
    public string? SubjectDigest { get; init; }
    // ...
}

Step 4: Ingestion Pipeline

DSSE Envelope → DsseEnvelopeExtractor → StandardPredicates Parser → SBOM Extraction → Normalization → BYOS

Estimated Effort: 2-3 days

Obstacle 5: CLI Commands Not Yet Implemented

Problem Analysis

Scope: Sprint 4300.0004 Impact: No end-user workflows for attestation handling Severity: MEDIUM (blocks user adoption)

Required Commands:

  1. stella attest extract-sbom - Extract SBOM from attestation file
  2. stella attest verify --extract-sbom - Verify and extract
  3. stella sbom upload --from-attestation - Upload attestation to Scanner

Strategy: Implement CLI Commands

Step 1: ExtractSbomCommand

// stella attest extract-sbom attestation.dsse.json --output sbom.json
public sealed class ExtractSbomCommand : Command
{
    private readonly IDsseEnvelopeExtractor _dsseExtractor;
    private readonly IStandardPredicateRegistry _predicateRegistry;

    public async Task<int> ExecuteAsync(
        FileInfo attestationFile,
        FileInfo? outputFile,
        CancellationToken cancellationToken)
    {
        // 1. Read attestation file
        // 2. Extract DSSE envelope
        // 3. Parse predicate
        // 4. Extract SBOM
        // 5. Write to output file
        // 6. Display hash for verification
    }
}

Step 2: Enhance VerifyCommand

// stella attest verify attestation.dsse.json --extract-sbom --output sbom.json
public sealed class VerifyCommand : Command
{
    // Add --extract-sbom flag
    // After verification succeeds, extract SBOM
}

Step 3: Enhance SbomUploadCommand

// stella sbom upload --from-attestation attestation.dsse.json --subject docker.io/alpine:latest
public sealed class SbomUploadCommand : Command
{
    // Add --from-attestation flag
    // Extract SBOM from attestation
    // Upload to Scanner BYOS API
}

Estimated Effort: 3-4 days

Obstacle 6: Documentation Incomplete

Problem Analysis

Current Documentation:

  • Cosign integration guide (16,000+ words)
  • Trivy attestation workflow guide
  • Syft attestation workflow guide
  • Attestor architecture updates
  • CLI command reference

Impact: Users cannot adopt attestation workflows

Strategy: Complete Documentation Suite

Sprint 5100.0005 — Documentation

Trivy Integration Guide (docs/interop/trivy-attestation-workflow.md):

  • Generate CycloneDX BOM with Trivy
  • Sign with Cosign
  • Upload to StellaOps
  • Verify attestation
  • Compare Trivy vs StellaOps scanning results

Syft Integration Guide (docs/interop/syft-attestation-workflow.md):

  • Generate SPDX SBOM with Syft
  • Sign with Cosign
  • Upload to StellaOps
  • Policy evaluation with third-party SBOMs

Architecture Updates (docs/modules/attestor/architecture.md):

  • Add StandardPredicates section
  • Document predicate type routing
  • Explain SBOM extraction pipeline

CLI Reference (docs/09_API_CLI_REFERENCE.md):

  • Document new stella attest extract-sbom command
  • Document --extract-sbom flag
  • Document --from-attestation flag

Estimated Effort: 2-3 days

Recommended Sprint Sequence

Sprint MAINT_3200_0000 (Maintenance)

Priority: 🔴 HIGH (BLOCKING) Duration: 1-2 days

Objectives:

  1. Fix AttestorEntry API changes
  2. Fix AttestorEntryQuery API changes
  3. Fix ProofChainController errors
  4. Fix VexProofIntegrator errors
  5. Verify Attestor WebService builds
  6. Run existing Attestor tests

Success Criteria:

  • Attestor.WebService builds with 0 errors
  • All existing Attestor tests pass
  • StandardPredicates integration still works

Sprint 3200.0002.0001 (DSSE SBOM Extraction)

Priority: 🟠 HIGH Duration: 2-3 days Prerequisites: Sprint MAINT_3200_0000 complete

Objectives:

  1. Create StellaOps.Scanner.Ingestion.Attestation library
  2. Implement DsseEnvelopeExtractor
  3. Extend Scanner BYOS API with dsseEnvelope parameter
  4. Integration tests with real Cosign/Trivy samples
  5. Generate golden fixtures

Success Criteria:

  • Scanner BYOS accepts DSSE envelopes
  • SBOM extracted from Cosign attestations
  • SBOM extracted from Trivy attestations
  • Integration tests pass with golden fixtures

Sprint 3200.0003.0001 (Complete Test Coverage)

Priority: 🟡 MEDIUM Duration: 1-2 days Prerequisites: Sprint 3200.0002.0001 complete

Objectives:

  1. Add CycloneDxPredicateParser tests (15-20 tests)
  2. Add SlsaProvenancePredicateParser tests (12-15 tests)
  3. Add PredicateTypeRouter tests (10-15 tests)
  4. Achieve 90%+ code coverage
  5. Performance benchmarks

Success Criteria:

  • 50+ total tests passing
  • 90%+ code coverage
  • Parser performance >1000 parses/sec

Sprint 4300.0004.0001 (CLI Commands)

Priority: 🟡 MEDIUM Duration: 3-4 days Prerequisites: Sprint 3200.0002.0001 complete

Objectives:

  1. Implement stella attest extract-sbom command
  2. Enhance stella attest verify with --extract-sbom
  3. Enhance stella sbom upload with --from-attestation
  4. CLI integration tests
  5. User documentation

Success Criteria:

  • All CLI commands work end-to-end
  • Integration tests pass
  • User can extract SBOM from Cosign attestation
  • User can upload attestation to Scanner

Sprint 5100.0005.0001 (Documentation)

Priority: 🟢 LOW Duration: 2-3 days Prerequisites: Sprints 3200.0002 and 4300.0004 complete

Objectives:

  1. Create Trivy integration guide
  2. Create Syft integration guide
  3. Update Attestor architecture docs
  4. Update CLI reference
  5. Create video tutorials (optional)

Success Criteria:

  • All integration guides complete
  • Architecture docs updated
  • CLI reference complete
  • User can follow guides without assistance

Risk Mitigation

Risk 1: Cosign Format Changes

Probability: MEDIUM Impact: HIGH

Mitigation:

  • Use versioned parsers that detect format changes
  • Maintain compatibility matrix in documentation
  • Monitor Sigstore/Cosign release notes
  • Run integration tests against multiple Cosign versions

Risk 2: Trivy API Changes

Probability: LOW Impact: MEDIUM

Mitigation:

  • Trivy's CycloneDX output is standardized
  • StandardPredicates parses standard formats, not Trivy-specific
  • If Trivy changes, only affects fixture generation

Risk 3: Performance Issues

Probability: LOW Impact: MEDIUM

Mitigation:

  • Benchmark parser performance (target: >1000 parses/sec)
  • Use streaming JSON parsing for large SBOMs
  • Cache parsed results when appropriate
  • Monitor production metrics

Risk 4: Security Vulnerabilities

Probability: LOW Impact: HIGH

Mitigation:

  • Validate DSSE envelope signatures before parsing
  • Sanitize predicate payloads before processing
  • Limit JSON parsing depth/size
  • Regular security audits

Success Metrics

Technical Metrics

Metric Target Current Gap
Library build success 100% 100% 0%
Test pass rate ≥90% 100% 0%
Test coverage ≥90% 🟡 50% 40%
Parser performance >1000/sec TBD TBD
Integration tests ≥10 🔴 0 10

Business Metrics

Metric Target Status
Trivy parity Full SPDX+CDX Design complete
Cosign interop Full support 🟡 70% complete
CLI usability <5 min onboarding Pending
Documentation 100% coverage 🟡 30% complete
Customer adoption 3 pilots Pending release

Conclusion

What's Done

  • StandardPredicates library: COMPLETE
  • Attestor integration: COMPLETE
  • Unit tests (core): COMPLETE
  • Documentation (Cosign): COMPLETE

What Remains

  1. Maintenance sprint to fix pre-existing errors (1-2 days)
  2. DSSE extraction in Scanner BYOS (2-3 days)
  3. Complete test coverage (1-2 days)
  4. CLI commands (3-4 days)
  5. Documentation (2-3 days)

Total Remaining Effort: ~10-14 days

Strategic Value

When complete, Sprint 3200 will:

  • Position StellaOps as only scanner with full SPDX + CycloneDX attestation parity
  • Enable Bring Your Own Attestation (BYOA) workflows
  • Provide multi-tool supply chain security (use best tool for each task)
  • Deliver attestation transparency (verify third-party claims)

Market Differentiation: "StellaOps: The Only Scanner That Speaks Everyone's Language"

Document Status: COMPLETE Last Updated: 2025-12-23 23:59 UTC Next Review: After Sprint MAINT_3200_0000 completion