git.stella-ops.org/TODOS.md
root df5984d07e
2025-10-10 06:53:40 +00:00

Pending Task Backlog

Last updated: 2025-10-09 (UTC)

Common

  • Build/test sweeps (QA DONE)
    Full dotnet test is green again after wiring the Authority plugin abstractions into StellaOps.Configuration and updating CLI export tests for the new publish/include overrides. Keep running the sweep weekly and capture timings so we catch regressions early.

  • OSV vs GHSA parity checks (QA & BE-Merge TODO)
    Design and implement a diff detector comparing OSV advisories against GHSA records. The deliverable should flag mismatched aliases, missing affected ranges, or divergent severities, surface actionable telemetry/alerts, and include regression tests with canned OSV+GHSA fixtures.
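The parity check described in this item, as an added example rather than Feedser code: a small detector that compares an OSV-shaped advisory with a GHSA-shaped record and reports alias, range and severity mismatches as structured findings suitable for telemetry. Both fixtures are constructed; the ids and versions in them are placeholders, and the GHSA field names follow the GitHub advisory REST API as an assumption.

```python
"""Added example: OSV vs GHSA parity diff over constructed fixtures."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mismatch:
    kind: str    # "alias", "range" or "severity"
    detail: str  # human-readable explanation for telemetry/alerting


# Constructed OSV-shaped advisory (OSV schema field names). Ids/versions are placeholders.
OSV_FIXTURE = {
    "id": "GHSA-xxxx-xxxx-xxxx",
    "aliases": ["CVE-0000-00001"],
    "affected": [
        {"package": {"ecosystem": "npm", "name": "example-lib"},
         "ranges": [{"type": "ECOSYSTEM",
                     "events": [{"introduced": "0"}, {"fixed": "2.0.1"}]}]},
        {"package": {"ecosystem": "PyPI", "name": "example-lib"},
         "ranges": [{"type": "ECOSYSTEM",
                     "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.0"}]}]},
    ],
    "database_specific": {"severity": "HIGH"},
}

# Constructed GHSA-shaped record. Field names are modelled on the GitHub advisory
# REST API (an assumption). It deliberately disagrees with the OSV fixture on the
# CVE alias, the severity band and the PyPI range, which it omits entirely.
GHSA_FIXTURE = {
    "ghsa_id": "GHSA-xxxx-xxxx-xxxx",
    "identifiers": [{"type": "GHSA", "value": "GHSA-xxxx-xxxx-xxxx"},
                    {"type": "CVE", "value": "CVE-0000-00002"}],
    "severity": "critical",
    "vulnerabilities": [
        {"package": {"ecosystem": "npm", "name": "example-lib"},
         "vulnerable_version_range": "< 2.0.1",
         "first_patched_version": "2.0.1"},
    ],
}


def osv_aliases(osv: dict) -> set[str]:
    """Every identifier the OSV record claims, including its own id."""
    return {osv["id"], *osv.get("aliases", [])}


def ghsa_aliases(ghsa: dict) -> set[str]:
    """Every identifier the GHSA record claims, including its own id."""
    return {ghsa["ghsa_id"], *(i["value"] for i in ghsa.get("identifiers", []))}


def _pkg_key(pkg: dict) -> tuple[str, str]:
    # Ecosystem/name comparisons are case-insensitive ("PyPI" vs "pypi").
    return pkg["ecosystem"].lower(), pkg["name"].lower()


def osv_fixed_versions(osv: dict) -> dict[tuple[str, str], set[str]]:
    """(ecosystem, name) -> set of 'fixed' versions across all OSV range events."""
    out: dict[tuple[str, str], set[str]] = {}
    for affected in osv.get("affected", []):
        fixed = out.setdefault(_pkg_key(affected["package"]), set())
        for rng in affected.get("ranges", []):
            fixed.update(ev["fixed"] for ev in rng.get("events", []) if "fixed" in ev)
    return out


def ghsa_fixed_versions(ghsa: dict) -> dict[tuple[str, str], set[str]]:
    """(ecosystem, name) -> set of first_patched_version values in the GHSA record."""
    out: dict[tuple[str, str], set[str]] = {}
    for vuln in ghsa.get("vulnerabilities", []):
        fixed = out.setdefault(_pkg_key(vuln["package"]), set())
        if vuln.get("first_patched_version"):
            fixed.add(vuln["first_patched_version"])
    return out


def diff_osv_ghsa(osv: dict, ghsa: dict) -> list[Mismatch]:
    """Return all parity findings; an empty list means the two records agree."""
    findings: list[Mismatch] = []
    a, b = osv_aliases(osv), ghsa_aliases(ghsa)
    for alias in sorted(a ^ b):  # symmetric difference: present on one side only
        findings.append(Mismatch("alias", f"{alias} ({'OSV only' if alias in a else 'GHSA only'})"))
    ro, rg = osv_fixed_versions(osv), ghsa_fixed_versions(ghsa)
    for key in sorted(set(ro) | set(rg)):
        label = f"{key[0]}/{key[1]}"
        if key not in rg:
            findings.append(Mismatch("range", f"{label} missing from GHSA"))
        elif key not in ro:
            findings.append(Mismatch("range", f"{label} missing from OSV"))
        elif ro[key] != rg[key]:
            findings.append(Mismatch("range", f"{label} fixed versions differ: "
                                              f"OSV={sorted(ro[key])} GHSA={sorted(rg[key])}"))
    sev_osv = (osv.get("database_specific") or {}).get("severity")
    sev_ghsa = ghsa.get("severity")
    if (sev_osv or "").upper() != (sev_ghsa or "").upper():
        findings.append(Mismatch("severity", f"OSV={sev_osv} GHSA={sev_ghsa}"))
    return findings


if __name__ == "__main__":
    for m in diff_osv_ghsa(OSV_FIXTURE, GHSA_FIXTURE):
        print(f"{m.kind:9s} {m.detail}")
```

Each `Mismatch` maps directly onto a counter or alert label (`kind`) plus a free-text detail, which is the shape the regression tests can assert on: run the detector over the canned pair and compare the finding list to the expected one, then over an aligned pair and expect no findings.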

Prerequisites

  • Range primitives for SemVer/EVR/NEVRA metadata (BE-Merge DOING)
    The core model supports range primitives, but several connectors still emit raw strings. Current gaps (snapshot 20251009, post-Kaspersky/CERT-In/CERT-FR/JVN updates): Acsc, Cccs, CertBund, CertCc, Cve, Ghsa, Ics.Cisa, Kev, Kisa, Ru.Bdu, Ru.Nkcki, Vndr.Apple, Vndr.Cisco, Vndr.Msrc. We need to extend those mappers to populate the structured envelopes (SemVer/EVR/NEVRA plus vendor extensions) and add fixture coverage so merge/export layers see consistent telemetry. (Delivered: ICS.Kaspersky, CERT-In, CERT-FR emit vendor primitives; JVN captures version/build metadata.)

  • Provenance envelope field masks (BE-Merge DOING)
    Provenance needs richer categorisation (component category, severity bands, resume counters) and better dedupe metrics. Update the provenance model, extend diagnostics to emit the new tags, and refresh dashboards/tests to ensure determinism once additional metadata flows through.

Implementations

  • Model provenance & range backlog (BE-Merge DOING)
    With Adobe/Ubuntu now emitting range primitives, focus on the remaining connectors (e.g., Apple, smaller vendor PSIRTs). Update their pipelines, regenerate goldens, and confirm feedser.range.primitives metrics reflect the added telemetry. The task closes when every high-priority source produces structured ranges with provenance.

  • Trivy DB exporter delta strategy (BE-Export TODO)
    Finalise the delta-reset story in ExportStateManager: define when to invalidate baselines, how to reuse unchanged layers, and document operator workflows. Implement planner logic for layer reuse, update exporter tests, and exercise a delta→full→delta sequence.

  • Red Hat fixture validation sweep (QA DOING)
    Regenerate RHSA fixtures with the latest connector output and make sure the regenerated snapshots align once the outstanding connector tweaks land. Pending prerequisites: land the mapper reference-normalisation patch (local branch redhat/ref-dedupe) and the range provenance backfill (RangePrimitives.GetCoverageTag). Once those land, run UPDATE_RHSA_FIXTURES=1 dotnet test src/StellaOps.Feedser.Source.Distro.RedHat.Tests/StellaOps.Feedser.Source.Distro.RedHat.Tests.csproj, review the refreshed Fixtures/rhsa-*.json, and sync the task status to DONE.

  • Plan incremental/delta exports (BE-Export DOING)
    TrivyDbExportPlanner now captures changed files but does not yet reuse existing OCI layers. Extend the planner to build per-file manifests, teach the writer to skip untouched layers, and add delta-cycle tests covering file removals, additions, and checksum changes.

  • Scan execution & result upload workflow (DevEx/CLI & Ops Integrator DOING)
    stella scan run now emits a structured scan-run-*.json alongside artefacts. Remaining work: add resilient upload retries/backoff, cover success/retry/cancellation with integration tests, and expand docs with docker/dotnet/native runner examples plus metadata troubleshooting tips.
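The retry/backoff behaviour this item calls for, as an added example that is not the stella CLI's own code: an upload loop with full-jitter exponential backoff that retries only transient failures, stops when a cancellation flag is observed, and gives up after a bounded number of attempts. The sleep and random sources are injectable so the success, retry and cancellation paths can be driven deterministically in tests; the `FlakySender` stand-in for the upload endpoint and the `scan-run` payload are constructed.

```python
"""Added example: resilient upload with backoff, bounded retries and cancellation."""
import random
import time
from typing import Callable


class RetryableUploadError(Exception):
    """Transient failure (connection reset, HTTP 5xx/429): safe to retry."""


class UploadCancelled(Exception):
    """Raised when the caller's cancellation flag is observed between attempts."""


def backoff_delay(attempt: int, *, base: float = 0.5, cap: float = 8.0,
                  rng: Callable[[], float] = random.random) -> float:
    """Full-jitter exponential backoff: uniform(0, min(cap, base * 2**attempt))."""
    return rng() * min(cap, base * (2 ** attempt))


def upload_with_retry(send: Callable[[bytes], str], payload: bytes, *,
                      max_attempts: int = 5,
                      is_cancelled: Callable[[], bool] = lambda: False,
                      sleep: Callable[[float], None] = time.sleep,
                      rng: Callable[[], float] = random.random) -> str:
    """Call send(payload) until it succeeds, cancellation is seen, or attempts run out.

    Only RetryableUploadError triggers a retry; any other exception (for example
    an authentication failure) propagates at once so a bad credential is not
    retried. Returns whatever send() returns, e.g. a server-assigned upload id.
    """
    last_error: RetryableUploadError | None = None
    for attempt in range(max_attempts):
        if is_cancelled():
            raise UploadCancelled(f"cancelled before attempt {attempt + 1}")
        try:
            return send(payload)
        except RetryableUploadError as exc:
            last_error = exc
            if attempt + 1 == max_attempts:
                break
            sleep(backoff_delay(attempt, rng=rng))
    raise RetryableUploadError(f"gave up after {max_attempts} attempts") from last_error


class FlakySender:
    """Constructed stand-in for the upload endpoint: fails `failures` times, then succeeds."""

    def __init__(self, failures: int) -> None:
        self.failures = failures
        self.calls = 0

    def __call__(self, payload: bytes) -> str:
        self.calls += 1
        if self.calls <= self.failures:
            raise RetryableUploadError(f"transient failure #{self.calls}")
        return f"upload-{len(payload)}-ok"


def simulate() -> dict:
    """Drive the success, cancellation and exhaustion paths with a fake clock."""
    fixed_rng = lambda: 1.0  # deterministic jitter: always the top of the window
    no_sleep = lambda _: None

    # 1. Two transient failures, then success; record the delays actually requested.
    delays: list[float] = []
    sender = FlakySender(failures=2)
    result = upload_with_retry(sender, b"scan-run", sleep=delays.append, rng=fixed_rng)

    # 2. Cancellation raised once the first attempt has been made.
    polls = {"n": 0}

    def cancel_after_first() -> bool:
        polls["n"] += 1
        return polls["n"] > 1

    cancelled = None
    try:
        upload_with_retry(FlakySender(failures=5), b"x", is_cancelled=cancel_after_first,
                          sleep=no_sleep, rng=fixed_rng)
    except UploadCancelled as exc:
        cancelled = str(exc)

    # 3. Attempt budget exhausted against a sender that never recovers.
    exhausted = False
    try:
        upload_with_retry(FlakySender(failures=9), b"x", max_attempts=3, sleep=no_sleep, rng=fixed_rng)
    except RetryableUploadError:
        exhausted = True

    return {"result": result, "attempts": sender.calls, "delays": delays,
            "cancelled": cancelled, "exhausted": exhausted}


if __name__ == "__main__":
    print(simulate())
```

With `rng` pinned to 1.0 the delays are the window caps (0.5 s, then 1.0 s), which is what an integration test can assert against; in production the default `random.random` spreads retries so many clients recovering from the same outage do not synchronise.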