stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
dfaa2079aa9d25cf04ceaffd70dacd298b46106f
git.stella-ops.org/docs/implplan/SPRINT_7000_SUMMARY.md
StellaOps Bot 634233dfed feat: Implement distro-native version comparison for RPM, Debian, and Alpine packages 
- Add RpmVersionComparer for RPM version comparison with epoch, version, and release handling.
- Introduce DebianVersion for parsing Debian EVR (Epoch:Version-Release) strings.
- Create ApkVersion for parsing Alpine APK version strings with suffix support.
- Define IVersionComparator interface for version comparison with proof-line generation.
- Implement VersionComparisonResult struct to encapsulate comparison results and proof lines.
- Add tests for Debian and RPM version comparers to ensure correct functionality and edge case handling.
- Create project files for the version comparison library and its tests.
2025-12-22 09:50:12 +02:00

15 KiB
Raw Blame History

Sprint Epic 7000 - Competitive Moat & Explainable Triage

Overview

Epic 7000 encompasses two major capability sets:

  1. Competitive Benchmarking (batch 0001): Verifiable competitive differentiation through benchmarking infrastructure, SBOM lineage semantics, auditor-grade explainability, and integrated three-layer reachability analysis. Source: 19-Dec-2025 advisory

  2. Explainable Triage Workflows (batches 0002-0005): Policy-backed, reachability-informed, runtime-corroborated verdicts with full explainability and auditability. Source: 21-Dec-2025 advisory

IMPLID: 7000 (Competitive Moat & Explainable Triage) Total Sprints: 12 Total Tasks: 68 Source Advisories:

  • docs/product-advisories/archived/19-Dec-2025 - Benchmarking Container Scanners Against Stella Ops.md
  • docs/product-advisories/archived/21-Dec-2025 - Designing Explainable Triage Workflows.md

Gap Analysis Summary

Gap Severity Sprint Status
No competitive benchmarking infrastructure HIGH 7000.0001.0001 TODO
SBOM as static document, no lineage/versioning HIGH 7000.0001.0002 TODO
No assumption-set or falsifiability tracking HIGH 7000.0001.0003 TODO
3-layer reachability not integrated MEDIUM 7000.0001.0004 TODO

Epic Structure

Phase 1: Benchmarking Foundation

Sprint Name Tasks Priority Duration
7000.0001.0001 Competitive Benchmarking Infrastructure 7 HIGH 2 weeks

Key Deliverables:

  • Reference corpus with ground-truth annotations
  • Comparison harness for Trivy, Grype, Syft
  • Precision/recall/F1 metrics
  • Claims index with verifiable evidence
  • Marketing battlecard generator

Phase 2: SBOM Evolution

Sprint Name Tasks Priority Duration
7000.0001.0002 SBOM Lineage & Repository Semantics 7 HIGH 2 weeks

Key Deliverables:

  • SBOM lineage DAG with content-addressable storage
  • Semantic diff engine (component-level deltas)
  • Rebuild reproducibility proof manifest
  • Lineage traversal API

Phase 3: Explainability Enhancement

Sprint Name Tasks Priority Duration
7000.0001.0003 Explainability with Assumptions & Falsifiability 7 HIGH 2 weeks

Key Deliverables:

  • Assumption-set model (compiler flags, runtime config, feature gates)
  • Falsifiability criteria ("what would disprove this?")
  • Evidence-density confidence scorer
  • Updated DSSE predicate schema

Phase 4: Reachability Integration

Sprint Name Tasks Priority Duration
7000.0001.0004 Three-Layer Reachability Integration 7 MEDIUM 2 weeks

Key Deliverables:

  • ReachabilityStack composite model
  • Layer 2: Binary loader resolution (ELF/PE)
  • Layer 3: Feature flag / config gating
  • "All-three-align" exploitability proof

Batch 2: Explainable Triage Foundation

Phase 5: Confidence & UX

Sprint Name Tasks Priority
7000.0002.0001 Unified Confidence Model 5 HIGH
7000.0002.0002 Vulnerability-First UX API 5 HIGH

Key Deliverables:

  • ConfidenceScore with 5-factor breakdown (Reachability, Runtime, VEX, Provenance, Policy)
  • FindingSummaryResponse with verdict chip, confidence chip, one-liner
  • ProofBadges for visual evidence indicators
  • Findings list and detail API endpoints

Phase 6: Visualization APIs

Sprint Name Tasks Priority
7000.0003.0001 Evidence Graph API 4 MEDIUM
7000.0003.0002 Reachability Mini-Map API 4 MEDIUM
7000.0003.0003 Runtime Timeline API 4 MEDIUM

Key Deliverables:

  • Evidence graph with nodes, edges, signature status
  • Reachability mini-map with condensed call paths
  • Runtime timeline with time-windowed observations and posture

Phase 7: Fidelity & Budgets

Sprint Name Tasks Priority
7000.0004.0001 Progressive Fidelity Mode 5 HIGH
7000.0004.0002 Evidence Size Budgets 4 MEDIUM

Key Deliverables:

  • FidelityLevel enum with Quick/Standard/Deep modes
  • Fidelity-aware analyzer orchestration with timeouts
  • EvidenceBudget with per-scan caps
  • Retention tier management (Hot/Warm/Cold/Archive)

Phase 8: Metrics & Observability

Sprint Name Tasks Priority
7000.0005.0001 Quality KPIs Tracking 5 MEDIUM

Key Deliverables:

  • TriageQualityKpis model
  • KPI collection and snapshotting
  • Dashboard API endpoint

Dependency Graph

graph TD
    subgraph Batch1["Batch 1: Competitive Moat"]
        S7001[7000.0001.0001<br/>Benchmarking]
        S7002[7000.0001.0002<br/>SBOM Lineage]
        S7003[7000.0001.0003<br/>Explainability]
        S7004[7000.0001.0004<br/>3-Layer Reach]

        S7001 --> S7002
        S7002 --> S7004
        S7003 --> S7004
    end

    subgraph Batch2["Batch 2: Explainable Triage"]
        S7021[7000.0002.0001<br/>Confidence Model]
        S7022[7000.0002.0002<br/>UX API]
        S7031[7000.0003.0001<br/>Evidence Graph]
        S7032[7000.0003.0002<br/>Mini-Map]
        S7033[7000.0003.0003<br/>Timeline]
        S7041[7000.0004.0001<br/>Fidelity]
        S7042[7000.0004.0002<br/>Budgets]
        S7051[7000.0005.0001<br/>KPIs]

        S7021 --> S7022
        S7022 --> S7031
        S7022 --> S7032
        S7022 --> S7033
        S7021 --> S7051
    end

    subgraph External["Related Sprints"]
        S4200[4200.0001.0002<br/>VEX Lattice]
        S4500[4500.0002.0001<br/>VEX Conflict Studio]
        S3500[3500 Series<br/>Score Proofs - DONE]
        S4100[4100.0003.0001<br/>Risk Verdict]
    end

    S7001 --> S4500
    S3500 --> S7003
    S7021 --> S4100

Integration Points

Scanner Module

  • StellaOps.Scanner.Benchmark - New library for competitor comparison
  • StellaOps.Scanner.Emit - Enhanced with lineage tracking
  • StellaOps.Scanner.Reachability - 3-layer stack integration

Policy Module

  • StellaOps.Policy.Explainability - Assumption-set and falsifiability models

Attestor Module

  • Updated predicate schemas for explainability fields

Success Criteria

Batch 1: Competitive Moat

Sprint 7000.0001.0001 (Benchmarking)

  • 50+ image corpus with ground-truth annotations
  • Automated comparison against Trivy, Grype, Syft
  • Precision/recall metrics published
  • Claims index with evidence links

Sprint 7000.0001.0002 (SBOM Lineage)

  • SBOM versioning with content-addressable storage
  • Semantic diff between SBOM versions
  • Lineage API operational
  • Deterministic diff output

Sprint 7000.0001.0003 (Explainability)

  • Assumption-set tracked for all findings
  • Falsifiability criteria in explainer output
  • Evidence-density confidence scores
  • UI widget for assumption drill-down

Sprint 7000.0001.0004 (3-Layer Reachability)

  • All 3 layers integrated in reachability analysis
  • Binary loader resolution for ELF/PE
  • Feature flag gating detection
  • "Structurally proven" exploitability tier

Batch 2: Explainable Triage

Sprint 7000.0002.0001 (Unified Confidence Model)

  • ConfidenceScore model with 5-factor breakdown
  • ConfidenceCalculator service
  • Factor explanations with evidence links
  • Bounded 0.0-1.0 scores

Sprint 7000.0002.0002 (Vulnerability-First UX API)

  • FindingSummaryResponse with verdict/confidence chips
  • ProofBadges for visual indicators
  • Findings list and detail endpoints
  • Drill-down into evidence graph

Sprint 7000.0003.0001 (Evidence Graph API)

  • EvidenceGraphResponse with nodes and edges
  • Signature status per evidence node
  • Click-through to raw evidence
  • OpenAPI documentation

Sprint 7000.0003.0002 (Reachability Mini-Map API)

  • Condensed call paths
  • Entrypoint to vulnerable component visualization
  • Depth-limited graph extraction
  • Path highlighting

Sprint 7000.0003.0003 (Runtime Timeline API)

  • Time-windowed observation buckets
  • Posture determination (Supports/Contradicts/Unknown)
  • Significant event extraction
  • Session correlation

Sprint 7000.0004.0001 (Progressive Fidelity)

  • FidelityLevel enum (Quick/Standard/Deep)
  • Fidelity-aware analyzer orchestration
  • Configurable timeouts per level
  • Fidelity upgrade endpoint

Sprint 7000.0004.0002 (Evidence Size Budgets)

  • Per-scan evidence caps
  • Retention tier management
  • Size tracking and pruning
  • Budget configuration API

Sprint 7000.0005.0001 (Quality KPIs)

  • % non-UNKNOWN reachability >80%
  • % runtime corroboration >50%
  • Explainability completeness >95%
  • Dashboard endpoint operational

Module Structure

Batch 1: Competitive Moat

src/Scanner/
├── __Libraries/
│   ├── StellaOps.Scanner.Benchmark/           # NEW: Competitor comparison
│   │   ├── Corpus/                            # Ground-truth corpus
│   │   ├── Harness/                           # Comparison harness
│   │   ├── Metrics/                           # Precision/recall
│   │   └── Claims/                            # Claims index
│   ├── StellaOps.Scanner.Emit/                # ENHANCED
│   │   └── Lineage/                           # SBOM lineage tracking
│   ├── StellaOps.Scanner.Explainability/      # NEW: Assumption/falsifiability
│   └── StellaOps.Scanner.Reachability/        # ENHANCED
│       └── Stack/                             # 3-layer integration

src/Policy/
├── __Libraries/
│   └── StellaOps.Policy.Explainability/       # NEW: Assumption models

Batch 2: Explainable Triage

src/
├── Policy/
│   └── __Libraries/
│       └── StellaOps.Policy.Confidence/       # NEW: Confidence model
│           ├── Models/
│           │   ├── ConfidenceScore.cs
│           │   └── ConfidenceFactor.cs
│           └── Services/
│               └── ConfidenceCalculator.cs
├── Scanner/
│   └── __Libraries/
│       └── StellaOps.Scanner.Orchestration/   # NEW: Fidelity orchestration
│           └── Fidelity/
│               ├── FidelityLevel.cs
│               └── FidelityAwareAnalyzer.cs
├── Findings/
│   └── StellaOps.Findings.WebService/         # EXTEND: UX APIs
│       ├── Contracts/
│       │   ├── FindingSummaryResponse.cs
│       │   ├── EvidenceGraphResponse.cs
│       │   ├── ReachabilityMiniMap.cs
│       │   └── RuntimeTimeline.cs
│       └── Endpoints/
│           ├── FindingsEndpoints.cs
│           ├── EvidenceGraphEndpoints.cs
│           ├── ReachabilityMapEndpoints.cs
│           └── RuntimeTimelineEndpoints.cs
├── Evidence/                                   # NEW: Evidence management
│   └── StellaOps.Evidence/
│       ├── Budgets/
│       └── Retention/
└── Metrics/                                    # NEW: KPI tracking
    └── StellaOps.Metrics/
        └── Kpi/
            ├── TriageQualityKpis.cs
            └── KpiCollector.cs

Documentation Created

Batch 1: Competitive Moat

Document Location Purpose
Sprint Summary docs/implplan/SPRINT_7000_SUMMARY.md This file
Benchmarking Sprint docs/implplan/SPRINT_7000_0001_0001_competitive_benchmarking.md Sprint details
SBOM Lineage Sprint docs/implplan/SPRINT_7000_0001_0002_sbom_lineage.md Sprint details
Explainability Sprint docs/implplan/SPRINT_7000_0001_0003_explainability.md Sprint details
3-Layer Reachability Sprint docs/implplan/SPRINT_7000_0001_0004_three_layer_reachability.md Sprint details
Claims Index docs/claims-index.md Verifiable competitive claims
Benchmark Architecture docs/modules/benchmark/architecture.md Module dossier

Batch 2: Explainable Triage

Document Location Purpose
Implementation Plan docs/modules/platform/explainable-triage-implementation-plan.md High-level plan
Unified Confidence Model docs/implplan/SPRINT_7000_0002_0001_unified_confidence_model.md Sprint details
Vulnerability-First UX API docs/implplan/SPRINT_7000_0002_0002_vulnerability_first_ux_api.md Sprint details
Evidence Graph API docs/implplan/SPRINT_7000_0003_0001_evidence_graph_api.md Sprint details
Reachability Mini-Map API docs/implplan/SPRINT_7000_0003_0002_reachability_minimap_api.md Sprint details
Runtime Timeline API docs/implplan/SPRINT_7000_0003_0003_runtime_timeline_api.md Sprint details
Progressive Fidelity Mode docs/implplan/SPRINT_7000_0004_0001_progressive_fidelity.md Sprint details
Evidence Size Budgets docs/implplan/SPRINT_7000_0004_0002_evidence_size_budgets.md Sprint details
Quality KPIs Tracking docs/implplan/SPRINT_7000_0005_0001_quality_kpis_tracking.md Sprint details

Related Work

Completed (Leverage)

  • Sprint 3500: Score Proofs, Unknowns Registry, Reachability foundations
  • Sprint 3600: CycloneDX 1.7, SPDX 3.0.1 generation
  • EntryTrace: Semantic, temporal, mesh, binary intelligence

In Progress (Coordinate)

  • Sprint 4100: Unknowns decay, knowledge snapshots
  • Sprint 4200: Triage API, policy lattice
  • Sprint 5100: Comprehensive testing strategy
  • Sprint 6000: BinaryIndex module

Planned (Accelerate)

  • Sprint 4500.0002.0001: VEX Conflict Studio

Execution Log

Date (UTC) Update Owner
2025-12-22 Batch 1 (Competitive Moat) created from 19-Dec-2025 advisory. 4 sprints defined. Agent
2025-12-22 Batch 2 (Explainable Triage) added from 21-Dec-2025 advisory. 8 sprints defined (73 story points). Claude

Epic Status: PLANNING (0/12 sprints complete)