40 lines
3.4 KiB
Markdown
40 lines
3.4 KiB
Markdown
# Metrics for attestation coverage and time-to-evidence
|
|
|
|
## Module
|
|
Unknowns
|
|
|
|
## Status
|
|
PARTIALLY_IMPLEMENTED
|
|
|
|
## Description
|
|
Some metrics services exist but the advisory noted metrics coverage at only 30%.
|
|
|
|
## What's Implemented
|
|
- **Unknowns Metrics Service**: `src/Unknowns/StellaOps.Unknowns.Services/UnknownsMetricsService.cs` -- exposes basic Prometheus/OpenTelemetry metrics for the unknowns queue including queue depth, resolution counts, and SLA breach counts.
|
|
- **Unknowns SLA Monitor Service**: `src/Unknowns/StellaOps.Unknowns.Services/UnknownsSlaMonitorService.cs` -- monitors SLA compliance for unknown resolution timelines, providing partial time-to-evidence tracking for the unknowns domain.
|
|
- **Unknowns SLA Health Check**: `src/Unknowns/StellaOps.Unknowns.Services/UnknownsSlaHealthCheck.cs` -- health check endpoint reporting unknowns SLA status, contributing to observability but not comprehensive attestation coverage metrics.
|
|
- **Unknown Ranking Model**: `src/Unknowns/__Libraries/StellaOps.Unknowns.Core/Models/UnknownRanking.cs` -- ranking model that includes priority scoring which could inform metrics prioritization.
|
|
|
|
## What's Missing
|
|
- **Attestation Coverage Metrics**: No metrics track what percentage of release artifacts have complete attestation chains. The unknowns metrics cover queue health but not attestation completeness across the entire pipeline (e.g., "X% of images have SBOM + VEX + provenance attestations").
|
|
- **Time-to-Evidence Metrics**: No end-to-end time-to-evidence metric exists tracking the duration from vulnerability discovery to complete evidence availability (scanner result -> reachability analysis -> VEX decision -> attestation). The SLA monitor tracks unknowns resolution time but not the broader evidence pipeline.
|
|
- **Per-Provider Coverage Breakdown**: No metrics break down attestation coverage by provider/scanner (e.g., "Trivy provides SBOM for 95% of images, reachability analysis covers 60%").
|
|
- **Evidence Freshness Metrics**: No metrics track evidence staleness (e.g., "SBOM is 30 days old, VEX decision is 7 days old") across the artifact estate.
|
|
- **Dashboard Integration**: No pre-built Grafana dashboards or Web UI panels exist for visualizing attestation coverage and time-to-evidence trends.
|
|
- **Cross-Module Metrics Aggregation**: Metrics are siloed per module (Unknowns, Attestor, EvidenceLocker); no aggregation layer combines them into a unified attestation coverage view.
|
|
|
|
## Implementation Plan
|
|
- Define attestation coverage metrics: per-artifact attestation completeness (SBOM present, VEX present, provenance present, reachability analysis present)
|
|
- Implement a metrics aggregation service that queries Attestor, EvidenceLocker, and Unknowns to compute estate-wide attestation coverage percentages
|
|
- Add time-to-evidence histogram metrics tracking the duration from vulnerability publication to complete evidence chain availability
|
|
- Add per-provider coverage breakdown metrics
|
|
- Add evidence freshness metrics (age of latest SBOM, VEX, provenance per artifact)
|
|
- Build Grafana dashboard templates for attestation coverage and time-to-evidence visualization
|
|
- Target: increase metrics coverage from 30% to 90%+ of the advisory specification
|
|
|
|
## Related Documentation
|
|
- Unknowns metrics: `src/Unknowns/StellaOps.Unknowns.Services/UnknownsMetricsService.cs`
|
|
- Attestor proof chain: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/`
|
|
- Evidence locker: `src/EvidenceLocker/`
|
|
- VexLens (VEX processing): `src/VexLens/`
|