- Introduced attestation inventory and subject-rekor mapping files for tracking Docker packages. - Added a comprehensive crypto registry decision document outlining defaults and required follow-ups. - Created an offline feeds manifest for bundling air-gap resources. - Implemented a script to generate and update binary manifests for curated binaries. - Added a verification script to ensure binary artefacts are located in approved directories. - Defined new schemas for AdvisoryEvidenceBundle, OrchestratorEnvelope, ScannerReportReadyPayload, and ScannerScanCompletedPayload. - Established project files for StellaOps.Orchestrator.Schemas and StellaOps.PolicyAuthoritySignals.Contracts. - Updated vendor manifest to track pinned binaries for integrity.
{
|
|
"bundleId": "19bd7cf7-c7a6-4c1c-9b9c-6f2f794e9b1a",
|
|
"advisoryId": "CVE-2025-12345",
|
|
"tenant": "demo-tenant",
|
|
"generatedAt": "2025-11-18T12:00:00Z",
|
|
"schemaVersion": 0,
|
|
"observations": [
|
|
{
|
|
"observationId": "obs-001",
|
|
"source": "vendor.psirt",
|
|
"purl": "pkg:maven/org.example/app@1.2.3",
|
|
"cve": "CVE-2025-12345",
|
|
"severity": "critical",
|
|
"cvss": {
|
|
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
|
"score": 9.8
|
|
},
|
|
"summary": "Remote code execution via deserialization of untrusted data.",
|
|
"evidence": {
|
|
"statement": "Vendor confirms unauthenticated RCE in versions <1.2.4",
|
|
"references": ["https://example.com/advisory"]
|
|
}
|
|
}
|
|
],
|
|
"signatures": [
|
|
{
|
|
"signature": "MEQCID...==",
|
|
"keyId": "authority-root-1",
|
|
"algorithm": "ecdsa-p256-sha256"
|
|
}
|
|
]
|
|
}
|
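Review bot: The `signatures` entry carries `keyId` and `algorithm` but nothing that says which bytes were signed — there is no canonicalization indicator or payload digest, so a verifier cannot tell whether the signature covers the object minus `signatures`, a JCS-canonical serialization, or a detached envelope, and two implementations can end up verifying different bytes. If the AdvisoryEvidenceBundle schema added in this commit pins this down, the sample should show it, e.g. a `"payloadDigest": "sha256:<placeholder>"` sibling of `"signature"` (constructed field name) or a documented canonical form referenced from the schema description. Separately, `advisoryId` at the top level and `observations[].cve` both carry the same identifier; these are redundant copies that can drift, so the schema should state which one is authoritative or constrain them to match. `"schemaVersion": 0` reads like a placeholder for what appears to be a conformance fixture — confirm it equals the version the published schema declares.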