git.stella-ops.org/docs/modules/scanner/design/standards-convergence-roadmap.md
StellaOps Bot e923880694
feat: Add DigestUpsertRequest and LockEntity models
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
2025-12-03 07:51:50 +02:00


Scanner Standards Convergence Roadmap (SC1)

Purpose

Define the concrete steps for adopting CVSS v4.0, CycloneDX 1.7 (incl. CBOM), and SLSA 1.2 across Scanner surfaces while keeping outputs deterministic and downgrade-friendly.

Scope

  • Scanner WebService + Worker + Replay bundles.
  • Surface contracts, CLI outputs, and CAS artifacts.
  • Downgrade adapters to CVSS v3.1, CDX 1.6, SLSA 1.0 (see SC4).

Deliverables (tie to SC tasks)

  • SC1: Roadmap with milestones, owners, and schema bump governance.
  • SC2: Deterministic CDX 1.7 + CBOM contract (fields, ordering, evidence citations).
  • SC3: SLSA Source Track capture fields for replay bundles (build-id, repo refs, provenance hooks).
  • SC4: Mapping tables for downgrade adapters; deterministic mapping rules and hashes.
  • SC5/SC8: Fixture set + determinism CI (stable ordering, seeded RNG, golden hashes).
  • SC6: Binary ↔ source evidence alignment requirements (build-id, symbols, patch oracle) feeding policy/VEX.
  • SC7: API/UI surfacing contract (filters, columns, pagination defaults) with deterministic ordering.
  • SC9: Governance/RACI for schema bumps and adapter tables.
  • SC10: Offline-kit parity: DSSE-signed schemas/mappings/fixtures, frozen bundle.

Contracts & owners (v0.1)

  • Schema leads: Scanner Guild (CDX 1.7/CBOM), Sbomer Guild (mapping), Policy Guild (severity/vectors), Ops Guild (offline kit).
  • Canonical CDX 1.7/CBOM fields (min set):
    • metadata/component (purl, hashes, evidence refs),
    • services with CBOM channels (ingress/egress),
    • vulnerabilities[*].ratings[] must carry CVSS v4 and v3.1 side-by-side; deterministic order: v4 first, then v3.1.
    • Evidence citations: properties["evidence:source"], properties["evidence:proof-id"], properties["evidence:hash"].
  • SLSA Source Track (SC3):
    • replay bundle fields: source.repo, source.ref, build.id, build.invocation.hash, provenance.dsse (hash), all required.
  • Deterministic ordering rules (apply across SC2/SC5/SC8):
    • sort components by purl, ties by name, then version (ordinal, case-insensitive);
    • vulnerabilities sorted by id, then source, then severity score desc;
    • timestamps UTC ISO-8601 at millisecond precision (no sub-ms digits); decimal rounding 4dp for ratios, 2dp for scores.
  • Adapter tables (SC4): mapping CSVs checked in under docs/modules/scanner/fixtures/adapters/ with BLAKE3 + SHA256 hashes; adapters are pure functions with no network access.

Fixtures (SC5/SC8)

  • Add to docs/modules/scanner/fixtures/cdx17-cbom/:
    • sample-cdx17-cbom.json (golden), sample-cdx16-downgraded.json, hashes.txt (BLAKE3, SHA256).
    • Include CBOM ingress/egress example, CVSS v4 vector, SLSA Source Track fields, evidence properties.
  • CI step: dotnet test hook runs deterministic serializer + hash assertion; env DOTNET_DISABLE_BUILTIN_GRAPH=1, fixed TZ=UTC, LC_ALL=C.

Governance (SC1/SC9)

  • Propose RACI: Product (A), Scanner TL (R), Sbomer TL (C), Policy TL (C), Ops (I).
  • Schema bump flow: draft → review → freeze → DSSE-sign schemas + fixtures → publish hash list → lock downgrade adapters.
  • Downgrade adapters cannot ship without approved mapping CSV + updated hashes.

Offline (SC10)

  • Offline kit must include: schemas, adapter CSVs, fixtures, hash list, DSSE envelope, tool versions (Syft/Trivy pinned) and their hashes.
  • Bundle path: out/offline/scanner-standards-kit-v1/. DSSE envelope references manifest with all hashes.
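The "publish hash list" step of the schema bump flow and the offline kit's DSSE envelope, as an added example in Python (illustration written for this page, not StellaOps code). The pre-authentication encoding and envelope layout follow the DSSE specification; the signature is an HMAC-SHA256 stand-in so the block runs with the standard library alone, where the project signs with cosign keys. The kit paths, file contents, payload type and key are constructed for the example.

```python
"""Offline-kit hash list wrapped in a DSSE envelope, then verified without network access."""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.example.offline-kit-manifest+json"   # assumed media type

# Constructed kit: artifact path -> bytes (schema, adapter CSV, fixture, tool pins).
KIT = {
    "schemas/cdx-1.7-cbom.schema.json": b'{"$id":"cdx-1.7-cbom"}',
    "adapters/cdx17-to-cdx16.csv": b"source,target,action\nspecVersion,specVersion,set:1.6\n",
    "fixtures/cdx17-cbom/sample-cdx17-cbom.json": b'{"bomFormat":"CycloneDX","specVersion":"1.7"}',
    "tools/versions.txt": b"syft=1.0.0\ntrivy=0.50.0\n",
}
STAND_IN_KEY = b"offline-kit-demo-key"   # HMAC stand-in for the real (cosign) signing key

def build_manifest(kit):
    """Hash list: path -> sha256, keys sorted so the manifest bytes are deterministic."""
    entries = {path: hashlib.sha256(data).hexdigest() for path, data in kit.items()}
    return json.dumps({"artifacts": entries}, sort_keys=True, separators=(",", ":")).encode()

def pae(payload_type, payload):
    """DSSE PAE: 'DSSEv1' SP len(type) SP type SP len(payload) SP payload (lengths in ASCII decimal)."""
    t = payload_type.encode("utf-8")
    return (b"DSSEv1 " + str(len(t)).encode() + b" " + t + b" "
            + str(len(payload)).encode() + b" " + payload)

def sign_envelope(payload, payload_type, key, keyid="demo"):
    """Sign the PAE, never the raw payload, and carry the payload base64-encoded."""
    sig = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    return {"payloadType": payload_type,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def verify_envelope(envelope, key):
    """Recompute the PAE from the envelope's own fields; return the payload or None."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for s in envelope.get("signatures", []):
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            return payload
    return None

def verify_kit(envelope, kit, key):
    """Offline check: envelope signature first, then every artifact against the hash list.

    Reports missing, unlisted and mismatching artifacts; an unlisted file is a finding
    because the kit is frozen and nothing may ride along unsigned.
    """
    payload = verify_envelope(envelope, key)
    if payload is None:
        return ["envelope signature invalid"]
    listed = json.loads(payload)["artifacts"]
    problems = []
    for path in sorted(set(listed) | set(kit)):
        if path not in kit:
            problems.append(f"missing artifact: {path}")
        elif path not in listed:
            problems.append(f"unlisted artifact: {path}")
        elif hashlib.sha256(kit[path]).hexdigest() != listed[path]:
            problems.append(f"hash mismatch: {path}")
    return problems

if __name__ == "__main__":
    env = sign_envelope(build_manifest(KIT), PAYLOAD_TYPE, STAND_IN_KEY)
    print(json.dumps(env, indent=2))
    print("clean kit:", verify_kit(env, KIT, STAND_IN_KEY))
    tampered = dict(KIT, **{"adapters/cdx17-to-cdx16.csv": b"source,target,action\n"})
    print("tampered adapter CSV:", verify_kit(env, tampered, STAND_IN_KEY))
```

The point of recomputing the PAE from the envelope's own payloadType is that a verifier which trusts the caller's idea of the type, or signs the bare payload, lets a signature made over one document type be replayed as another. The same check is what keeps a downgrade adapter from shipping with an unapproved mapping CSV: an edited CSV shows up as a hash mismatch before the adapter is ever run.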

Milestones (proposed)

  1. Schema draft freeze (CDX 1.7/CBOM + CVSS v4 fields) — owners: Scanner Guild, due T+5d.
  2. Replay bundle field list for Source Track — owners: Scanner + Sbomer, due T+7d.
  3. Determinism harness upgrade (CI + fixtures) — owners: QA + Scanner, due T+10d.
  4. Downgrade adapter tables + hash tests — owners: Scanner, due T+12d.
  5. Offline-kit bundle update & DSSE signing — owners: Ops, due T+14d.

Determinism & Offline requirements

  • Stable field ordering, culture-invariant formatting, UTC ISO-8601 timestamps.
  • No network calls during conversion/adapters; fixed seeds for any RNG.
  • All schemas/adapters/fixtures shipped in offline kit with DSSE envelope and recorded hashes.

Open Items

  • Confirm CBOM section subset required for policy engine (ingredients vs evidence-only).
  • Decide default CVSS v4 vector precision and rounding rules.
  • Sprint: docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md (tasks SC1-SC10)
  • Advisory: docs/product-advisories/31-Nov-2025 FINDINGS.md